Malware php-fpm issue


One of the website is generating high CPU usage for php-fpm processes. It can be miner or malware.
Is there a way to track what file is being used in php-fpm process?


check the access log for the server in question

More likely a badly configured / written website. Whatever is being run in php has to start somewhere - I have VS that have it disabled you don’t need it unless a website you are hosting needs it. So the website is attracting hits and the code therein running php to excess. (WordPress by any chance?)

Of course all that also depends on the power of your box (No of cores, and the memory available)

Where is that helpful system information?


Thanks for the answers, I was looking for some tool to show live processing on the FS (exact path to file/files) I think access.log won’t show miner process.

But you still have not told the community that important “System information” how do we know which OS and all the other version details you are using. There is a reason this is requested when you make a post requesting help from the forum. Help us to help you.

Have you tries googling something like “ process list”?
Are you using Antivirus.
The access log is useful to give you some idea an IP that is attacking so you can block it.
About the only way you can be mined is for an IP to connect and get a response.
If someone has put a file on your server you have very poor security. It might be good to know what it is but it is likely to be too late. If it has root privileges consider the box useless even if you find it and where it came from.


I’m using Ubuntu Linux 20.04.6 csf+mod_security as per investigation no file has been placed on the server anyway would be great to have some tool to show what single php-fpm process is doing.

Have you run the “top” command as this shows the running processes on the server?

webmin can trace process

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.