
I am not a server guy and am currently maintaining a small server for my own needs (development and testing).

I got a notification that my server CPU usage has been around 99% for the last 3+ hours. I know that this is quite a personal site to me and I have never shared the URL with anyone, so just to check I installed htop and tried to find out the root cause of this usage, and this is what I got from htop:


I understand whois is for DNS lookup, but I have not made any changes to the server in the last few days, so how come this service just started eating up so much CPU?

Can anyone help me understand this issue?

MadHatter
Umesh Awasthi
  • Can you please share the version of the whois package you are using by running this command rpm -qf `which whois`, and also the strace of the given pid: strace -o /tmp/output -f -r -s4096 -p `pid of whois` – Prashant Lakhera Sep 22 '14 at 09:48
  • Note those commands should be `rpm -qf \`which whois\`` and `strace -o /tmp/output -f -r -s4096 -p \`pid of whois\`` but you're not likely to be able to fit the output of the second command into your question. – Ladadadada Sep 25 '14 at 15:59
  • A correction: `whois` is **not** used for DNS lookups – Håkan Lindqvist Jun 21 '15 at 10:28

1 Answer


This is caused by a bug in jwhois, the whois client used in RHEL/CentOS.

It has been fixed in Fedora and RHEL 7, but apparently not in RHEL 6. I occasionally see it happen on my own systems where fail2ban is repeatedly calling whois. (I turned this off because I really don't care about the whois for banned IPs.)

Michael Hampton
  • Thanks for pointing this out. How can I also turn this search thing off? – Umesh Awasthi Sep 22 '14 at 13:08
  • I am assuming that Michael meant disabling the sendmail-whois feature in Fail2Ban. In your Fail2Ban jail.conf you will see a function related to 'sendmail-whois'. Comment this out and restart Fail2Ban. `# sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]` – QuentinMoss Mar 23 '15 at 19:27
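
A triage helper for the symptom discussed in this thread, added here as an example (it is not code from the question, the answer, or the fail2ban or jwhois projects): it flags long-running, CPU-heavy `whois` processes and prints their ancestor chain, so you can confirm whether fail2ban spawned them before changing the jail configuration. The function names, thresholds and sample process table are constructed for illustration, and the live command in the comment assumes a procps-ng `ps` that supports `etimes`.

```shell
#!/bin/sh
# Added example: find runaway whois processes and show which service started them.

# Constructed process table: PID PPID ELAPSED_SECONDS %CPU COMMAND.
sample_ps() {
    cat <<'EOF'
1 0 900000 0.0 init
1200 1 86400 0.1 fail2ban-server
4410 1200 11000 0.0 sh
4411 4410 11000 99.0 whois
5000 1 30 0.0 sshd
5100 5000 2 1.0 whois
EOF
}

# find_stuck_whois MIN_SECONDS MIN_CPU
# Reads "PID PPID ELAPSED_SECONDS %CPU COMMAND" lines on stdin and prints one
# line per whois process at or above both thresholds, with its ancestors
# (nearest first, PID 1 excluded).
find_stuck_whois() {
    awk -v min_secs="$1" -v min_cpu="$2" '
        # Index the whole table by PID so parents can be resolved afterwards.
        { ppid[$1] = $2; secs[$1] = $3; cpu[$1] = $4; name[$1] = $5 }
        END {
            for (p in name) {
                if (name[p] != "whois") continue
                if (secs[p] + 0 < min_secs + 0 || cpu[p] + 0 < min_cpu + 0) continue
                # Walk up the parent chain; the depth cap guards against bad input.
                chain = ""; depth = 0
                for (q = ppid[p]; (q in name) && q + 0 != 1 && depth < 16; q = ppid[q]) {
                    chain = chain (chain == "" ? "" : "<") name[q]
                    depth++
                }
                printf "pid=%s elapsed=%ss cpu=%s ancestors=%s\n", p, secs[p], cpu[p], chain
            }
        }' | sort -t= -k2n
}

# Against the constructed table:
#   sample_ps | find_stuck_whois 300 50
# On a live host (assumes ps supports etimes):
#   ps -eo pid=,ppid=,etimes=,pcpu=,comm= | find_stuck_whois 300 50
```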