Oh. Oops. I have a hard time with screenshots, text is easier for me to read.
I see no reason for fastrpc to be running at all!
@Alaaeddine.benabid click on the PID of one of those fastrpc.cgi processes and show us the full command running. We need to figure out what the heck they’re doing.
Also, in a terminal or ssh session run the following (you must replace <pid> with the actual PID of the process you want to look at…we need to see one of the fastrpc processes):
strace -p <pid>
This may be very chatty (probably will be since it is chewing up huge amounts of CPU). We don’t need to see hundreds of lines, just a couple dozen…just to get the gist of what’s happening.
Also check the Webmin logs in /var/webmin. miniserv.error may have clues, webmin.log is the actions log (but API calls may not have action logging), and miniserv.log is the access log and it’s probably the most useful. So show us a few lines of miniserv.log…we only want to see some requests to fastrpc.cgi.
It’s very alarming that fastrpc is doing something when you don’t have any remote systems for it to be talking to. That means something is communicating with the API and making it very busy (possibly an attacker). If you have a weak password or one you’ve reused or one you’ve shared with untrusted people, you need to change it.
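
An added example (not part of the original post): one way to pull only the fastrpc.cgi requests out of miniserv.log and count them per client address, user and status, which shows at a glance who is driving the API. It assumes the access log uses Common Log Format style lines; the function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Summarise fastrpc.cgi requests in a Webmin access log by client, user and status.
# Assumption: each line looks like Common Log Format:
#   client - user [timestamp] "METHOD /path HTTP/x" status bytes

fastrpc_summary() {
    # $1 = path to the access log (e.g. /var/webmin/miniserv.log)
    awk '
        # Split on double quotes: $1 = client/user/timestamp,
        # $2 = request line, $3 = status and byte count
        BEGIN { FS = "\"" }
        {
            split($2, req, " ")        # req[1] = method, req[2] = path
            path = req[2]
            sub(/\?.*/, "", path)      # ignore any query string
            if (path !~ /\/fastrpc\.cgi$/) next
            split($1, pre, " ")        # pre[1] = client, pre[3] = user
            split($3, post, " ")       # post[1] = HTTP status
            count[pre[1] " " pre[3] " " post[1]]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Constructed sample log lines (documentation address ranges, not real traffic)
sample_log() {
    cat <<'EOF'
203.0.113.7 - root [10/Mar/2024:02:11:01 +0000] "POST /fastrpc.cgi HTTP/1.0" 200 87
203.0.113.7 - root [10/Mar/2024:02:11:02 +0000] "POST /fastrpc.cgi HTTP/1.0" 200 87
192.0.2.5 - admin [10/Mar/2024:02:11:03 +0000] "GET /index.cgi HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2024:02:11:04 +0000] "POST /fastrpc.cgi HTTP/1.0" 401 0
203.0.113.7 - root [10/Mar/2024:02:11:05 +0000] "POST /fastrpc.cgi HTTP/1.0" 200 87
EOF
}

# When called with a log path, print "count client user status", busiest first
if [ "$#" -gt 0 ]; then
    fastrpc_summary "$1"
fi
```

A client address you do not recognise near the top of the output, or a run of 401 responses, is the part worth posting along with the strace output.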