I have been searching on this site and many others, but I have a process which has been running for 9,729 hours at 100% CPU at all times. According to htop, this is the command is being run by “root” on my Debian Jessie web server:
find ./ -name mysqli.so -print
I cannot figure out what is causing the command to run, and issuing a “kill -9” to its PID has no effect.
Everything else seems to run as expected–as evidenced by my not even realizing that this was an issue for so long. But, since it is busying an entire CPU core at all times, I’d like to resolve this.
The only thing I have not tried is rebooting the server–which is impractical because this is a production server.
First, try send it
SIGSTOP to actually stop its execution (this may be trapped and ignored by the command, but worth trying).
Next, this looks suspicious.
Since any process is free to change the text which is shown in the process list (some programs such as MTAs do this all the time for legitimate purposes), so it might be that your machine was p0wned and that proces is not really
find but something else (such as a crypto miner).
There are several ways to try to inspect what it really is.
Try looking at what executable it is:
# stat /proc/$pid/exe
Should show you what binary executable is running in that process.
Watching filesystem activity of that process might help:
# watch vdir /proc/$pid/fd
If it’s really appears as opening and closing lots of
files, it’s probably really
The process must not have any sockets open (viewable at the same
straceit and see whether it indeed repeatedly
opens and closes directories — run
# strace -p $pid
and watch for