How to determine what php script is currently running on background?

Discussion in 'General' started by sza, Feb 27, 2017.

  1. sza

    sza Member

    Hello all, and thank you for a great system!
    I have somewhere a script that is eating the server's resources.
    I can see it when looking with programs such as htop, etc.
    But can't determine what is the problematic file.
    I can see the user but can't know what is the accurate file.
    How can I know it?
    Thank you very much,
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Have you checked your php or system log? Or you can try this.
  3. webguyz

    webguyz Active Member HowtoForge Supporter

    Install htop, which is an easier to understand version of top. Has helped me narrow down malicious scripts in the past. The bad script will be at the top of the list and using the most resources.

    Use pkill to delete the process and even put it into a cronjob to run every minute while you're troubleshooting how the malicious script got installed. Usually a CMS like Wordpress with outdated plugins is what we find happens a lot.
    ahrasis likes this.
  4. sza

    sza Member

    Thank both of you for the answers.
    Actually I have htop installed, but this is not my question.
    My question is related to IspConfig3 where htop doesn't show the full script's path.
    For example:
    How can I determine the specific php script that is running and is eating my CPU?
    Thank you very much,
    Last edited: Mar 10, 2017
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Try lsof to see what file handles that process has open. Look up the pid (not shown in htop above), e.g. say 12345, and run 'lsof -p 12345'. That process is a fastcgi daemon though, which will open php files, execute them, and close them again, so that won't actually help unless you catch it at a time it has the file open.

    You can try strace to see what open() calls are being run, e.g. 'strace -e open -f -p 12345'.

    Note in the above output you can tell it's the "web7" website, which is useful in itself. If the php scripts are being run/closed very quickly, try a simple 'tail -f /var/www/clients/client0/web7/log/access.log' to see what is being accessed (might keep an eye on the error.log too).
    sza likes this.
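
An added example, not part of the post above or of ISPConfig: since the FastCGI worker opens and closes scripts too quickly for lsof to catch, the strace output can be saved and ranked afterwards to see which .php file is loaded most often. The trace lines and the paths under web7 are constructed sample data, the function names are hypothetical, and the filter accepts both open() and openat() lines, which goes slightly beyond the `-e open` filter in the post.

```shell
#!/bin/sh
# Rank the .php files a PHP FastCGI worker opened, from captured strace output.
# Capture first (as root), with 12345 being the placeholder PID from the post:
#   strace -f -e trace=open,openat -p 12345 -o /tmp/php.trace
#   top_php_opens < /tmp/php.trace

# Reads strace lines on stdin and prints "<count> <path>" for every .php file
# that was opened successfully, most frequently opened first.
top_php_opens() {
  awk '
    # keep open()/openat() calls that returned a file descriptor;
    # failed calls end in "= -1 ENOENT (...)" and are skipped
    /open(at)?\(/ && / = [0-9]+$/ {
      # the path is the double-quoted argument ending in .php
      if (match($0, /"[^"]*\.php"/)) {
        path = substr($0, RSTART + 1, RLENGTH - 2)
        count[path]++
      }
    }
    END { for (p in count) printf "%d %s\n", count[p], p }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample trace (not real output) in the format strace -f prints.
sample_trace() {
  cat <<'EOF'
[pid 12345] open("/var/www/clients/client0/web7/web/index.php", O_RDONLY) = 5
[pid 12345] open("/var/www/clients/client0/web7/web/inc/job.php", O_RDONLY) = 6
[pid 12346] openat(AT_FDCWD, "/var/www/clients/client0/web7/web/inc/job.php", O_RDONLY) = 5
[pid 12345] open("/var/www/clients/client0/web7/web/missing.php", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 12346] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 5
[pid 12345] open("/var/www/clients/client0/web7/web/inc/job.php", O_RDONLY) = 6
EOF
}

# Demo run on the sample data
sample_trace | top_php_opens
```

Calls that strace splits into "unfinished" and "resumed" halves are not counted, so treat the numbers as a lower bound when many workers are traced at once.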
  6. sza

    sza Member

    Thank you very much!
    The bottom of your message is known to me, and didn't help to find the accurate script. The top of your message is very helpful.

    Thanks a lot!
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I agree web7 is the key but I think you might have better luck searching it inside the system and php log.
    sza likes this.
