• Hi

    i am running 2.3-RELEASE (amd64)
    built on Mon Apr 11 18:10:34 CDT 2016
    FreeBSD 10.3-RELEASE

    but when i do a TOP i see this and maybe a lot more php's

    18292 root        3  40  20  1312M  707M sbwait  1  35:04  2.69% snort
    57638 root        1  52    0  262M 35748K accept  0  0:00  0.39% php-fpm
    18661 root        2  40  20  857M  456M nanslp  3 325:32  0.00% snort
    18859 root        1  20    0 16676K  2744K bpf    1  13:47  0.00% filterlog
    50237 root        1  20    0  224M 34120K nanslp  2  12:27  0.00% php
    7977 root        1  20    0  224M 34136K nanslp  1  12:26  0.00% php
    49823 root        1  20    0  224M 34136K nanslp  2  12:25  0.00% php
    31236 root        1  20    0  224M 34108K nanslp  0  12:19  0.00% php
    24484 root        1  20    0  224M 34080K nanslp  1  12:16  0.00% php
    14219 root        1  20    0  224M 34092K nanslp  1  12:16  0.00% php
    31160 root        1  20    0  224M 34128K nanslp  0  12:15  0.00% php
    66238 root        1  20    0  224M 34104K nanslp  1  12:15  0.00% php
    75871 root        1  20    0  224M 34104K nanslp  3  12:14  0.00% php
    13952 root        1  20    0  224M 34136K nanslp  3  12:14  0.00% php
    83219 root        1  20    0  224M 34152K nanslp  2  12:14  0.00% php
    6850 root        1  20    0  224M 34148K nanslp  3  12:13  0.00% php
    93653 root        1  20    0  224M 34076K nanslp  3  12:13  0.00% php
    80756 root        1  20    0  224M 34148K nanslp  3  12:13  0.00% php
    9774 root        1  20    0  224M 34116K nanslp  0  12:12  0.00% php
    20323 root        1  20    0  224M 34152K nanslp  0  12:08  0.00% php
    27378 root        1  20    0  224M 34132K nanslp  0  12:07  0.00% php
    35122 root        1  20    0  224M 34136K nanslp  1  12:07  0.00% php
    94768 root        1  20    0  224M 34152K nanslp  0  12:06  0.00% php
    94540 root        1  20    0  224M 34160K nanslp  3  12:06  0.00% php
    96485 root        1  20    0  224M 34152K nanslp  0  12:05  0.00% php
    44822 root        1  20    0  224M 34156K nanslp  2  12:04  0.00% php
    3795 root        1  20    0  224M 34152K nanslp  0  12:04  0.00% php
    49130 root        1  20    0  224M 34144K nanslp  0  12:03  0.00% php
    34714 root        1  20    0  224M 34148K nanslp  0  12:02  0.00% php
    43064 root        1  20    0  224M 34156K nanslp  3  11:32  0.00% php
    17358 root        1  20    0  224M 34124K nanslp  0  11:32  0.00% php
    53647 root        1  20    0  224M 34152K nanslp  0  11:31  0.00% php
    53053 root        1  20    0  224M 34144K nanslp  0  11:31  0.00% php
    38852 root        1  20    0  224M 34136K nanslp  1  11:30  0.00% php
    36567 root        1  20    0  224M 34144K nanslp  1  11:30  0.00% php
    10193 root        1  20    0  224M 34128K nanslp  0  11:29  0.00% php
    43540 root        1  20    0 14516K  2316K select  0  11:01  0.00% syslogd
    57781 root        1  20    0  224M 34080K nanslp  2  10:10  0.00% php
    36751 root        1  20    0  224M 34088K nanslp  0  10:09  0.00% php
    88497 root        1  20    0  224M 34092K nanslp  2  10:09  0.00% php
    84759 root        1  20    0  224M 34084K nanslp  0  10:07  0.00% php
    57495 root        1  20    0  224M 34084K nanslp  3  10:07  0.00% php
    88021 root        1  20    0  224M 34072K nanslp  3  10:05  0.00% php
      194 root        1  20    0  224M 34068K nanslp  0  10:04  0.00% php
    43344 root        1  20    0  224M 34076K nanslp  0  10:02  0.00% php
    17042 root        1  20    0  224M 34084K nanslp  0  10:01  0.00% php
    19150 root        1  20    0  224M 34080K nanslp  3  9:59  0.00% php
    32829 root        1  20    0  224M 34080K nanslp  2  9:59  0.00% php
    41287 root        1  20    0  224M 34088K nanslp  1  9:59  0.00% php
    38403 root        1  20    0  224M 34048K nanslp  0  9:27  0.00% php
    38608 root        1  20    0  224M 34024K nanslp  3  9:26  0.00% php
    51207 root        1  20    0  224M 34016K nanslp  0  9:26  0.00% php
    81867 root        1  20    0  224M 34016K nanslp  3  9:25  0.00% php
    61068 root        1  20    0  224M 34048K nanslp  1  9:25  0.00% php
    4907 root        1  20    0  224M 34004K nanslp  2  9:24  0.00% php

    due to that my load is also much higher then normal. i never seen this before. started to see it after the upgrades.

  • LAYER 8 Global Moderator

    Well that must be from some package your running.. Maybe snort that I see your running..


  • @johnpoz:

    Well that must be from some package your running.. Maybe snort that I see your running..

    Yes i have snort running as wel as pfblocker.

    i disabled both now. snort still seems to be in the service list as running while its all stopped.
    WAN DISABLED AC-BNFA ENABLED DISABLED

    but i still see all the php.

    I did a restart of the router and they are all gone now. Lets see if it gets back or not.

    I did update pfblockerng like 2 or 3 times since 2.3 might be something got stuck or so.

  • LAYER 8 Global Moderator

    well did you reboot??  What I can tell you is I don't see any php running on my pfsense 2.3



  • @johnpoz:

    well did you reboot??  What I can tell you is I don't see any php running on my pfsense 2.3

    Yes i just did a reboot. Might be a update of 1 of the plugins that caused this because i never had it before 2.3 like this.


    this is a image as you see it increases the processes starting about
    16-04-2016

  • LAYER 8 Global Moderator

    update 1?  You mean 2.3_1 that was a ntpd update… Yes I am running it..  You have some package doing it plain and simple..


  • @johnpoz:

    update 1?  You mean 2.3_1 that was a ntpd update… Yes I am running it..  You have some package doing it plain and simple..

    i guessed as much yes
    the only packages i have are

    Cron
    openvpn-client-export
    pfBlockerNG.
    Service_Watchdog
    snort security

    the one that got updated a few times is PFblocker.

  • LAYER 8 Global Moderator

    Well I can tell you the packages that I have that match yours are not doing it ;)

    I have the following packages..


  • Moderator

    Run the following commands:

    For Snort, you should see one process per defined Snort Interface(s):

    ps auxww | grep snort
    

    For pfBlockerNG, There should only be two processes (only if DNSBL is enabled):

    ps auxww | grep pfb
    root    39809   0.0  0.2  40364   6680  -  S    29Apr16     1:15.90 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
    root    40773   0.0  0.4 251152  12880  -  S    29Apr16     3:30.45 /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc dnsbl
    

    Need to do a process of elimination… Disable package services. Reboot... check if you still have the issue.... then add one package .... rinse and repeat ...


  • @BBcan177:

    Run the following commands:

    For Snort, you should see one process per defined Snort Interface(s):

    ps auxww | grep snort
    

    For pfBlockerNG, There should only be two processes (only if DNSBL is enabled):

    ps auxww | grep pfb
    root    39809   0.0  0.2  40364   6680  -  S    29Apr16     1:15.90 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
    root    40773   0.0  0.4 251152  12880  -  S    29Apr16     3:30.45 /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc dnsbl
    

    Need to do a process of elimination… Disable package services. Reboot... check if you still have the issue.... then add one package .... rinse and repeat ...

    i see there are 2 php processes again.

    disabling and rebooting each times costs way to much time that my network/server would be offline.

    as i said i never had the problem before 2.3_1 and i also never changed packaged still the same setting/packages.

    Problem is it takes a while before it shows it self again.

    and i rather dont run it without those 2 packages.

    ps auxww | grep snort
    root    99802  19.4  5.6  877940 460720  -  Ss    3:27PM   27:43.56 /usr/local/bin/snort -R 46905 -D -l /var/log/snort/snort_igb146905 --pid-path /var/run --nolock-pidfile -G 46905 -c /usr/local/etc/snort/snort_46905_        igb1/snort.conf -i igb1
    root    63597   1.2  8.1 1326116 670292  -  Is    3:33PM   12:11.00 /usr/local/bin/snort -R 19237 -D -l /var/log/snort/snort_igb019237 --pid-path /var/run --nolock-pidfile -G 19237 -c /usr/local/etc/snort/snort_19237_        igb0/snort.conf -i igb0
    root    42264   0.0  0.0   18740   2244  0  S+   10:46PM    0:00.00 grep snort
    
    
    root    28722   0.0  0.4  229204  33084  -  S     9:47PM    0:03.15 /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc dnsbl
    root    28771   0.0  0.4  229204  33104  -  S     9:47PM    0:03.16 /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc dnsbl
    root    91567   0.0  0.1   44340   6220  -  S     3:25PM    0:00.88 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
    root    78542   0.0  0.0   18740   2240  0  S+   10:47PM    0:00.00 grep pfb
    

    When i update pfblocker and use reload all.
    i see a PHP process pop up and once the reload is done its gone again.

    is it possible the php's one are stray ones that didn't want to close/end correctly?