Help - Search - Members - Calendar
Full Version: multiple nobody process
The Planet Forums > Control Panels > cPanel/WHM
3w-hostconcept
Dec 28 2004, 09:50 AM
hello

why httpd running nobody process?

12369 nobody 19 4 14344 13M 5732 S N 3.5 1.3 0:00 0 httpd
12372 nobody 22 4 14240 13M 5692 S N 2.7 1.3 0:00 0 httpd
12375 nobody 22 4 14332 13M 5672 S N 1.5 1.3 0:00 0 httpd
12368 nobody 21 4 13400 12M 5652 S N 1.3 1.2 0:00 0 httpd
12374 nobody 22 4 14248 13M 5672 S N 1.3 1.3 0:00 0 httpd
12373 nobody 20 4 11356 10M 5156 S N 0.5 1.0 0:00 0 httpd
12359 nobody 19 4 11932 11M 5536 S N 0.3 1.1 0:00 0 httpd
Gary Simat
Dec 28 2004, 10:32 AM
do you have any other httpd running as anyone else?
3w-hostconcept
Dec 28 2004, 10:50 AM
No another process running ...

The last week, We were affected by the worm SANTY (terrorworm) since, this, we have update php 4.3.10 and httpd has recompiled, and httpd running on nobody...
Thanks
eth00
Dec 28 2004, 10:57 AM
ps -auxf |grep httpd

Does it look like it is running under a single process started by root or are there individual process that do not appear part of the "tree"?
3w-hostconcept
Dec 28 2004, 11:05 AM
very strange , this is result of :

root 31193 0.0 0.7 24568 7964 ? SN 15:58 0:01 /usr/local/apache/bin/httpd -DSSL
nobody 24973 0.3 1.6 31488 16656 ? SN 17:35 0:06 _ /usr/local/apache/bin/httpd -DSSL
nobody 26050 0.2 1.5 31572 15724 ? SN 17:38 0:04 _ /usr/local/apache/bin/httpd -DSSL
nobody 26829 0.2 1.4 30120 15284 ? SN 17:41 0:03 _ /usr/local/apache/bin/httpd -DSSL
nobody 28984 0.2 1.4 29208 14408 ? SN 17:46 0:02 _ /usr/local/apache/bin/httpd -DSSL
nobody 28988 0.4 1.4 29260 14556 ? SN 17:46 0:04 _ /usr/local/apache/bin/httpd -DSSL
nobody 29425 0.2 1.3 28780 13912 ? SN 17:48 0:02 _ /usr/local/apache/bin/httpd -DSSL
nobody 30702 0.2 1.5 31080 16148 ? SN 17:53 0:01 _ /usr/local/apache/bin/httpd -DSSL
nobody 30707 0.3 1.4 30072 15176 ? SN 17:53 0:02 _ /usr/local/apache/bin/httpd -DSSL
nobody 31388 0.4 1.4 30212 15364 ? SN 17:56 0:01 _ /usr/local/apache/bin/httpd -DSSL
nobody 31390 0.4 1.4 29804 14932 ? SN 17:56 0:01 _ /usr/local/apache/bin/httpd -DSSL
nobody 31391 0.2 1.2 28304 13316 ? SN 17:56 0:01 _ /usr/local/apache/bin/httpd -DSSL
nobody 31516 0.2 1.4 29644 14844 ? SN 17:57 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 31940 0.4 1.1 27052 12084 ? SN 17:58 0:01 _ /usr/local/apache/bin/httpd -DSSL
nobody 31947 0.1 1.1 27256 12040 ? SN 17:58 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 32050 0.2 1.2 28212 13060 ? SN 17:59 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 32051 0.3 1.3 29292 14256 ? SN 17:59 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 32052 0.3 1.1 27428 12284 ? SN 17:59 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 32053 0.3 1.1 27204 12100 ? SN 17:59 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 704 0.3 1.2 27472 12440 ? SN 18:00 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 1301 0.4 1.1 27396 12108 ? SN 18:03 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 1310 0.0 0.8 24568 8368 ? SN 18:03 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 1311 1.0 1.1 27384 12228 ? SN 18:03 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 1312 0.0 0.8 24568 8264 ? SN 18:03 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 1313 0.0 0.8 24568 8376 ? SN 18:03 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 1314 1.2 1.3 28980 13904 ? SN 18:03 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 1315 0.4 1.1 27584 12268 ? SN 18:03 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 1316 0.2 1.0 26140 10820 ? SN 18:03 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 1317 0.9 1.1 27316 12044 ? SN 18:03 0:00 _ /usr/local/apache/bin/httpd -DSSL
nobody 1318 0.8 1.3 28772 13664 ? SN 18:03 0:00 _ /usr/local/apache/bin/httpd -DSSL
exo
Dec 28 2004, 02:32 PM
that's normal. Main httpd is started as root, and with every request your server get, it forks a child with user nobody.

This is how it works, so it's fine.
eth00
Dec 28 2004, 07:48 PM
If you see a process that is not forked by the main root process then you might have the worm installed on your server.
mahdionline
Jan 3 2005, 02:43 AM
Hi

I run :

# ps -auxf |grep httpd

and this is the resault :

nobody 12110 0.0 0.0 0 0 ? Z Jan02 0:00 _ [httpd nobody 28484 0.0 0.0 0 0 ? Z Jan02 0:00 _ [httpd
:confused: :eek: :confused:
exo
Jan 3 2005, 11:55 AM
I think you got more lines (as at least parent pid should be there). Having those defunct processes is normal. They are dieing processes. If you start to have too much defunct processess which dont end (they are called zombies process) then is when you need to start to look what's happening.

But having defunct processess (as far as they dissapear fast) isnt bad.
3w-hostconcept
Jan 3 2005, 11:58 AM
thank you exo and eth00
khmerstud
Feb 22 2006, 11:52 AM
5773 nobody 0 4.1 0.6 /usr/local/apache/bin/httpd -DSSL
3531 nobody 0 3.9 0.8 /usr/local/apache/bin/httpd -DSSL
3535 nobody 0 3.7 0.7 /usr/local/apache/bin/httpd -DSSL
3527 nobody 0 3.3 0.7 /usr/local/apache/bin/httpd -DSSL
5726 nobody 0 3.1 0.4 /usr/local/apache/bin/httpd -DSSL
5774 nobody 0 3.1 0.4 /usr/local/apache/bin/httpd -DSSL
5390 nobody 0 2.5 0.7 /usr/local/apache/bin/httpd -DSSL
3659 nobody 0 1.1 0.7 /usr/local/apache/bin/httpd -DSSL

it's killing my processor really bad!

and what is nobody 0 0.0 0.0 entropychat ?

Thanks
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.