lfd on /domain.name/: Excessive resource usage: www-data (617 (Parent PID:413))

[mateusz]

Hi,
After latest updates I‘m getting messages from server ([email protected]) every hour 2 messages:

Title: lfd on /domain.name/: Excessive resource usage: www-data (617 (Parent PID:413))
Message:
Time: Mon Nov 2 22:08:03 2020 +0100
Account: www-data
Resource: Process Time
Exceeded: 180300 > 1800 (seconds)
Executable: /usr/sbin/php-fpm7.4
Command Line: php-fpm: pool www
PID: 617 (Parent PID:413)
Killed: No


Thanks for your help in advance,
m

 

[factor]

That is a PT message from CSF. It means the Firewall thinks PHP-FPM is using too much time. Also looks like it from a non DA server do you have Directadmin installed on this server?

 

[mateusz]

Thanks, yes I have DirectAdmin (1.61.5).
Any suggestions what to do in this situation?

Thanks,
Mat

 

[factor]

Well it could be a great many things or it could be nothing. You need to research why php is using so much process time.

 

[scriptkitty]

Do you have any entries in your csf process ignore file for fpm?

grep -i fpm /etc/csf/csf.pignore

 

[mateusz]

Thanks, in SSH I’m getting:
pexe:/usr/local/php../sbin/php-fpm..

But file has this:
exe:/bin/dbus-daemon
exe:/sbin/ntpd
exe:/usr/bin/dbus-daemon
exe:/usr/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/bin/lsmd
exe:/usr/lib/polkit-1/polkitd
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/stats
exe:/usr/libexec/gam_server
exe:/usr/libexec/hald-addon-acpi
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/local/directadmin/dataskq
exe:/usr/local/directadmin/directadmin
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/mysql-5.1.54-linux-x86_64/bin/mysqld
exe:/usr/sbin/chronyd
exe:/usr/sbin/exim
exe:/usr/sbin/exim
exe:/usr/sbin/hald
exe:/usr/sbin/httpd
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/sbin/named
exe:/usr/sbin/nscd
exe:/usr/sbin/ntpd
exe:/usr/sbin/proftpd
exe:/usr/sbin/sshd
exe:/usr/sbin/apache2
exe:/usr/sbin/mysqld
exe:/lib/systemd/systemd-timesyncd
exe:/usr/local/bin/freshclam

# Some additional entries that you might want to ignore on DirectAdmin
# servers.
# However, be aware of the security implications under "Process Tracking" in
# the csf readme.txt when using these:
#
#cmd:/bin/sh /usr/bin/mysqld_safe
#cmd:/bin/sh /usr/bin/mysqld_safe --basedir=/usr
user:mysql
user:diradmin
exe:/usr/libexec/dovecot/lmtp
exe:/usr/libexec/dovecot/managesieve-login
exe:/usr/local/bin/clamd
exe:/usr/share/cagefs-skeleton/usr/selector/lsphp
exe:/usr/selector/lsphp
exe:/usr/local/bin/lsphp
pexe:/usr/local/php../bin/php_uploadscan.sh
pexe:/opt/alt/php../usr/bin/php-cgi
pexe:/opt/alt/php../usr/bin/php
pexe:/opt/alt/php../usr/bin/lsphp
pexe:/usr/local/php../sbin/php-fpm..
pexe:/usr/local/php../bin/php-cgi..
pexe:/usr/local/php../bin/php..
pexe:/usr/local/php../bin/lsphp..
exe:/usr/sbin/pure-ftpd
exe:/usr/local/bin/pureftpd_uploadscan.sh
exe:/usr/selector/php
exe:/usr/selector/php-cli
exe:/usr/sbin/nginx
exe:/usr/sbin/proxyexec
pexe:/usr/local/safe-bin/fcgid...sh
exe:/usr/sbin/rsyslogd
exe:/usr/sbin/atd
exe:/usr/bin/wget
exe:/bin/gzip
exe:/bin/tar
exe:/usr/bin/rspamd

# MANAGED BY INSTALLATRON
pcmd:/usr/local/bin/php -n -c /usr/local/installatron/etc/php.ini -f (?:/usr/local/installatron/lib/|/var/installatron/cache/|/var/installatron/tasks/)[^/]+
# MANAGED BY INSTALLATRON END
exe:/opt/netdata/usr/libexec/netdata/plugins.d/go.d.plugin
exe:/opt/netdata/bin/srv/netdata
exe:/opt/netdata/usr/libexec/netdata/plugins.d/apps.plugin
exe:/opt/netdata/bin/bash
user:netdata

 

[dmtinc]

Something isnt normal...


The path used by DirectAdmin for php already is ignored in your csf config:


pexe:/usr/local/php../sbin/php-fpm..
pexe:/usr/local/php../bin/php-cgi..
pexe:/usr/local/php../bin/php..
pexe:/usr/local/php../bin/lsphp..


For example the path for php 7.4 is:


/usr/local/php74/sbin/php-fpm74

Can you exec this:

ls -al /usr/sbin/php*
ls -al /usr/local/bin/php*

Other thing is the account "www-data", php-fpm pool is executed under the user uid, for example:


webapps 23751 0.2 0.1 317264 22656 ? S Nov05 0:35 php-fpm: pool webapps


So where came from the user www-data or the www pool? is a www-data user in /usr/local/directadmin/data/users/ ?

Have you installed php and php-fpm using yum or apt?

 

[factor]

Something isnt normal...

Correct
which is why I said.

from a non DA server

It was a tip to the OP he has done something wrong.

Maybe he either installed DA over a non-clean server

or

He installed PHP through the OS.