Ammu voilaah

HIGH CPU Utilization suddenly on EC2 Instance

Unusual high CPU CloudWatch alarm from my AWS EC2 instance. The EC2 instance hosts a Magento 2 website and WordPress websites. The Magento 2 site loads very slowly when the server is up, but the server goes down approximately every 30 mins. The Apache error log shows:

[Mon Mar 19 01:29:55.216115 2018] [lbmethod_heartbeat:notice] [pid 2571] AH02282: No slotmem from mod_heartmonitor
[Mon Mar 19 01:30:01.432626 2018] [mpm_prefork:notice] [pid 2571] AH00163: Apache/2.4.27 (Amazon) OpenSSL/1.0.2k-fips PHP/5.6.32 configured -- resuming normal operations
[Mon Mar 19 01:30:01.432665 2018] [core:notice] [pid 2571] AH00094: Command line: '/usr/sbin/httpd'
[Mon Mar 19 01:35:45.104754 2018] [mpm_prefork:notice] [pid 2571] AH00169: caught SIGTERM, shutting down
[Mon Mar 19 01:37:03.874296 2018] [suexec:notice] [pid 2570] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

This unusual activity started on March 12th; before that, the server went down only once a month. Any idea what is causing this issue? Is it the Apache MPM prefork version or the Magento code? I don't know how to troubleshoot this.
Britt Thompson

MPM can cause high CPU utilization but I'd suspect one of your sites has been compromised - most likely a WordPress site. I've typically been able to track down these issues by watching TCP connections in and out of the server and looking for suspicious traffic, or by checking the access logs for each of the sites. If you can't find anything you can use find and/or grep to search all the site files for malicious code - I was typically able to find malicious code by using regex to search for base64 encoded strings (you can see how here: https://mediatemple.net/community/products/dv/204405434/how-to-uncover-malicious-code-malware-files).

In the end, it's a huge help to implement a web application firewall (WAF) in front of your web server to help mitigate these kinds of attacks. If you have a firewall that can give you some insight into the traffic heading to and from your server, you can check there for any indication of an attack as well.
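
The find/grep search described in the answer above, as an added example that is not part of the original post. The function names, the pattern set, the 200-character threshold and the /var/www/html path in the usage comment are assumptions; the second function lists PHP files changed since a given time, such as the March 12th start of the incident.

```shell
#!/bin/sh
# Added example (not from the original answer): triage a web root for PHP files
# that look like injected code. Patterns and thresholds are assumptions.
#
# Usage (path is hypothetical):
#   scan_webroot  /var/www/html
#   changed_since /var/www/html 201803120000    # touch -t format: CCYYMMDDhhmm

# A decoder call fed straight into eval()/assert(), e.g. eval(base64_decode(...)).
DECODE_RE='(eval|assert)[[:space:]]*\([[:space:]]*(gzinflate|gzuncompress|str_rot13|base64_decode)[[:space:]]*\('
# A long unbroken run of base64 alphabet characters (an encoded payload blob).
BLOB_RE='[A-Za-z0-9+/]{200,}={0,2}'

# Print PHP-family files under $1 that match either pattern.
scan_webroot() {
    root="$1"
    # -exec ... {} + hands file names to grep directly, so names containing
    # spaces are safe. -l prints only file names, -i because PHP function
    # names are case-insensitive.
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -liE -e "$DECODE_RE" -e "$BLOB_RE" {} + 2>/dev/null | sort
}

# Print PHP-family files under $1 modified after timestamp $2 (CCYYMMDDhhmm).
changed_since() {
    root="$1"
    stamp="$2"
    ref=$(mktemp) || return 1
    # A reference file with the wanted mtime keeps this to POSIX find options.
    touch -t "$stamp" "$ref"
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -newer "$ref" -print | sort
    rm -f "$ref"
}
```

A match is a lead for manual review rather than proof of compromise, since legitimate code can embed long base64 strings (inline images, for example). Files that appear in both lists are the ones to open first.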
David Favor

To answer these questions requires access to many system logs.

And, if you're using Prefork + PHP, you're running an Apache stack which is one of the highest resource usage configurations possible.

Before you go any further, change over to this approach.

1) Use mpm_event (lightest weight Apache MPM).

2) FPM PHP

3) HTTP2

4) SSL config which correctly implements Stapling + HSTS

Just doing these few items will dramatically reduce resource usage.