tons of php processes !!




Posted by shahzaibcw, 11-25-2013, 06:39 AM
There are tons of php processes running on the server (centos-6) and there are no visitors on the site. We're using WHM with suphp 5.4. Please check the attached files of php processes using the top command. There's a high load average on the server due to this issue and the site is not resolving any more. Help will be highly appreciated. Regards. Shahzaib

Posted by my247webhosting, 11-25-2013, 10:59 AM
Seems to be a ddos on port 80, which is banging port 80 on the server. Check which IPs are connecting using netstat.

Posted by Genius Guard, 11-25-2013, 11:03 AM
Do you have any video streaming on that file?

Posted by shahzaibcw, 11-25-2013, 11:06 AM
Thanks for replying. We're using nginx as reverse proxy for apache. Following are the ips/connections on the server : 757 206.190.134.12 (Server's ip which generated dummy connections between apache and nginx) Regards. Shahzaib

Posted by Genius Guard, 11-25-2013, 11:11 AM
This is not more to be a ddos. Do you have a large website with more visitors?

Posted by shahzaibcw, 11-25-2013, 11:13 AM
Genius, the file watch_videos.php has a player which streams videos. We serve a video streaming site, just like youtube, on this server.

Posted by shahzaibcw, 11-25-2013, 11:16 AM
There are not many visitors on the site. The total number of connections on port 80 is: # netstat -anp |grep :80 |wc -l 145
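
Added example, not part of the original thread: one way to turn `netstat -ant` output into per-peer counts for a single local port, with connections from the server's own address (such as nginx talking to apache) tagged separately. The function names and every address in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-peer connection counts for one local port, read from
# `netstat -ant` output. All addresses below are constructed sample data;
# 203.0.113.10 stands in for the server's own address.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         203.0.113.10:41022      ESTABLISHED
tcp        0      0 203.0.113.10:41022      203.0.113.10:80         ESTABLISHED
tcp        0      0 203.0.113.10:80         203.0.113.10:41023      ESTABLISHED
tcp        0      0 203.0.113.10:80         203.0.113.10:41024      TIME_WAIT
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:198.51.100.7:51235 ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40000        ESTABLISHED
tcp        0      0 203.0.113.10:8080       192.0.2.99:40001        ESTABLISHED
EOF
}

# port_peers PORT SELF_IP   (reads `netstat -ant` output on stdin)
# Prints "COUNT PEER TAG", busiest peer first. TAG is "self" when the peer is
# the server's own address, otherwise "client".
port_peers() {
    awk -v port="$1" -v self="$2" '
        # Match the LOCAL address only, anchored at the end, so :8080,
        # listening sockets and the outgoing half of a same-host pair
        # are not counted (a plain grep for :80 counts all of them).
        $1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ (":" port "$") {
            peer = $5
            sub(/:[0-9]+$/, "", peer)    # drop the peer port
            sub(/^::ffff:/, "", peer)    # IPv4-mapped IPv6 form
            count[peer]++
        }
        END {
            for (ip in count)
                print count[ip], ip, (ip == self ? "self" : "client")
        }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# On a live host: netstat -ant | port_peers 80 <server address>
sample_netstat | port_peers 80 203.0.113.10
```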

Posted by Genius Guard, 11-25-2013, 11:33 AM
It is regular if it is a streaming server. If your server load is high or you have issues with connection speed, you should search for a stronger server which supports streaming.

Posted by shahzaibcw, 11-25-2013, 11:37 AM
Genius, you're wrong, there's no connection on the server yet and no one is streaming any video. There's some kind of infinite loop executing on the server. Whenever I rename the watch_video.php file, load-avg gets back to normal. Regards. Shahzaib

Posted by reto, 11-25-2013, 01:41 PM
Looks like this may be a script error. Have you checked?

Posted by ClaudiuPopescu, 11-25-2013, 04:16 PM
If you are running nginx, why not drop apache in favor of php-fpm? It will handle php workloads a lot better. You could try: https://support.sysally.net/projects.../Documentation That might be an attack, it is not uncommon to see this kind of ddos. Just analyze the logs, traffic (try a dump).

Posted by shahzaibcw, 11-26-2013, 02:42 AM
Claudiu, thanks for the guide, but I believe the issue is different. Why should I replace it with php-fpm when there's some ddos or infinite loop destroying the whole server? There are no users on the site and the server is under tons of php processes. Can you let me know which specific logs I should check to track down the bottleneck?

Posted by ClaudiuPopescu, 11-26-2013, 03:01 AM
1. http://php-fpm.org/ - read the description + documentation in order to understand this. Plus that it was accepted into php core http://php-fpm.org/download/.
2. http://forums.cpanel.net/f185/suphp-eol-348871.html - besides this thread, there is another reason why you should not be using suphp, it is considered to not be very fast compared to other php handlers.
As for logs, you can check apache and nginx. Btw, do you have multiple accounts on your cpanel server? Or is this your only account. You might be better off without cpanel if no other accounts are on that server. You really need to learn to read the logs, use tcpdump, configure limits in iptables (CSF maybe) and so on.

Posted by shahzaibcw, 11-26-2013, 08:02 AM
Claudiu, the server contains multiple accounts and I can't go without cpanel in the current situation. Is php-fpm compatible with cpanel or apache? Or will I have to replace apache with nginx in order to install php-fpm? Another question: is there any server side tool to analyze the current number of users active on the site (not connections but users)?
>>You really need to learn to read the logs, use tcpdump
I really don't know yet how to analyze traffic via the tcpdump tool to track down a DDoS attack. Can you provide a good guide to learn the output of the tcpdump tool?

Posted by LDHosting, 11-26-2013, 08:15 AM
Is there anything showing in any of the access logs?
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error_log
/usr/local/apache/domlogs/domainofwebsite.com
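
Added example, not part of the original thread: one way to look through an Apache combined-format access log for a client that requests the same PHP script many times within one minute. The function names and the log lines are constructed for illustration; behind a reverse proxy the client column may show the proxy's address rather than the visitor's.

```shell
#!/bin/sh
# Added example: find bursts of requests to one PHP script in an Apache
# combined-format access log. The log lines below are constructed sample data.
sample_access_log() {
    cat <<'EOF'
203.0.113.10 - - [25/Nov/2013:06:39:01 +0000] "GET /watch_videos.php?v=1 HTTP/1.0" 200 5120 "-" "-"
203.0.113.10 - - [25/Nov/2013:06:39:01 +0000] "GET /watch_videos.php?v=1 HTTP/1.0" 200 5120 "-" "-"
203.0.113.10 - - [25/Nov/2013:06:39:02 +0000] "GET /watch_videos.php?v=1 HTTP/1.0" 200 5120 "-" "-"
203.0.113.10 - - [25/Nov/2013:06:39:02 +0000] "GET /watch_videos.php?v=2 HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [25/Nov/2013:06:39:30 +0000] "GET /watch_videos.php?v=9 HTTP/1.1" 200 5120 "-" "-"
203.0.113.10 - - [25/Nov/2013:06:40:00 +0000] "GET /watch_videos.php?v=1 HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [25/Nov/2013:06:40:02 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "-"
192.0.2.44 - - [25/Nov/2013:06:40:05 +0000] "GET /css/style.css HTTP/1.1" 200 300 "-" "-"
EOF
}

# php_bursts MIN_HITS   (reads the access log on stdin)
# Prints "COUNT MINUTE CLIENT SCRIPT" for every client that requested the
# same .php script at least MIN_HITS times within one minute, busiest first.
php_bursts() {
    awk -v min="$1" '
        {
            path = $7
            sub(/\?.*$/, "", path)        # ignore the query string
            if (path !~ /\.php$/) next    # only requests that start php
            minute = substr($4, 2, 17)    # "[dd/Mon/yyyy:hh:mm:ss" cut to the minute
            hits[minute " " $1 " " path]++
        }
        END {
            for (k in hits)
                if (hits[k] >= min) print hits[k], k
        }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# On a live host: php_bursts 100 < /usr/local/apache/domlogs/domainofwebsite.com
sample_access_log | php_bursts 3
```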

Posted by shahzaibcw, 11-28-2013, 09:22 AM
This is one of my friend's websites and he said that the traffic is high on the site and it looks like the server is unable to handle that traffic. I changed the php handler to php-dso and the issue is still not resolved, with a load-avg of 400+ on the server. What if I switch php to php-fpm? Please suggest something. It's really annoying that I am unable to track down the issue.

Posted by Hosting4Real, 11-29-2013, 04:48 AM
If renaming the file causes the load to be normal, then rename the file, look at the logs, fix the issue, and put the file back. If a site is killing the server, and you can't investigate the problem, then you should kill the site until things have been investigated. Don't kill other clients because one client is taking all the resources.


