cwpsvc high cpu usage. lfd sending email every 10 mins
« on: September 21, 2017, 10:08:27 AM »
I get an e-mail every 10 minutes from the server. What's the problem?
A cwp restart and a server reboot don't work.

lfd on xxxxxx: Excessive resource usage: cwpsvc (8078 (Parent PID:780))

Account:      cwpsvc
Resource:     Process Time
Exceeded:     3647 > 3600 (seconds)
Executable:   /usr/local/cwp/php71/sbin/php-fpm
Command Line: php-fpm: pool cwpsvc
PID:          8078 (Parent PID:780)
Killed:       No



strace -p 15097 -s 80 -o debug.txt output :

Code: [Select]
accept(0, {sa_family=AF_LOCAL, NULL}, [2]) = 3
poll([{fd=3, events=POLLIN}], 1, 5000)  = 1 ([{fd=3, revents=POLLIN}])
times({tms_utime=4129, tms_stime=229, tms_cutime=0, tms_cstime=0}) = 429814412
read(3, "\1\1\0\1\0\10\0\0", 8)         = 8
read(3, "\0\1\0\0\0\0\0\0", 8)          = 8
read(3, "\1\4\0\1\2\275\3\0", 8)        = 8
read(3, "\17,SCRIPT_FILENAME/usr/local/cwpsrv/var/services/pma/index.php\v\16SCRIPT_NAME/pma/i"..., 704) = 704
read(3, "\1\4\0\1\0\0\0\0", 8)          = 8
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={60, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x7c0f00, [PROF], SA_RESTORER|SA_RESTART, 0x7f510d45d250}, {0x7c0f00, [PROF], SA_RESTORER|SA_RESTART, 0x7f510d45d250}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
open("/usr/local/cwpsrv/var/services/pma/index.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=20807, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=20807, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=20807, ...}) = 0
mmap(NULL, 20807, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbac000
getcwd("/usr/local/cwpsrv/var/services/pma", 4095) = 35
chdir("/usr/local/cwpsrv/var/services/pma") = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={90, 0}}, NULL) = 0
munmap(0x7f510fbac000, 20807)           = 0
close(4)                                = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/common.inc.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=35171, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=35171, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=35171, ...}) = 0
mmap(NULL, 35171, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fba9000
munmap(0x7f510fba9000, 35171)           = 0
close(4)                                = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/vendor_config.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=2330, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=2330, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=2330, ...}) = 0
mmap(NULL, 2330, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fc25000
munmap(0x7f510fc25000, 2330)            = 0
close(4)                                = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/php-gettext/gettext.inc", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=17451, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=17451, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=17451, ...}) = 0
mmap(NULL, 17451, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbad000
munmap(0x7f510fbad000, 17451)           = 0
close(4)                                = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
lstat("/usr/local/cwpsrv/var/services/pma/./streams.php", 0x7ffc71ea3a70) = -1 ENOENT (No such file or directory)
lstat("/usr/local/cwp/php71/lib/php/streams.php", 0x7ffc71ea3a70) = -1 ENOENT (No such file or directory)
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
lstat("/usr/local/cwpsrv/var/services/pma/./streams.php", 0x7ffc71ea3890) = -1 ENOENT (No such file or directory)
lstat("/usr/local/cwp/php71/lib/php/streams.php", 0x7ffc71ea3890) = -1 ENOENT (No such file or directory)
open("/usr/local/cwpsrv/var/services/pma/libraries/php-gettext/streams.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=3797, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=3797, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=3797, ...}) = 0
mmap(NULL, 3797, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fc25000
munmap(0x7f510fc25000, 3797)            = 0
close(4)                                = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
lstat("/usr/local/cwpsrv/var/services/pma/./gettext.php", 0x7ffc71ea3a70) = -1 ENOENT (No such file or directory)
lstat("/usr/local/cwp/php71/lib/php/gettext.php", 0x7ffc71ea3a70) = -1 ENOENT (No such file or directory)
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
lstat("/usr/local/cwpsrv/var/services/pma/./gettext.php", 0x7ffc71ea3890) = -1 ENOENT (No such file or directory)
lstat("/usr/local/cwp/php71/lib/php/gettext.php", 0x7ffc71ea3890) = -1 ENOENT (No such file or directory)
open("/usr/local/cwpsrv/var/services/pma/libraries/php-gettext/gettext.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=12648, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=12648, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=12648, ...}) = 0
mmap(NULL, 12648, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbae000
munmap(0x7f510fbae000, 12648)           = 0
close(4)                                = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/autoloader.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=450, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=450, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=450, ...}) = 0
mmap(NULL, 450, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fc25000
munmap(0x7f510fc25000, 450)             = 0
close(4)                                = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/Psr4Autoloader.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=4966, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=4966, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=4966, ...}) = 0
mmap(NULL, 4966, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbb0000
munmap(0x7f510fbb0000, 4966)            = 0
close(4)                                = 0
access("./libraries/ErrorHandler.php", F_OK) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/ErrorHandler.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=16875, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=16875, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=16875, ...}) = 0
mmap(NULL, 16875, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbad000
munmap(0x7f510fbad000, 16875)           = 0
close(4)                                = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/core.lib.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=30656, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=30656, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=30656, ...}) = 0
mmap(NULL, 30656, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbaa000
munmap(0x7f510fbaa000, 30656)           = 0
close(4)                                = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/string.lib.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=800, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=800, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=800, ...}) = 0
mmap(NULL, 800, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fc25000
munmap(0x7f510fc25000, 800)             = 0
close(4)                                = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/stringMb.lib.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=1906, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=1906, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=1906, ...}) = 0
mmap(NULL, 1906, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fc25000
munmap(0x7f510fc25000, 1906)            = 0
...........................
« Last Edit: September 21, 2017, 10:43:43 AM by apsuva »

Re: cwpsvc high cpu usage. lfd sending email every 10 mins
« Reply #1 on: September 21, 2017, 11:53:07 AM »
That is all OK; add it to the csf process ignore list
/etc/csf/csf.pignore

as
exe:/usr/local/cwp/php71/sbin/php-fpm
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Re: cwpsvc high cpu usage. lfd sending email every 10 mins
« Reply #2 on: September 21, 2017, 12:18:26 PM »
Are you sure it's normal? We installed cwp 1 year ago. This is the first time we are getting these errors.
We have another cwp server. It's not showing errors like that.

Please explain what cwpsvc is doing. The top -u cwpsvc command always shows 2 processes. 1 hour later it's ending and starting again. The other server shows nothing.

Re: cwpsvc high cpu usage. lfd sending email every 10 mins
« Reply #3 on: September 21, 2017, 12:24:08 PM »
yes 100%

cwpsvc is a process that is used for cwp services, for example roundcube and phpmyadmin. If you have high activity there, then you should check whether you have a brute force attack there.

you can check cwp logs for that
http://wiki.centos-webpanel.com/service-log-paths

Re: cwpsvc high cpu usage. lfd sending email every 10 mins
« Reply #4 on: September 21, 2017, 12:57:16 PM »
You are right. I found him. Thank you for the help!

Sep 21 15:50:08 ext kernel: Firewall: *UDP_IN Blocked* IN=enp4s0 OUT= MAC=38:d5:47:c7:db:0f:2c:21:31:28:a2:c9:08:00 SRC=218.11.2.168 DST=xx.xx.xx.xx LEN=118 TOS=0x00 PREC=0x00 TTL=251 ID=52048 PROTO=UDP SPT=3000 DPT=1900 LEN=98
Sep 21 15:50:11 ext kernel: Firewall: *UDP_IN Blocked* IN=enp4s0 OUT= MAC=38:d5:47:c7:db:0f:2c:21:31:28:a2:c9:08:00 SRC=218.11.2.168 DST=xx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=251 ID=32335 PROTO=UDP SPT=3000 DPT=123 LEN=16
Sep 21 15:50:14 ext kernel: Firewall: *UDP_IN Blocked* IN=enp4s0 OUT= MAC=38:d5:47:c7:db:0f:2c:21:31:28:a2:c9:08:00 SRC=218.11.2.168 DST=xx.xx.xx.xx LEN=118 TOS=0x00 PREC=0x00 TTL=251 ID=19685 PROTO=UDP SPT=3000 DPT=1900 LEN=98
Sep 21 15:50:15 ext kernel: Firewall: *UDP_IN Blocked* IN=enp4s0 OUT= MAC=38:d5:47:c7:db:0f:2c:21:31:28:a2:c9:08:00 SRC=218.11.2.168 DST=xx.xx.xx.xx LEN=118 TOS=0x00 PREC=0x00 TTL=251 ID=52453 PROTO=UDP SPT=3000 DPT=1900 LEN=98
Sep 21 15:50:17 ext kernel: Firewall: *UDP_IN Blocked* IN=enp4s0 OUT= MAC=38:d5:47:c7:db:0f:2c:21:31:28:a2:c9:08:00 SRC=218.11.2.168 DST=xx.xx.xx.xx LEN=29 TOS=0x00 PREC=0x00 TTL=251 ID=58445 PROTO=UDP SPT=3000 DPT=1434 LEN=9

Re: cwpsvc high cpu usage. lfd sending email every 10 mins
« Reply #5 on: September 21, 2017, 01:18:24 PM »
Note that this is UDP traffic coming to custom ports, and that isn't something that would show cwpsvc as a process, since cwpsvc is using cwp ports and TCP traffic.

Re: cwpsvc high cpu usage. lfd sending email every 10 mins
« Reply #6 on: September 21, 2017, 01:35:41 PM »
I found another attacker. It's brute force. I need to change the phpmyadmin directory. cwpsvc is normal now.

79.137.32.215 - - [21/Sep/2017:16:08:53 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=hna1950&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 345
79.137.32.215 - - [21/Sep/2017:16:08:54 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=hued&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 342
79.137.32.215 - - [21/Sep/2017:16:08:54 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=hnyc&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 342
79.137.32.215 - - [21/Sep/2017:16:08:55 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=ho&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 340
79.137.32.215 - - [21/Sep/2017:16:08:55 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=hijinks&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 345
79.137.32.215 - - [21/Sep/2017:16:08:55 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=ho-chi&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 344
79.137.32.215 - - [21/Sep/2017:16:08:55 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=hueron&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 344
79.137.32.215 - - [21/Sep/2017:16:08:56 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=ho-ming&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 345

Re: cwpsvc high cpu usage. lfd sending email every 10 mins
« Reply #7 on: September 22, 2017, 11:37:54 AM »
Great, you can simply block that IP with csf, for example:
Code: [Select]
csf -d <IP> "pma brute force attack"
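
Added example, not part of the original thread and not CWP or csf code: a shell function that runs the check suggested in Reply #3 over access-log lines in the format posted in Reply #6, flagging clients that send pma_username/pma_password in the query string at a high per-minute rate, and printing csf -d commands in the form from Reply #7 for review without running them. The threshold of 5 per minute, the function names and the sample log lines are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Flags clients that send phpMyAdmin
# credentials in the query string at a high rate, reading a combined-format
# access log on stdin. Output: "<ip> <peak attempts/minute> <total attempts>".

THRESHOLD=${THRESHOLD:-5}   # assumed cut-off: attempts within any one minute

pma_bruteforce_ips() {
    awk -v limit="$THRESHOLD" '
    # $1 = client IP, $4 = "[dd/Mon/yyyy:HH:MM:SS", $7 = request URI
    $7 ~ /[?&]pma_username=/ && $7 ~ /[?&]pma_password=/ {
        # Accept only an IPv4 dotted quad so nothing else reaches the output.
        if ($1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        minute = substr($4, 2, 17)            # dd/Mon/yyyy:HH:MM
        n = ++per_minute[$1 SUBSEP minute]
        if (n > peak[$1]) peak[$1] = n
        total[$1]++
    }
    END {
        for (ip in total)
            if (peak[ip] >= limit) print ip, peak[ip], total[ip]
    }' | sort
}

# Render the findings as csf deny commands for an operator to review.
# Nothing is executed, and the guessed passwords are never echoed.
csf_deny_commands() {
    pma_bruteforce_ips | while read -r ip peak total; do
        printf 'csf -d %s "pma brute force attack (%s/min, %s total)"\n' \
            "$ip" "$peak" "$total"
    done
}

# Constructed sample log: a burst from one client, slow guesses from another,
# and an ordinary page view. Addresses are RFC 5737 documentation ranges.
sample_log() {
    req='"GET /phpmyadmin/index.php?pma_username=root&pma_password=guess%s&server=1 HTTP/1.1" 301 345\n'
    for i in 1 2 3 4 5 6; do
        printf "203.0.113.7 - - [21/Sep/2017:16:08:5%s +0300] $req" "$i" "$i"
    done
    for i in 1 2 3; do
        printf "198.51.100.20 - - [21/Sep/2017:16:1%s:00 +0300] $req" "$i" "$i"
    done
    printf '192.0.2.9 - - [21/Sep/2017:16:20:00 +0300] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120\n'
}

sample_log | csf_deny_commands
```

On a real server, pipe the relevant access log into csf_deny_commands in place of sample_log and review the printed commands before running any of them.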