I need help, as I don't understand why the 8 CPUs of core 0 run at 100% us. The 8 other CPUs on core 1 are normal.

The right column P in the figure corresponds to "Last Used CPU", ordered by CPU ascending.

Thanks for all suggestions.

screenshot of "top" command

Processes sorted by TIME+

To reply to AlexD: there are no such optimisations on Elastic. Anyway, I stopped it, as well as Solr and Nginx, but it is still always 100% on the first 8 CPUs.

The server ran very nicely for a while.

Just one strange thing some days ago:

I had a problem connecting via ssh. It's strange: the /usr/sbin/sshd file changed from root:root to root:user_i_use_to_connect

And lsattr of /usr/sbin/sshd changed to -u---a--------e---- instead of --------------e----

telcoM
xspe
  • Sort processes by 'TIME+' column. – AlexD Feb 08 '24 at 11:32
  • Thanks a lot for your reply. I just updated my original post to add the screenshot of processes sorted by TIME+. –  Feb 08 '24 at 16:43
  • If you use htop and enable detailed CPU statistics and show userland threads, what do you see then? – Halfgaar Feb 08 '24 at 17:03
  • I wonder if someone 'optimized' the system and forced some subset of programs to run on the first 8 cores. Someone set elastic to run with nice 4. I would check it first. – AlexD Feb 08 '24 at 17:46
  • Actually, it is the other way around. For some reason, only kernel tasks and atop have a value < 8 in the P column in the last top output and they are all in the lower half of top. But cores < 8 consume 98-100% of us not system so it is a userspace task running there. Hidden miner? – AlexD Feb 08 '24 at 18:38
  • Thank you a lot, Alex. I will have a look at this. I'm sure I will learn a lot trying to find it. –  Feb 08 '24 at 19:20

1 Answer

I'm afraid the changes in the ownership and attributes of /usr/sbin/sshd suggest your system may have been hacked.

If so, that would probably explain the behavior of the CPUs too: your server might be running an 8-threaded coin miner, "hidden" by a rootkit of some sort.

Please see this Server Fault question for advice on dealing with a compromised server.

telcoM
  • Sorry, but where is the sshd executable and its ownership and attributes even mentioned in the question? – Kusalananda Feb 09 '24 at 07:33
  • @Kusalananda They were mentioned in the non-answer posted by xspe that's been since hidden, and I tried to ask them to move the information into the question and delete the non-answer, but looks like only the deletion was done (new poster, unfamiliar with ways of SE). Since I can still see the hidden non-answer, I'll take the liberty of moving the info into the question. – telcoM Feb 09 '24 at 09:40
  • Perfect, thanks! – Kusalananda Feb 09 '24 at 09:50
  • Thanks telcoM. As I'm a beginner with Stack Exchange, I made mistakes. Hope next time I'll be better.

    Anyway, I found a lot of hidden files under /tmp. I've been hacked!

    – xspe Feb 09 '24 at 10:54
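
The reasoning from the comments (cores at 98-100% us while no listed task claims that time in the P column), written out as an added example that is not part of the original thread: it compares per-CPU user time from /proc/stat with the %CPU that `ps` attributes to threads last seen on each CPU. The function names and the `busy` and `gap` thresholds are assumptions chosen for illustration.

```python
"""Added example: find CPUs whose user-mode load no visible thread accounts for."""

def cpu_times(stat_text):
    """Parse /proc/stat text into {cpu: (user+nice jiffies, total jiffies)}."""
    out = {}
    for line in stat_text.splitlines():
        f = line.split()
        if f and f[0].startswith("cpu") and f[0][3:].isdigit():
            # user nice system idle iowait irq softirq steal
            vals = [int(v) for v in f[1:9]]
            out[int(f[0][3:])] = (vals[0] + vals[1], sum(vals))
    return out

def user_pct(before, after):
    """Per-CPU user% between two cpu_times() snapshots."""
    pct = {}
    for cpu, (u1, t1) in after.items():
        u0, t0 = before.get(cpu, (0, 0))
        dt = t1 - t0
        pct[cpu] = 100.0 * (u1 - u0) / dt if dt > 0 else 0.0
    return pct

def visible_pct(ps_text):
    """Sum %CPU per last-used CPU from `ps -eLo psr,pcpu,tid,comm --no-headers`.
    Heuristic: ps reports a lifetime average and threads can migrate."""
    acc = {}
    for line in ps_text.splitlines():
        f = line.split(None, 3)
        if len(f) >= 2 and f[0].isdigit():
            acc[int(f[0])] = acc.get(int(f[0]), 0.0) + float(f[1])
    return acc

def unexplained(cpu_user, visible, busy=90.0, gap=50.0):
    """CPUs busy in user mode while visible threads explain far less.
    busy and gap are illustrative thresholds, not established values."""
    return sorted(c for c, u in cpu_user.items()
                  if u >= busy and u - visible.get(c, 0.0) >= gap)

if __name__ == "__main__":
    import subprocess, time
    read = lambda: cpu_times(open("/proc/stat").read())
    a = read(); time.sleep(2); b = read()
    ps = subprocess.run(["ps", "-eLo", "psr,pcpu,tid,comm", "--no-headers"],
                        capture_output=True, text=True).stdout
    print("CPUs with unexplained user load:",
          unexplained(user_pct(a, b), visible_pct(ps)))
```

A flagged CPU is a reason to look closer, not proof of a hidden process. An empty result proves nothing either, since tooling on a compromised host can itself be tampered with.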