High CPU load and multiple perl processes on Plesk server

Created: 2017-05-24 10:26:48 UTC

Modified: 2017-08-16 16:52:47 UTC


Applicable to:

  • Plesk for Linux

Symptoms

The CPU load on the Plesk server is high (the load average far exceeds the number of CPU cores):

[root@plesk ~]# grep -c ^processor /proc/cpuinfo
4

[root@plesk ~]# uptime
11:01:25 up 42 days, 19:30,  2 users,  load average: 22.05, 21.81, 20.46

The top utility shows multiple Perl processes:

24334 apache 20 0 49480 7304 1080 R 4.1 0.1 301:11.63 perl
22632 root 20 0 164m 25m 1568 S 2.8 0.3 0:00.25 lfd
23177 apache 20 0 41764 3760 872 S 1.9 0.0 260:17.78 perl
25028 apache 20 0 40808 3324 876 S 1.9 0.0 161:25.50 perl
13357 apache 20 0 41396 3068 720 R 1.6 0.0 386:17.11 perl
23047 apache 20 0 41952 3156 720 S 1.6 0.0 368:36.55 perl
23178 apache 20 0 41036 3888 872 S 1.6 0.0 256:31.54 perl

Some websites use the Apache module as their PHP handler, and mod_perl is enabled in Tools & Settings > Web Server Settings.

A suspicious process named mail is generating CPU load:

[root@plesk ~]# ps aux | sort -nrk 3,3 | head -n 5
.....
apache  24334  4.9  0.0  49480  7308 ?        Ss  May20 305:31 mail

Environment variables of this process are wiped out:

[root@plesk ~]# cat /proc/24334/environ

[root@plesk ~]#

The process is using Perl:

[root@plesk ~]# ls -l /proc/24334/exe
lrwxrwxrwx 1 apache apache 0 May 24 06:08 /proc/24334/exe -> /usr/bin/perl

The process opened multiple TCP connections to remote SMTP ports:

[root@plesk ~]# lsof -p 24334
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
perl 24334 apache cwd DIR 182,267585 4096 2 /
perl 24334 apache rtd DIR 182,267585 4096 2 /
perl 24334 apache txt REG 182,267585 7184 4216 /usr/bin/perl
perl 24334 apache mem REG 182,267585 21056 268663 /usr/lib64/perl5/auto/File/Glob/Glob.so
perl 24334 apache mem REG 182,267585 120008 264410 /usr/lib64/perl5/auto/POSIX/POSIX.so
perl 24334 apache mem REG 182,267585 17976 262168 /usr/lib64/perl5/auto/Fcntl/Fcntl.so
perl 24334 apache mem REG 182,267585 25624 262388 /usr/lib64/perl5/auto/Socket/Socket.so
perl 24334 apache mem REG 182,267585 19336 262189 /usr/lib64/perl5/auto/IO/IO.so
perl 24334 apache mem REG 182,267585 10312 395936 /lib64/libfreebl3.so
perl 24334 apache mem REG 182,267585 1924768 396904 /lib64/libc-2.12.so
perl 24334 apache mem REG 182,267585 143280 396925 /lib64/libpthread-2.12.so
perl 24334 apache mem REG 182,267585 15056 399454 /lib64/libutil-2.12.so
perl 24334 apache mem REG 182,267585 40872 399439 /lib64/libcrypt-2.12.so
perl 24334 apache mem REG 182,267585 596864 399456 /lib64/libm-2.12.so
perl 24334 apache mem REG 182,267585 20024 399440 /lib64/libdl-2.12.so
perl 24334 apache mem REG 182,267585 113904 399459 /lib64/libnsl-2.12.so
perl 24334 apache mem REG 182,267585 111440 399475 /lib64/libresolv-2.12.so
perl 24334 apache mem REG 182,267585 1485896 12026 /usr/lib64/perl5/CORE/libperl.so
perl 24334 apache mem REG 182,267585 159232 395925 /lib64/ld-2.12.so
perl 24334 apache 0r CHR 1,3 0t0 198331093 /dev/null
perl 24334 apache 1w CHR 1,3 0t0 198331093 /dev/null
perl 24334 apache 2w CHR 1,3 0t0 198331093 /dev/null
perl 24334 apache 4w FIFO 0,8 0t0 1961936537 pipe
perl 24334 apache 5r FIFO 0,8 0t0 1961936538 pipe
perl 24334 apache 12u IPv4 2150129997 0t0 TCP plesk.example.com:60165->mail31.messagelabs.com:smtp (SYN_SENT)
perl 24334 apache 17u IPv4 2150123792 0t0 TCP plesk.example.com:37144->mx1.externalexample.com:smtp (ESTABLISHED)
perl 24334 apache 21u IPv4 2150127685 0t0 TCP plesk.example.com:40765->mx.externalexample2.com:smtp (ESTABLISHED)
perl 24334 apache 24u IPv4 2150129902 0t0 TCP plesk.example.com:51393->mail.externalexample3.com:smtp (SYN_SENT)
perl 24334 apache 29u IPv4 2150127848 0t0 TCP plesk.example.com:33438->mail78.externalexample4.com:smtp (SYN_SENT)
perl 24334 apache 40u IPv4 2150126581 0t0 TCP plesk.example.com:44837->mail.externalexample5.com:smtp (SYN_SENT)
perl 24334 apache 46u IPv4 2150127834 0t0 UDP *:45793
perl 24334 apache 49u IPv4 2150129754 0t0 TCP plesk.example.com:47921->wb25.externalexample6.com:smtp (ESTABLISHED)
perl 24334 apache 53u IPv4 2150128140 0t0 UDP *:51628
perl 24334 apache 58u IPv4 2150128981 0t0 UDP *:50153
perl 24334 apache 60u IPv4 2150127458 0t0 TCP
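
The per-process checks above (executable link, process name, environment) combined into one sweep over /proc. This is an added example, not part of the original article or of Plesk; the function name find_masquerading_procs is hypothetical. Run it as root so that every process's exe and environ are readable.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): sweep a proc tree for
# processes matching the symptoms shown above.

# find_masquerading_procs [PROC_ROOT]   (hypothetical helper name)
# Prints one line per process that
#   1. runs the Perl interpreter according to its exe link,
#   2. presents a different name in argv[0] (as "mail" does above), and
#   3. has an empty environment.
find_masquerading_procs() {
    local root="${1:-/proc}" dir pid exe argv0 owner
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # Kernel threads and processes we may not inspect have no readable exe link.
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        case "${exe##*/}" in
            perl*) ;;
            *) continue ;;
        esac
        # argv[0] is the first NUL-terminated string in cmdline; drop any
        # status text a process appended after a space.
        argv0="$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)"
        argv0="${argv0%% *}"
        [ "${argv0##*/}" != "${exe##*/}" ] || continue
        # A wiped environment leaves environ with no content.
        [ -z "$(tr -d '\0' 2>/dev/null < "$dir/environ")" ] || continue
        owner="$(stat -c %U "$dir" 2>/dev/null)" || owner='?'
        printf '%s user=%s exe=%s argv0=%s environ=empty\n' \
            "$pid" "$owner" "$exe" "$argv0"
    done
    return 0
}

# Usage on a live server (as root):
#   find_masquerading_procs /proc
```

A hit is a lead for the lsof check shown above, not a verdict: a daemon that legitimately renames itself can also match.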

Cause

The server is compromised, probably through the code of one of the websites that use the Apache module as their PHP handler.

Resolution

1. Switch the websites to "FastCGI application" or "PHP-FPM served by Apache" in Plesk > Domains > example.com > PHP Settings > run PHP as.

2. Disable mod_perl in Tools & Settings > Web Server Settings.

Additional Information

Why mod_perl and mod_python Apache modules are not installed by default in Plesk 12.5
