repeatatively creating sync_super for www-data which is showing high CPU usage
Clash Royale CLAN TAG#URR8PPP up vote
1
down vote
favorite
I am facing same kind of problem of having sync_supers recreated on my server, which are using high CPU usage:
4353 www-data 20 0 24392 3888 1012 R 100.0 0.0 13:15.26 [sync_supers]
5268 www-data 20 0 24392 3888 1012 R 100.0 0.0 9:42.56 [sync_supers]
4344 www-data 20 0 24264 3744 876 R 99.7 0.0 70:22.26 [sync_supers]
6792 www-data 20 0 24392 3892 1012 R 85.5 0.0 7:16.08 [sync_supers]
I have deleted few but again recreated with different pid.
Please help.
I am not expertised in Ubuntu and linux, so bit difficult to trace the issue.
Thank you very much.
cpu-load
edited Apr 26 at 11:17
ponsfrilus
495213
asked Apr 26 at 10:48
Deepti
62
add a comment |Â
up vote
1
down vote
favorite
I am facing same kind of problem of having sync_supers recreated on my server, which are using high CPU usage:
4353 www-data 20 0 24392 3888 1012 R 100.0 0.0 13:15.26 [sync_supers]
5268 www-data 20 0 24392 3888 1012 R 100.0 0.0 9:42.56 [sync_supers]
4344 www-data 20 0 24264 3744 876 R 99.7 0.0 70:22.26 [sync_supers]
6792 www-data 20 0 24392 3892 1012 R 85.5 0.0 7:16.08 [sync_supers]
I have deleted few but again recreated with different pid.
Please help.
I am not expertised in Ubuntu and linux, so bit difficult to trace the issue.
Thank you very much.
cpu-load
edited Apr 26 at 11:17
ponsfrilus
495213
asked Apr 26 at 10:48
Deepti
62
Be sure to patch any Drupal sites you have running. theregister.co.uk/2018/04/25/…
– Matt Raines
Apr 26 at 13:12
add a comment |Â
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I am facing same kind of problem of having sync_supers recreated on my server, which are using high CPU usage:
4353 www-data 20 0 24392 3888 1012 R 100.0 0.0 13:15.26 [sync_supers]
5268 www-data 20 0 24392 3888 1012 R 100.0 0.0 9:42.56 [sync_supers]
4344 www-data 20 0 24264 3744 876 R 99.7 0.0 70:22.26 [sync_supers]
6792 www-data 20 0 24392 3892 1012 R 85.5 0.0 7:16.08 [sync_supers]
I have deleted few but again recreated with different pid.
Please help.
I am not expertised in Ubuntu and linux, so bit difficult to trace the issue.
Thank you very much.
cpu-load
edited Apr 26 at 11:17
ponsfrilus
495213
asked Apr 26 at 10:48
Deepti
62
I am facing same kind of problem of having sync_supers recreated on my server, which are using high CPU usage:
4353 www-data 20 0 24392 3888 1012 R 100.0 0.0 13:15.26 [sync_supers]
5268 www-data 20 0 24392 3888 1012 R 100.0 0.0 9:42.56 [sync_supers]
4344 www-data 20 0 24264 3744 876 R 99.7 0.0 70:22.26 [sync_supers]
6792 www-data 20 0 24392 3892 1012 R 85.5 0.0 7:16.08 [sync_supers]
I have deleted few but again recreated with different pid.
Please help.
I am not expertised in Ubuntu and linux, so bit difficult to trace the issue.
Thank you very much.
cpu-load
edited Apr 26 at 11:17
ponsfrilus
495213
asked Apr 26 at 10:48
Deepti
62
edited Apr 26 at 11:17
ponsfrilus
495213
edited Apr 26 at 11:17
ponsfrilus
495213
edited Apr 26 at 11:17
ponsfrilus
495213
495213
asked Apr 26 at 10:48
Deepti
62
asked Apr 26 at 10:48
Deepti
62
asked Apr 26 at 10:48
Deepti
62
62
Be sure to patch any Drupal sites you have running. theregister.co.uk/2018/04/25/…
– Matt Raines
Apr 26 at 13:12
add a comment |Â
Be sure to patch any Drupal sites you have running. theregister.co.uk/2018/04/25/…
– Matt Raines
Apr 26 at 13:12
Be sure to patch any Drupal sites you have running. theregister.co.uk/2018/04/25/…
– Matt Raines
Apr 26 at 13:12
Be sure to patch any Drupal sites you have running. theregister.co.uk/2018/04/25/…
– Matt Raines
Apr 26 at 13:12
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
1
down vote
It's probably malware. sync_supers was a kernel thread, which should never be running as www-data, and hardly using any resources. And it should not be in use on a 16.04-system.
So check your backup for malware, and nuke the machine, and reinstall from backups that you have verified is clean. A compromised system should probably not be trusted ever again, as it is difficult to find all backdoors that may have been left there.
answered Apr 26 at 12:12
vidarlo
6,98042139
Will you please guide me how to do it. I am using Drupal 7 and amazon linux server.
– Deepti
Apr 27 at 9:54
That's a fairly broad question in it's own right, but essentially create a new virtual server, and reinstall your application from backups, and make sure to patch it.
– vidarlo
Apr 27 at 10:03
add a comment |Â
up vote
0
down vote
I just answered this on stackoverflow but since it is not the place I will just let it here: this just happened to me and the answer is that you have been hacked!
Please check: https://forum.joomla.org/viewtopic.php?t=903755 on how to clean a possible backdoor left in some PHP file and here my response on additional steps on how to clean the rest here: https://www.linuxquestions.org/questions/linux-enterprise-47/troubleshootd-utilizing-high-cpu-and-memory-933116/
I would recommend updating your php and taking other security mesures like not providing your PHP version info and apache version in the server response. Reinstalling the system looks like a very cumbersome none-sense to me...
answered May 9 at 16:12
Carles Estevadeordal
1012
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
It's probably malware. sync_supers was a kernel thread, which should never be running as www-data, and hardly using any resources. And it should not be in use on a 16.04-system.
So check your backup for malware, and nuke the machine, and reinstall from backups that you have verified is clean. A compromised system should probably not be trusted ever again, as it is difficult to find all backdoors that may have been left there.
answered Apr 26 at 12:12
vidarlo
6,98042139
Will you please guide me how to do it. I am using Drupal 7 and amazon linux server.
– Deepti
Apr 27 at 9:54
That's a fairly broad question in it's own right, but essentially create a new virtual server, and reinstall your application from backups, and make sure to patch it.
– vidarlo
Apr 27 at 10:03
add a comment |Â
up vote
1
down vote
It's probably malware. sync_supers was a kernel thread, which should never be running as www-data, and hardly using any resources. And it should not be in use on a 16.04-system.
So check your backup for malware, and nuke the machine, and reinstall from backups that you have verified is clean. A compromised system should probably not be trusted ever again, as it is difficult to find all backdoors that may have been left there.
answered Apr 26 at 12:12
vidarlo
6,98042139
Will you please guide me how to do it. I am using Drupal 7 and amazon linux server.
– Deepti
Apr 27 at 9:54
That's a fairly broad question in it's own right, but essentially create a new virtual server, and reinstall your application from backups, and make sure to patch it.
– vidarlo
Apr 27 at 10:03
add a comment |Â
up vote
1
down vote
up vote
1
down vote
It's probably malware. sync_supers was a kernel thread, which should never be running as www-data, and hardly using any resources. And it should not be in use on a 16.04-system.
So check your backup for malware, and nuke the machine, and reinstall from backups that you have verified is clean. A compromised system should probably not be trusted ever again, as it is difficult to find all backdoors that may have been left there.
answered Apr 26 at 12:12
vidarlo
6,98042139
It's probably malware. sync_supers was a kernel thread, which should never be running as www-data, and hardly using any resources. And it should not be in use on a 16.04-system.
So check your backup for malware, and nuke the machine, and reinstall from backups that you have verified is clean. A compromised system should probably not be trusted ever again, as it is difficult to find all backdoors that may have been left there.
answered Apr 26 at 12:12
vidarlo
6,98042139
answered Apr 26 at 12:12
vidarlo
6,98042139
answered Apr 26 at 12:12
vidarlo
6,98042139
answered Apr 26 at 12:12
vidarlo
6,98042139
6,98042139
Will you please guide me how to do it. I am using Drupal 7 and amazon linux server.
– Deepti
Apr 27 at 9:54
That's a fairly broad question in it's own right, but essentially create a new virtual server, and reinstall your application from backups, and make sure to patch it.
– vidarlo
Apr 27 at 10:03
add a comment |Â
Will you please guide me how to do it. I am using Drupal 7 and amazon linux server.
– Deepti
Apr 27 at 9:54
That's a fairly broad question in it's own right, but essentially create a new virtual server, and reinstall your application from backups, and make sure to patch it.
– vidarlo
Apr 27 at 10:03
Will you please guide me how to do it. I am using Drupal 7 and amazon linux server.
– Deepti
Apr 27 at 9:54
Will you please guide me how to do it. I am using Drupal 7 and amazon linux server.
– Deepti
Apr 27 at 9:54
That's a fairly broad question in it's own right, but essentially create a new virtual server, and reinstall your application from backups, and make sure to patch it.
– vidarlo
Apr 27 at 10:03
That's a fairly broad question in it's own right, but essentially create a new virtual server, and reinstall your application from backups, and make sure to patch it.
– vidarlo
Apr 27 at 10:03
add a comment |Â
up vote
0
down vote
I just answered this on stackoverflow but since it is not the place I will just let it here: this just happened to me and the answer is that you have been hacked!
Please check: https://forum.joomla.org/viewtopic.php?t=903755 on how to clean a possible backdoor left in some PHP file and here my response on additional steps on how to clean the rest here: https://www.linuxquestions.org/questions/linux-enterprise-47/troubleshootd-utilizing-high-cpu-and-memory-933116/
I would recommend updating your php and taking other security mesures like not providing your PHP version info and apache version in the server response. Reinstalling the system looks like a very cumbersome none-sense to me...
answered May 9 at 16:12
Carles Estevadeordal
1012
add a comment |Â
up vote
0
down vote
I just answered this on stackoverflow but since it is not the place I will just let it here: this just happened to me and the answer is that you have been hacked!
Please check: https://forum.joomla.org/viewtopic.php?t=903755 on how to clean a possible backdoor left in some PHP file and here my response on additional steps on how to clean the rest here: https://www.linuxquestions.org/questions/linux-enterprise-47/troubleshootd-utilizing-high-cpu-and-memory-933116/
I would recommend updating your php and taking other security mesures like not providing your PHP version info and apache version in the server response. Reinstalling the system looks like a very cumbersome none-sense to me...
answered May 9 at 16:12
Carles Estevadeordal
1012
add a comment |Â
up vote
0
down vote
up vote
0
down vote
I just answered this on stackoverflow but since it is not the place I will just let it here: this just happened to me and the answer is that you have been hacked!
Please check: https://forum.joomla.org/viewtopic.php?t=903755 on how to clean a possible backdoor left in some PHP file and here my response on additional steps on how to clean the rest here: https://www.linuxquestions.org/questions/linux-enterprise-47/troubleshootd-utilizing-high-cpu-and-memory-933116/
I would recommend updating your php and taking other security mesures like not providing your PHP version info and apache version in the server response. Reinstalling the system looks like a very cumbersome none-sense to me...
answered May 9 at 16:12
Carles Estevadeordal
1012
I just answered this on stackoverflow but since it is not the place I will just let it here: this just happened to me and the answer is that you have been hacked!
Please check: https://forum.joomla.org/viewtopic.php?t=903755 on how to clean a possible backdoor left in some PHP file and here my response on additional steps on how to clean the rest here: https://www.linuxquestions.org/questions/linux-enterprise-47/troubleshootd-utilizing-high-cpu-and-memory-933116/
I would recommend updating your php and taking other security mesures like not providing your PHP version info and apache version in the server response. Reinstalling the system looks like a very cumbersome none-sense to me...
answered May 9 at 16:12
Carles Estevadeordal
1012
answered May 9 at 16:12
Carles Estevadeordal
1012
answered May 9 at 16:12
Carles Estevadeordal
1012
answered May 9 at 16:12
Carles Estevadeordal
1012
1012
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1028367%2frepeatatively-creating-sync-super-for-www-data-which-is-showing-high-cpu-usage%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Be sure to patch any Drupal sites you have running. theregister.co.uk/2018/04/25/…
– Matt Raines
Apr 26 at 13:12