Your server is under Heavy load in ISPCONFIG Monitor

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Sep 24, 2017.

  1. pawan

    pawan Member HowtoForge Supporter

    when I run the TOP command in terminal - I can see two of the vhosts using most cpu%
    like this
    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    9176 web132 20 0 1063688 42228 4420 S 1198 0.3 18646:58 phpUMI6bM_w7usn

    so against percentage cpu it is 1198 and against command it is phpUMI6bM_w7usn
    so can a single process use so much of cpu.
    when I tried find the path of the process. I traced it down to vhost/tmp folder.
    there were so many temp files were there like
    Code:
    ca_dompdf_img_A8qF2q  ca_dompdf_img_f9OQPx  ca_dompdf_img_kjjs9o  ca_dompdf_img_pS6ydz  ca_dompdf_img_UyISzh  gifdompdf_img_VEaW3M.png
    ca_dompdf_img_a92e9c  ca_dompdf_img_F9YD2G  ca_dompdf_img_KJnmUe  ca_dompdf_img_psEeBe  ca_dompdf_img_Uykzps  gifdompdf_img_vrCWGz.png
    How can I resolve this issue?

    Update:
    • I have completely disabled the client and web in ISPCONFIG, but I can still see the same process running under the same vhost.
    • Also tried kill 9176 - but the process still running.
     
    Last edited: Sep 24, 2017
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Deactivate the website by unticking the 'active' checkbox of the site, wait until changes are written to disk. When the load is still high afterwards, thne try to kill the processes with:

    kill -9 PROCESSID

    where PROCESSID is the ID of the process that yu want to kill.

    Beside that, you should check the crontab of the user:

    crontab -l web132

    there might be a malware cronjob in the crontab and you should scan the websites and /tmp and /var/tmp for malware.
     
  3. pawan

    pawan Member HowtoForge Supporter

    Thanks Till for the process suggested.
    I have found some malicious scripts in the website, removed all of them.
    Now the question is where from they are getting in.
    is it through some Joomla security hole?
    or they are getting the ftp passwords?
    as far as permissions are concerned I have set the 755 and 644
    except for tmp and cache folder which is 770 and 775.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    A joomla hole is more likely. But to be sure, change the FTP password of the site and update joomla and it's extensions.
     
  5. pawan

    pawan Member HowtoForge Supporter

    I tried this command, but it results in error for example
    usage error: no arguments permitted after this option
    I also tried like
    Code:
    crontab -l -u web132
    but it results in
    no crontab for web132
    whereas I have myself set many cronjobs for the user132, which should have been listed.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    No, they should not be listed with this command. Websites cronjobs that you added in ISPConfig are cron files in the /etc/cron.d/ folder.
     

Share This Page