Join Log in
Score:1
Pc Monk avatar Server

executed php-fpm files get CPU to 100% usage

tm flag
Pc Monk

Im running a e-commerce/LMS wordpress site with a 2 Core cpu ,4G Ram and 4Gswap ,100G disk space server with CentOS web admin panel.

today after getting serveral http 502 report from clients suddeny I noticed there was 14 php file executed 2 on index.php (nginx) and 12 on my wordfence wflogs php files (php-fpm) using this command watch -n1 "lsof | grep '\.php'".

After restarting both nginx and php-fpm servers the executed php files would disappear but after new connection to the site the matter will happen within 2 minutes again.

Investigating more into this I had custom php-fpm74 php.ini and nginx.conf which I removed both and reinstalled.problem stil there

Have to mention everytime after restart the first couple of times everytime I refresh I could see all the php files been executed then removed but after some refreshes I would have a list of open php files which where the followings

nginx      1893          nobody   38r      REG              253,2        405       7357 /home/azc/public_html/index.php
nginx      1893          nobody   42r      REG              253,2       5543      93120 /home/azc/public_html/wp-cron.php
nginx      1894          nobody   38r      REG              253,2        405       7357 /home/azc/public_html/index.php
php-fpm    2784         azc    6u      REG              253,2         51      98078 /home/azc/public_html/wp-content/wflogs/ips.php
php-fpm    2784         azc    7u      REG              253,2        560      58362 /home/azc/public_html/wp-content/wflogs/config.php
php-fpm    2784         azc    8u      REG              253,2      40083      99496 /home/azc/public_html/wp-content/wflogs/attack-data.php
php-fpm    2784         azc    9u      REG              253,2      16502      29005 /home/azc/public_html/wp-content/wflogs/config-synced.php
php-fpm    2784         azc   10u      REG              253,2       5656     100459 /home/azc/public_html/wp-content/wflogs/config-livewaf.php
php-fpm    2784         azc   11u      REG              253,2    1402945      99209 /home/azc/public_html/wp-content/wflogs/config-transient.php

if I reconnect myself with ctrl+shift+R to mysite multiple times there will be a lot of them that dont get closed then server starts to return 502.I have installed Aapache , PHP-CGI and I couldnt run the site unfortunately so I decided to focus on this matter .

Services version:

  • Centos 7
  • Nginx 1.22.1
  • PHP-FPM 7.4.32
  • Wordpress 6.1.1
  • Wordfence plugin 7.8

site azc-fpm config

[azc]
listen = /opt/alt/php-fpm74/usr/var/sockets/azc.sock
listen.allowed_clients = 127.0.0.1

;listen.owner = "azc"
listen.group = "nobody"
listen.mode = 0660
user = "azc"
group = "azc"

request_slowlog_timeout = 15s
slowlog = /opt/alt/php-fpm74/usr/var/log/php-fpm-slowlog-azc.log

pm = ondemand
pm.max_children = 4
pm.max_requests = 4000
pm.process_idle_timeout = 15s

;listen.backlog = -1
;request_terminate_timeout = 0s
rlimit_files = 131072
rlimit_core = unlimited
catch_workers_output = yes

env[HOSTNAME] = $HOSTNAME
env[TMP] = /home/azc/tmp
env[TMPDIR] = /home/azc/tmp
env[TEMP] = /home/azc/tmp
env[PATH] = /usr/local/bin:/usr/bin:/bin

php-fpm.conf itself (since Im running centos web panel its cwpsvc.conf)

[cwpsvc]
listen = /opt/alt/php-fpm74/usr/var/sockets/cwpsvc.sock
listen.owner = cwpsvc
listen.group = cwpsvc
listen.mode = 0640
user = cwpsvc
group = cwpsvc
;request_slowlog_timeout = 5s
;slowlog = /opt/alt/php-fpm74/usr/var/log/php-fpm-slowlog-cwpsvc.log
listen.allowed_clients = 127.0.0.1
pm = ondemand
pm.max_children = 25
pm.process_idle_timeout = 15s
;listen.backlog = -1
request_terminate_timeout = 0s
rlimit_files = 131073
rlimit_core = unlimited
catch_workers_output = yes
env[HOSTNAME] = $HOSTNAME
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Website Nginx configuration

erver {
        listen x.x.x.x:443 ssl ;
        server_name azc.com  www.azc.com;
        root /home/azc/public_html;
        index index.php index.html index.htm;
        access_log /usr/local/apache/domlogs/azc.com.bytes bytes;
        access_log /usr/local/apache/domlogs/azc.com.log combined;
        error_log /usr/local/apache/domlogs/azc.com.error.log error;

        ssl_certificate      /etc/pki/tls/certs/azc.com.bundle;
        ssl_certificate_key  /etc/pki/tls/private/azc.com.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eN$
        ssl_prefer_server_ciphers   on;

        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 60m;

        location / {
                try_files $uri $uri/ /index.php?$args;
                add_header Strict-Transport-Security "max-age=31536000";
                add_header X-XSS-Protection "1; mode=block" always;
                add_header X-Content-Type-Options "nosniff" always;

                location ~.*\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
                        expires max;
                }

                location ~ [^/]\.php(/|$) {
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        if (!-f $document_root$fastcgi_script_name) {
                                return  404;
                        }

                        fastcgi_pass    unix:/opt/alt/php-fpm74/usr/var/sockets/azc.sock;
                        fastcgi_index   index.php;
                        include         /etc/nginx/fastcgi_params;
                }
        location ~* "/\.(htaccess|htpasswd)$" {deny all;return 404;}

        disable_symlinks if_not_owner from=/home/azc/public_html;

        location /.well-known/acme-challenge {
                default_type "text/plain";
                alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
        }

        location /.well-known/pki-validation {
                default_type "text/plain";
                alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
        }
}

PHP-FPM slowLog for the site

[29-Nov-2022 09:12:23]  [pool azc] pid 20575
script_filename = /home/azc/public_html/wp-admin/admin-ajax.php
[0x00007f856ca13df0] curl_exec() /home/azc/public_html/wp-includes/class-requests.php:381
[0x00007f856ca13870] request() /home/azc/public_html/wp-includes/class-wp-http.php:395
[0x00007f856ca136e0] request() /home/azc/public_html/wp-includes/class-wp-http.php:633
[0x00007f856ca13640] get() /home/azc/public_html/wp-includes/http.php:162
[0x00007f856ca135b0] wp_remote_get() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/Engine/Preload/AbstractProcess.php:202
[0x00007f856ca13510] preload() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/Engine/Preload/AbstractProcess.php:159
[0x00007f856ca13480] maybe_preload() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/Engine/Preload/PartialProcess.php:41
[0x00007f856ca13420] task() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/classes/dependencies/wp-media/background-processing/wp-background-process.php:315
[0x00007f856ca13370] handle() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/classes/dependencies/wp-media/background-processing/wp-background-process.php:$
[0x00007f856ca13300] maybe_handle() /home/azc/public_html/wp-includes/class-wp-hook.php:308
[0x00007f856ca13220] apply_filters() /home/azc/public_html/wp-includes/class-wp-hook.php:332
[0x00007f856ca131b0] do_action() /home/azc/public_html/wp-includes/plugin.php:517
[0x00007f856ca130d0] do_action() /home/azc/public_html/wp-admin/admin-ajax.php:203

Thanks for any help

462
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.