“find” command has been looking for mysqli.so for 9.729 hours


Problem :

I have been searching on this site and many others, but I have a process which has been running for 9,729 hours at 100% CPU at all times. According to htop, this is the command being run by “root” on my Debian Jessie web server:

find ./ -name mysqli.so -print

I cannot figure out what is causing the command to run, and issuing a “kill -9” to its PID has no effect.

Everything else seems to run as expected–as evidenced by my not even realizing that this was an issue for so long. But, since it is busying an entire CPU core at all times, I’d like to resolve this.

The only thing I have not tried is rebooting the server–which is impractical because this is a production server.

Solution :

First, try sending it SIGSTOP to actually stop its execution (this may be trapped and ignored by the command, but it is worth trying).

Next, this looks suspicious.
Any process is free to change the text which is shown in the process list (some programs such as MTAs do this all the time for legitimate purposes), so it might be that your machine was p0wned and that process is not really find but something else (such as a crypto miner).

There are several ways to try to inspect what it really is.

  1. Try looking at what executable it is:

     # stat /proc/$pid/exe
    

    Should show you what binary executable is running in that process.

  2. Watching filesystem activity of that process might help:

    # watch vdir /proc/$pid/fd
    

    If it really appears to be opening and closing lots of
    files, it’s probably really find.

  3. The process must not have any sockets open (viewable in the same /proc/$pid/fd hierarchy).

  4. You may strace it and see whether it indeed repeatedly
    opens and closes directories — run

    # strace -p $pid
    

    and watch for opendir and fdopendir syscalls.

  5. Check out debsums.
