5

Running top on my CentOS web server shows an instance of whois running from 99-100% of one of the CPUs.

I've not knowingly used whois on this server before; would it be safe just to kill this process?

Top's output:

top - 17:08:18 up 30 days, 21:18,  1 user,  load average: 1.00, 1.00, 1.00
Tasks: 100 total,   2 running,  98 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.5%us, 50.3%sy,  0.0%ni, 48.2%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1914132k total,  1673000k used,   241132k free,   205688k buffers
Swap:        0k total,        0k used,        0k free,  1008824k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
18390 root      20   0  107m 1252  936 R 100.0  0.1  10689:41 whois
19848 mysql     20   0 1456m  93m 7084 S  0.3  5.0  27:51.13 mysqld
    1 root      20   0 19232 1444 1168 S  0.0  0.1   0:00.67 init
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd
    3 root      RT   0     0    0    0 S  0.0  0.0   0:05.93 migration/0
    4 root      20   0     0    0    0 S  0.0  0.0   0:01.49 ksoftirqd/0
Simon27
    it should be safe to kill the process: `ps aux | grep "whois"` and then `kill` – Simply_Me Oct 30 '14 at 17:26
  • 1
    You'll be able to see the exact command line invocation (`whois foobar` or whatever) by toggling the display in `top` with the `c` key. – goldilocks Oct 30 '14 at 17:44
  • Ah! Should I be concerned that it's run `whois 117.27.158.88`? Running this myself shows it belongs to Chinanet Hostmaster – Simon27 Oct 30 '14 at 17:50
  • If you think it is malicious then see if there is another `whois` on your machine. (`find` is an excellent tool for such a thing) – SailorCire Oct 30 '14 at 18:59
  • 1
    My guesses: malicious whois (as @SailorCire suggests), using `find`, `locate`, or `whereis whois` can help you find. Another possibility: hanging network connection to dead remote socket. `lsof` or `netstat` can help you see this. –  Oct 30 '14 at 23:29
  • Thanks for your help - I'm currently looking to the source of this with the hosting company. – Simon27 Oct 31 '14 at 13:45
  • 2
    Maybe it is started by fail2ban. see http://www.rentpbx.com/support/knowledgebase/61/High-CPU-usage-due-to-whois-process.html – hpn Mar 27 '15 at 17:02
  • Another good investigation tool is `strace`; then you can see what the process is actually *doing* before you kill it. `strace` output is fairly dense to read but you could find the malicious activity (if any) by digging through it. – Wildcard Jan 02 '16 at 06:42
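The triage the comments above describe (see the full command line, find out who launched the process, and check how long it has been running before you kill it), as an added example that is not from the thread. It takes the output of `ps -eo pid,ppid,etime,comm,args`, walks every whois process up its parent chain, and flags any that has run longer than a threshold; a whois query should finish in seconds, so one alive for hours or days is stuck. The embedded table is constructed sample data modelled on the question (the fail2ban parent follows hpn's comment and is an assumption), and `etime` rather than `etimes` is parsed so the script also works on older procps builds that lack `etimes`.

```shell
#!/bin/sh
# Added example: triage for a runaway `whois`. Input is the output of
#   ps -eo pid,ppid,etime,comm,args
# Constructed sample data modelled on the question above (not real output):
set -f   # no pathname expansion while word-splitting ps rows

SAMPLE_PS='  PID  PPID     ELAPSED COMMAND         COMMAND
    1     0 30-21:18:00 init            /sbin/init
 1234     1 30-21:17:50 fail2ban-server /usr/bin/python /usr/bin/fail2ban-server -b
 5678  1234  7-10:09:41 sh              /bin/sh -c whois 117.27.158.88
18390  5678  7-10:09:41 whois           whois 117.27.158.88
19848     1 30-21:10:00 mysqld          /usr/libexec/mysqld --basedir=/usr
19900     1    02:15:03 bash            -bash
20001 19900       00:03 whois           whois 198.51.100.7'

# etime_to_seconds [[dd-]hh:]mm:ss -> seconds (the ps(1) etime format)
etime_to_seconds() {
  printf '%s\n' "$1" | awk -F'[-:]' '{
    s = $NF; m = $(NF-1)
    h = (NF >= 3) ? $(NF-2) : 0
    d = (NF == 4) ? $1 : 0
    print d*86400 + h*3600 + m*60 + s
  }'
}

# ps_row <pid> <table> -> the row for that pid (the header never matches a number)
ps_row() {
  printf '%s\n' "$2" | awk -v p="$1" '$1 == p { print; exit }'
}

# parent_chain <pid> <table> -> e.g. "whois <- sh <- fail2ban-server <- init"
parent_chain() {
  pid=$1; table=$2; chain=''
  while row=$(ps_row "$pid" "$table") && [ -n "$row" ]; do
    set -- $row                      # $1=pid $2=ppid $3=etime $4=comm
    chain="${chain:+$chain <- }$4"
    pid=$2
  done
  printf '%s\n' "$chain"
}

# stuck_whois <max-seconds> <table> -> one line per whois older than max:
#   "<pid> <seconds> <parent chain> [<full command line>]"
stuck_whois() {
  max=$1; table=$2
  printf '%s\n' "$table" | awk '$4 == "whois" { print $1 }' |
  while read -r pid; do
    row=$(ps_row "$pid" "$table")
    set -- $row
    secs=$(etime_to_seconds "$3")
    [ "$secs" -gt "$max" ] || continue
    shift 4                          # what is left is the args column
    printf '%s %s %s [%s]\n' "$pid" "$secs" "$(parent_chain "$pid" "$table")" "$*"
  done
}

# Live use on Linux:  stuck_whois 60 "$(ps -eo pid,ppid,etime,comm,args)"
# On the sample only PID 18390 is reported: running for days, spawned via
# fail2ban-server rather than an interactive shell, querying 117.27.158.88.
stuck_whois 60 "$SAMPLE_PS"
```

The parent chain answers the "is it malicious?" question faster than the binary path alone: a whois forked by fail2ban-server is the case hpn describes, while one hanging off a shell nobody recognises deserves the `strace`/`lsof` look before it is killed. Either way the reported PID is what goes to `kill`.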

1 Answer

2

For future Googlers: I had the same problem today; whois was using 99% of the CPU. As @hpn mentioned, fail2ban uses whois and for some reason it got stuck. I killed the process and fail2ban continued to work normally. I guess it's a one-time thing, because I've had this issue for the first time in 3 years.

Ergec
  • I just saw it happening on my server too. I googled for a while and I still can't find an easy solution (I mean to prevent it from happening again in the future). – Joe Huang Dec 12 '15 at 23:05
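For the prevention question in the comment above, as an added configuration example that is not from the thread: fail2ban's `action_mw` and `action_mwl` presets in jail.conf run `whois <ip>` (through the mail/sendmail `-whois` actions) for every ban, and that lookup is the process that was stuck here. Selecting the plain `action_` preset keeps the ban and drops the lookup. The file path and the preset names are assumptions based on the stock jail.conf of the fail2ban 0.8/0.9 series; check the names your own jail.conf defines before copying this.

```ini
# /etc/fail2ban/jail.local  (assumed path; added example, not from the thread)
# action_mw / action_mwl mail a whois report per ban, which is where a hung
# whois lookup comes from. action_ bans only and never calls whois.
[DEFAULT]
action = %(action_)s
```

If you want to keep the whois report in the mail, the alternative is to bound the lookup itself (for example with coreutils `timeout` in front of the whois call in the action), so a hung TCP connection to a whois server cannot pin a process at 100% CPU for days as in the question.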