## What is System Load?

System load average is a key metric for evaluating Linux server performance. It refers to the number of processes that are either:

* Using the CPU
* Waiting in the run queue
* Or stuck in uninterruptible I/O wait states

### Key Points

* Load is not just CPU usage.
* Measured over 1, 5, and 15 minute intervals.
* Not normalized by CPU count.

On a 4-core system, a load of `4.00` means full utilization. A `1.00` load means the system is mostly idle.
## Technical Reference

### getloadavg() System Call

```c
#include <stdlib.h>
int getloadavg(double loadavg[], int nelem);
```

Returns load averages over 1, 5, and 15 minutes.

Source: `man 3 getloadavg`

### uptime Output Example

```bash
uptime
# Output: 12:03:45 up 1 day, 3:25, 2 users, load average: 1.03, 0.89, 0.75
```
## Basic Load & Process Investigation Tools

### top

```bash
top -c
```

* Press Shift + P → Sort by CPU
* Press Shift + M → Sort by Memory

### Top PHP Processes

```bash
top -b -n 1 | grep php | sort -k8,8
```

### Memory & CPU Usage Summary

```bash
ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%mem | head
```

### Active Connections by IP

```bash
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```

### Logged-In Users and Load

```bash
w
```
## ❌ Killing Processes (Use With Caution)

### Kill All Processes for a User

```bash
killall -9 -u nobody
```

### Repeated Kill in Background

```bash
# 100 rounds, 20 seconds apart: kill every process owned by user "nobody"
for (( i=1; i<=100; i++ )); do
  sleep 20
  echo "$i"
  killall -9 -u nobody
done
```

📌 Use this inside a `screen` session.
## 🐬 MySQL Load Investigation

### View Active Queries

```sql
SHOW PROCESSLIST;
SHOW FULL PROCESSLIST\G
```

### Kill Sleeping Queries

```bash
for i in $(mysql -e "show processlist" | awk '/Sleep/ {print $1}'); do
  mysql -e "KILL $i;"
done
```

---

## 🔎 Open Files by Process

```bash
lsof -p <PID>
```

Use this to inspect which files or sockets a process is accessing.

---
## 🔐 Security Checks: Brute Force & Abuse

### XML-RPC POST Attacks

```bash
grep -R "xmlrpc.php" /usr/local/apache/domlogs/* | grep "POST" | \
  awk -F: '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
```

### XML-RPC Hits (Archived Logs)

```bash
zgrep "$(date '+%d/%b/%Y')" /usr/local/apache/logs/domlogs/access123* | \
  cut -d: -f2 | awk '{print $1}' | sort | uniq -c | sort -nr | head -n25
```

### wp-login.php Brute Force

```bash
grep -r "$(date '+%d/%b/%Y')" /usr/local/apache/domlogs/ | grep "wp-login.php" | \
  awk '{ print $1 }' | cut -d : -f2 | sort | uniq -c | sort -n | tail
```
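
The pipelines above match `POST` and the file name anywhere in a log line and split on `:`, so a referrer containing `xmlrpc.php` is counted and IPv6 client addresses are cut apart. The following added example (not part of the original page) generalizes them by parsing the request line of each combined-format log entry; the function names and the sample log lines are constructed for illustration, and input is expected on stdin without grep's `file:` prefix.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): per-IP POST counts for
# xmlrpc.php and wp-login.php, read from combined-format log lines on stdin.

# count_post_hits THRESHOLD  (hypothetical helper name)
# Prints "COUNT IP ENDPOINT" for each pair with >= THRESHOLD POSTs, busiest first.
count_post_hits() {
  awk -v min="${1:-1}" '
    {
      # q[2] is the quoted request line, e.g.: POST /xmlrpc.php HTTP/1.1
      if (split($0, q, "\"") < 3) next            # no request line: skip
      if (split(q[2], req, " ") < 2) next         # need method and path
      if (req[1] != "POST") next                  # method must be POST
      path = req[2]
      sub(/\?.*/, "", path)                       # ignore the query string
      if (path !~ /\/(xmlrpc|wp-login)\.php$/) next
      n = split(path, seg, "/")
      hits[$1 " " seg[n]]++                       # $1 = client address, v4 or v6
    }
    END { for (k in hits) if (hits[k] >= min) print hits[k], k }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges, made-up requests).
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/8.0"
2001:db8::5 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
2001:db8::5 - - [12/Mar/2024:10:00:05 +0000] "POST /blog/wp-login.php?action=x HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:00:07 +0000] "GET /about HTTP/1.1" 200 900 "https://example.test/xmlrpc.php?POST" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:00:08 +0000] "POST /contact.php HTTP/1.1" 200 50 "-" "Mozilla/5.0"
EOF
}

# Demo run: only pairs with at least 2 matching POSTs are listed.
sample_log | count_post_hits 2
```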

---

## 🌐 Port-Based Connection Load

### Port 80 (HTTP)

```bash
netstat -tn 2>/dev/null | grep ':80 ' | awk '{print $5}' | \
  sed -e 's/::ffff://' | cut -f1 -d: | sort | uniq -c | sort -rn | head
```

### Port 443 (HTTPS)

```bash
netstat -tn 2>/dev/null | grep ':443 ' | awk '{print $5}' | \
  sed -e 's/::ffff://' | cut -f1 -d: | sort | uniq -c | sort -rn | head
```

---
## 🧾 Domain-Specific Log Investigation

### savingcenter.org (XML-RPC & POST)

```bash
grep xmlrpc /usr/local/apache/logs/domlogs/savingcenter.org-ssl_log
grep POST /usr/local/apache/logs/domlogs/savingcenter.org-ssl_log
```

### timelessluxury.com (wp-admin access)

```bash
awk '{print $1, substr($4, 2), $7}' /usr/local/apache/logs/domlogs/timelessluxury.com-ssl_log | grep 'wp-admin'
```

---
## 🧩 Best Practices
* Monitor during **peak hours**.
* Avoid blind `kill` or `pkill` commands.
* Combine load insights with Apache/MySQL logs.
* Use `screen` for long-running tasks.
* Keep backups before mass process terminations.