when I run the TOP command in terminal - I can see two of the vhosts using most cpu% like this PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 9176 web132 20 0 1063688 42228 4420 S 1198 0.3 18646:58 phpUMI6bM_w7usn so against percentage cpu it is 1198 and against command it is phpUMI6bM_w7usn so can a single process use so much of cpu. when I tried find the path of the process. I traced it down to vhost/tmp folder. there were so many temp files were there like Code: ca_dompdf_img_A8qF2q ca_dompdf_img_f9OQPx ca_dompdf_img_kjjs9o ca_dompdf_img_pS6ydz ca_dompdf_img_UyISzh gifdompdf_img_VEaW3M.png ca_dompdf_img_a92e9c ca_dompdf_img_F9YD2G ca_dompdf_img_KJnmUe ca_dompdf_img_psEeBe ca_dompdf_img_Uykzps gifdompdf_img_vrCWGz.png How can I resolve this issue? Update: I have completely disabled the client and web in ISPCONFIG, but I can still see the same process running under the same vhost. Also tried kill 9176 - but the process still running.
Deactivate the website by unticking the 'active' checkbox of the site, wait until changes are written to disk. When the load is still high afterwards, thne try to kill the processes with: kill -9 PROCESSID where PROCESSID is the ID of the process that yu want to kill. Beside that, you should check the crontab of the user: crontab -l web132 there might be a malware cronjob in the crontab and you should scan the websites and /tmp and /var/tmp for malware.
Thanks Till for the process suggested. I have found some malicious scripts in the website, removed all of them. Now the question is where from they are getting in. is it through some Joomla security hole? or they are getting the ftp passwords? as far as permissions are concerned I have set the 755 and 644 except for tmp and cache folder which is 770 and 775.
A joomla hole is more likely. But to be sure, change the FTP password of the site and update joomla and it's extensions.
I tried this command, but it results in error for example usage error: no arguments permitted after this option I also tried like Code: crontab -l -u web132 but it results in no crontab for web132 whereas I have myself set many cronjobs for the user132, which should have been listed.
No, they should not be listed with this command. Websites cronjobs that you added in ISPConfig are cron files in the /etc/cron.d/ folder.