Which user file is causing 100% CPU usage?

peps03

Verified User
Joined
Oct 24, 2013
Messages
192
Location
Amsterdam
I've been trying to figure out which user file/script is causing 100% CPU usage. I know the user obviously, but I can't find a way to determine which file is causing it.

Server specs:

Apache 2.4.25 Running
DirectAdmin 1.51.3 Running
Exim 4.89 Running
MariaDB 10.1.21 Running
Named 9.9.4 *** Stopped ***
sshd Running
dovecot 2.2.28 (bed8434) Running
pure-ftpd 1.0.43 Running
Php 5.6.30
PHP 7.0 7.0.16

Server Version: Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips
Server Built: Mar 9 2017 23:59:03
Server loaded APR Version: 1.5.2
Compiled with APR Version: 1.5.2
Server loaded APU Version: 1.5.4
Compiled with APU Version: 1.5.4
Timeouts: connection: 60 keep-alive: 2
MPM Name: worker
MPM Information: Max Daemons: 5 Threaded: yes Forked: yes
Server Architecture: 64-bit
Server Root: /etc/httpd
Config File: /etc/httpd/conf/httpd.conf
Server Built With:
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="/var/logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Load: http://prntscr.com/evf6g9

I've checked /server-status and /server-info, the logs, top via ssh, the user error logs. But nothing points me to the file. Any ideas how to find it?

Thanks!
 
Check /var/log/messages if you see anything there. Also look in the users domain logs, it might be an xmlrpc.php attack.
If you have WordPress installations containing those, protect them or just simply delete them. Most people don't even use the option it's provided for.
 
OR you can temporarily change the permission of xmlrpc.php, wp-cron.php from 644 to 000 if it's a WordPress installation and see how it goes. :)
 
The general apache access log mostly shows: http://prntscr.com/evoucc

Check server-status more attentively and/or users' logs instead of the general Apache access log, which most likely shows visits from a monitoring service.

And the nginx log is almost empty: http://prntscr.com/evov00

That's not a user's log; what do you expect to see there?

And the user log doesn't show CPU usage, correct? http://prntscr.com/evovqc

The screen does not show CPU usage at all. DirectAdmin does not show CPU usage of users, unless you use CloudLinux.

Where should I look?

Check your server for malware, grep POST requests from nginx/apache logs. Check system logs. Check MySQL requests with mysqladmin. iotop and stats.

There is no page in DirectAdmin where you could find a clear line saying user bob is under attack by bots, script.php is used for attacks... you should gather information from different sources and analyse it.
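The "grep POST requests from the logs" step above, as an added example that is not from this thread or from DirectAdmin: two small POSIX shell/awk helpers that tally POST requests per script path and per client IP in a combined-format access log, which is how an xmlrpc.php or wp-login.php flood on one user's site stands out. The log lines are constructed sample data; the per-domain log path in the comment is an assumption about a typical DirectAdmin layout, not taken from the thread.

```shell
# Constructed sample in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [28/Mar/2017:10:00:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Mar/2017:10:00:02 +0200] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Mar/2017:10:00:03 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Mar/2017:10:00:04 +0200] "POST /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Mar/2017:10:00:05 +0200] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Mar/2017:10:00:06 +0200] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/4.7"
EOF
)

# Count POST requests per script path (query string stripped), busiest first.
# Field 6 of a combined-format line is the quoted method, field 7 the path.
# Usage: post_targets < /path/to/access_log
post_targets() {
  awk '$6 == "\"POST" { split($7, p, "?"); c[p[1]]++ }
       END { for (k in c) printf "%d %s\n", c[k], k }' | sort -rn
}

# Count POST requests per client IP, most active first.
# Usage: post_sources < /path/to/access_log
post_sources() {
  awk '$6 == "\"POST" { c[$1]++ }
       END { for (k in c) printf "%d %s\n", c[k], k }' | sort -rn
}

# Stand-alone run on the constructed sample. On a real box you would loop
# over each user's domain log instead, e.g. (assumed DirectAdmin location):
#   for f in /var/log/httpd/domains/*.log; do echo "== $f"; post_targets < "$f" | head -n3; done
printf '%s\n' "$SAMPLE_LOG" | post_targets
printf '%s\n' "$SAMPLE_LOG" | post_sources
```

A single path such as /xmlrpc.php dominating the POST count for one domain, from one or a few IPs, is the signal to look at before touching file permissions.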
 