Problem :
I have been searching on this site and many others, but I have a process which has been running for 9,729 hours at 100% CPU at all times. According to htop, this is the command being run by “root” on my Debian Jessie web server:
find ./ -name mysqli.so -print
I cannot figure out what is causing the command to run, and issuing a “kill -9” to its PID has no effect.
Everything else seems to run as expected–as evidenced by my not even realizing that this was an issue for so long. But, since it is busying an entire CPU core at all times, I’d like to resolve this.
The only thing I have not tried is rebooting the server–which is impractical because this is a production server.
Solution :
First, try sending it SIGSTOP to actually stop its execution (this may be trapped and ignored by the command, but it is worth trying).
Next, this looks suspicious.
Since any process is free to change the text which is shown in the process list (some programs such as MTAs do this all the time for legitimate purposes), it might be that your machine was p0wned and that process is not really find but something else (such as a crypto miner).
There are several ways to try to inspect what it really is.
- Try looking at what executable it is:
  # stat /proc/$pid/exe
  Should show you what binary executable is running in that process.
- Watching filesystem activity of that process might help:
  # watch vdir /proc/$pid/fd
  If it really appears to be opening and closing lots of files, it’s probably really find.
- The process must not have any sockets open (viewable in the same /proc/$pid/fd hierarchy).
- You may strace it and see whether it indeed repeatedly opens and closes directories — run
  # strace -p $pid
  and watch for opendir and fdopendir syscalls.
- Check out debsums.
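The /proc checks from the answer above, combined into one read-only script. This is an added example, not part of the original post; the function names and the `PROC` override are assumptions made here so the checks can also be pointed at a copy of /proc.

```shell
#!/bin/sh
# Added example: read-only triage of one PID through /proc (Linux).
# PROC is a hypothetical override so the functions can read a copy of /proc.
PROC=${PROC:-/proc}

# Binary actually mapped into the process (needs root for other users' PIDs).
real_exe() { readlink "$PROC/$1/exe"; }

# argv[0] as shown in ps/htop; the process itself can rewrite this text.
claimed_name() { tr '\0' '\n' < "$PROC/$1/cmdline" | head -n 1; }

# Count open descriptors that are sockets (their links read "socket:[inode]").
socket_count() {
    n=0
    for fd in "$PROC/$1"/fd/*; do
        case "$(readlink "$fd" 2>/dev/null)" in socket:*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Print findings for PID $1; return 0 if nothing stands out, 1 if something does.
triage() {
    rc=0
    exe=$(real_exe "$1") || { echo "cannot read $PROC/$1/exe"; return 2; }
    name=$(claimed_name "$1")
    socks=$(socket_count "$1")
    echo "exe=$exe argv0=$name sockets=$socks"
    case "$exe" in
        *" (deleted)") echo "FLAG: binary was removed from disk after start"; rc=1 ;;
    esac
    base=${exe% (deleted)}
    # A mismatch is a lead, not proof: symlinked or multi-call binaries also differ.
    if [ "${base##*/}" != "${name##*/}" ]; then
        echo "FLAG: argv[0] does not match the running binary"; rc=1
    fi
    if [ "$socks" -gt 0 ]; then
        echo "FLAG: $socks open socket(s); a plain find should hold none"; rc=1
    fi
    return "$rc"
}
```

Source the file as root and call `triage <pid>`; any FLAG line is a reason to continue with strace and debsums as described above.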