Hello all, and thank you for a great system! I have a script somewhere that is eating the server's resources. I can see it when looking with programs such as htop etc., but I can't determine which file is the problematic one. I can see the user but can't tell which exact file it is. How can I find out? Thank you very much, Tzahi, Israel.
Install htop, which is an easier-to-understand version of top. It has helped me narrow down malicious scripts in the past. The bad script will be at the top of the list and using the most resources. Use pkill to delete the process and even put it into a cronjob to run every minute while you're troubleshooting how the malicious script got installed. Usually a CMS like WordPress with outdated plugins is what we find happens a lot. http://www.thegeekstuff.com/2009/12/4-ways-to-kill-a-process-kill-killall-pkill-xkill/
Thank you both for the answers. Actually I have htop installed, but this is not my question. My question is related to ISPConfig 3, where htop doesn't show the script's full path. For example: How can I determine the specific PHP script that is running and is eating my CPU? @till Thank you very much, Tzahi
Try lsof to see what file handles that process has open. Look up the pid (not shown in htop above), e.g. say 12345, and run 'lsof -p 12345'. That process is a fastcgi daemon though, which will open php files, execute them, and close them again, so that won't actually help unless you catch it at a time it has the file open. You can try strace to see what open() calls are being run, e.g. 'strace -e open -f -p 12345'. Note in the above output you can tell it's the "web7" website, which is useful in itself. If the php scripts are being run/closed very quickly, try a simple 'tail -f /var/www/clients/client0/web7/log/access.log' to see what is being accessed (might keep an eye on the error.log too).
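The access-log suggestion in the reply above can be turned into a ranking instead of a live tail. This is an added example, not part of the original post: the function names `top_php_requests` and `sample_log` are hypothetical, the log lines are constructed, and it assumes the site's access.log is in Apache "combined" format.

```shell
#!/bin/sh
# Added example: rank PHP scripts by hit count in an access log, so the
# busiest script of a site (e.g. web7) stands out without watching tail -f.
# Assumption: Apache "combined" format, where the request line is the
# first double-quoted field.

# Usage: top_php_requests LOGFILE [N]
top_php_requests() {
    log=$1
    n=${2:-10}
    # Splitting on '"' makes field 2 the request: METHOD /path?query HTTP/x.y
    awk -F'"' '
        {
            split($2, req, " ")
            path = req[2]
            sub(/\?.*/, "", path)            # drop the query string
            if (path ~ /\.php$/) hits[path]++
        }
        END { for (p in hits) printf "%d %s\n", hits[p], p }
    ' "$log" | sort -k1,1nr -k2,2 | head -n "$n"
}

# Constructed sample lines (documentation IP ranges, made-up requests).
sample_log() {
cat <<'EOF'
203.0.113.5 - - [10/Oct/2015:13:55:36 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "constructed-agent"
203.0.113.5 - - [10/Oct/2015:13:55:36 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "constructed-agent"
198.51.100.7 - - [10/Oct/2015:13:55:37 +0200] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "constructed-agent"
198.51.100.7 - - [10/Oct/2015:13:55:37 +0200] "GET /style.css HTTP/1.1" 200 812 "-" "constructed-agent"
203.0.113.5 - - [10/Oct/2015:13:55:38 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "constructed-agent"
198.51.100.7 - - [10/Oct/2015:13:55:39 +0200] "GET /index.php?p=2 HTTP/1.1" 200 5090 "-" "constructed-agent"
192.0.2.44 - - [10/Oct/2015:13:55:40 +0200] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "constructed-agent"
EOF
}

# Demo on the constructed sample; on a real server pass the site's log,
# e.g. /var/www/clients/client0/web7/log/access.log
tmp=$(mktemp)
sample_log > "$tmp"
top_php_requests "$tmp" 3
rm -f "$tmp"
```

Hit count is only a proxy for CPU use: a single slow script called rarely will not rank high here, so compare the result with the timestamps at which the php-cgi process spikes in htop.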
Thank you very much! The bottom of your message is known to me, and didn't help to find the accurate script. The top of your message is very helpful. Thanks a lot!
I agree web7 is the key, but I think you might have better luck searching for it inside the system and PHP logs.