Control Web Panel
WebPanel => CentOS 7 Problems => Topic started by: michelgomide on October 01, 2024, 10:34:33 PM
-
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
8580 entrelac 20 0 656996 69096 15876 R 100.0 0.2 0:47.43 php-fpm
7370 entrelac 20 0 657008 70996 16640 R 96.6 0.2 1:49.46 php-fpm
8113 oitavob 20 0 677780 91368 16432 R 65.5 0.3 1:12.82 php-fpm
6932 multiges 20 0 548436 70708 14548 R 62.1 0.2 1:34.02 php-fpm
8969 pousadal 20 0 536020 56268 13740 R 62.1 0.2 0:06.55 php-fpm
Guys, everything was fine, two days ago it started to say 100 CPU, what could it be? What will be the problem.
Can you help me please
They are light sites, they don't have more than 500 visits per month
-
Is it always the entrelac user? Try monitoring in real time with htop or with Netdata.
-
Check access_logs:
/usr/local/apache/domlogs/
of the websites associated with the user "entrelac". It will help you to understand if the site is under attack or there are some "heavy" requests or the site is bombarded by some bot and then act accordingly.
Additionally. it will be good idea to check "server-status":
https://forum.centos-webpanel.com/i-can-build-it/apache-status-accesses/msg48966/?topicseen#msg48966
-
Who wants to bet it's some type of crypto script they are running?
-
Do you see a lot of that? I've never encountered it, personally. Usually just heavy scripts (poorly coded WP themes/extensions, Magento installations) or users with overly zealous cron scripts that consume a lot of CPU when they run -- and they are running them needlessly often for their traffic levels.
-
Sadly, yes.
They usually bring down the whole server.
-
Perchaps perfctl?
https://arstechnica.com/security/2024/10/persistent-stealthy-linux-malware-has-infected-thousands-since-2021/ (https://arstechnica.com/security/2024/10/persistent-stealthy-linux-malware-has-infected-thousands-since-2021/)