Trying to figure out an issue with CPU

Discussion in 'ISPConfig 3 Priority Support' started by jpcyrenne, Apr 13, 2026 at 3:37 AM.

  1. jpcyrenne

    jpcyrenne Member HowtoForge Supporter

    Good day,
    Ref: ISPC_APP_VERSION', '3.2.11p2 on Ubuntu 20.04.6 LTS

    I haven't changed anything on the server and suddenly my 8 CPU cores are at 100%.
    Just trying to figure out if it's an attack or a PHP-56 issue. It has been 2 days.
    I restarted the server with no success.

    I do have some activity in the access.log

    But I have many cgi processes running in htop and here is a part of the error log:
    [Sun Apr 12 20:07:50.793989 2026] [fcgid:warn] [pid 1777] (32)Broken pipe: [client 14.191.65.37:11065] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function, referer: https://xsite.ca/
    [Sun Apr 12 20:07:51.134320 2026] [fcgid:warn] [pid 1704] [client 190.89.29.249:40250] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web1/.php-fcgi-starter, referer: https://xsite.ca/
    [Sun Apr 12 20:07:51.577306 2026] [fcgid:warn] [pid 1773] [client 190.133.174.166:38636] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web1/.php-fcgi-starter, referer: https://xsite.ca/
    [Sun Apr 12 20:07:55.609148 2026] [fcgid:warn] [pid 933] [client 14.191.82.77:32496] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web1/.php-fcgi-starter, referer: https://xsite.ca/
    [Sun Apr 12 20:07:56.785256 2026] [fcgid:warn] [pid 1760] [client 123.24.114.71:56335] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web1/.php-fcgi-starter, referer: https://xsite.ca/

    Non-stop in a tail -f command on error.log / Maybe part of the attack?

    Thanks in advance,
    JP
     
  2. jpcyrenne

    jpcyrenne Member HowtoForge Supporter

    This is one of many lines in htop:
    PID MEMORY USER GROUP COMMAND ARGS
    1701 167996 web1 client1 php-cgi5.6 /usr/bin/php-cgi5.6 -d open_basedir=/var/www/clients/client1/web1/web:/var/www/clients/client1/web1/private:/var/www/clients/client1/web1/tmp:/var/www/xsite.ca/web:/srv/www/xsite.ca/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom -d upload_tmp_dir=/var/www/clients/client1/web1/tmp -d session.save_path=/var/www/clients/client1/web1/tmp -d sendmail_path=/usr/sbin/sendmail -t -i -f [email protected]
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Probably a DoS attack. Check the access.log file; if you have lots of incoming requests on that site, then it's a DoS or similar attack. If you see lots of POST requests to a login form, then someone might be trying a lot of password combinations to get into the CMS or software of that site.
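
One way to run the access.log check suggested above, as an added example that is not part of the original thread: it counts requests per minute and per-client POSTs to login endpoints in Apache combined-format lines. The sample lines are constructed (documentation addresses); `LOGIN_PATHS` and both thresholds are assumptions to tune per site.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: path suffixes treated as login endpoints for the CMS in use.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/login")

def triage(lines, rate_threshold=600, login_threshold=20):
    """Summarise an access log: busy minutes and clients hammering login forms."""
    per_minute, per_ip, login_posts = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # empty/garbled request lines do not parse; count them
            continue
        per_minute[m["ts"][:17]] += 1  # key like "12/Apr/2026:20:07"
        per_ip[m["ip"]] += 1
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["method"] == "POST" and path.endswith(LOGIN_PATHS):
            login_posts[m["ip"]] += 1
    return {
        "parsed": sum(per_ip.values()),
        "skipped": skipped,
        "distinct_clients": len(per_ip),
        # Many requests per minute spread over many clients points to a flood.
        "flood_minutes": {k: n for k, n in per_minute.items() if n >= rate_threshold},
        # Repeated login POSTs from one client points to password guessing.
        "login_post_clients": {k: n for k, n in login_posts.items() if n >= login_threshold},
    }

# Constructed sample: six clients in one minute, then one client posting to a login form.
SAMPLE = [
    f'198.51.100.{i} - - [12/Apr/2026:20:07:{50 + i} -0400] "GET / HTTP/1.1" 200 512 "-" "x"'
    for i in range(1, 7)
] + [
    f'203.0.113.9 - - [12/Apr/2026:20:08:0{i} -0400] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "x"'
    for i in range(3)
] + ['203.0.113.9 - - [12/Apr/2026:20:08:05 -0400] "-" 408 - "-" "-"']

if __name__ == "__main__":
    # Low thresholds so the small sample triggers both findings.
    for key, value in triage(SAMPLE, rate_threshold=5, login_threshold=3).items():
        print(f"{key}: {value}")
```

On a real server, pass the open log file instead of `SAMPLE`, for example `triage(open(path, errors="replace"))`.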
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Do you have fail2ban installed? It might stop password guessing.
     
  5. jpcyrenne

    jpcyrenne Member HowtoForge Supporter

    I dug deeper and found that the customer had installed a WordPress to test a few months back. Yes, unzipping a WP (on a non-WP) production site with php-56 to test. The reason I'm keeping 5.6 (in its own VPS) is because his custom site works and he doesn't know how to upgrade...

    Solution : I made him clean up everything and now it's OK.

    I usually have fail2ban for SSH. Never really configured it for web... I'll look into it. Does make sense for password protected sites.

    Thanks once again for the fast responses.
    JP
     