Lot of PHP processes

musicwizard

Hi

i am running 2.3-RELEASE (amd64)
built on Mon Apr 11 18:10:34 CDT 2016
FreeBSD 10.3-RELEASE

but when i do a TOP i see this and maybe a lot more php's

18292 root 3 40 20 1312M 707M sbwait 1 35:04 2.69% snort
57638 root 1 52 0 262M 35748K accept 0 0:00 0.39% php-fpm
18661 root 2 40 20 857M 456M nanslp 3 325:32 0.00% snort
18859 root 1 20 0 16676K 2744K bpf 1 13:47 0.00% filterlog
50237 root 1 20 0 224M 34120K nanslp 2 12:27 0.00% php
7977 root 1 20 0 224M 34136K nanslp 1 12:26 0.00% php
49823 root 1 20 0 224M 34136K nanslp 2 12:25 0.00% php
31236 root 1 20 0 224M 34108K nanslp 0 12:19 0.00% php
24484 root 1 20 0 224M 34080K nanslp 1 12:16 0.00% php
14219 root 1 20 0 224M 34092K nanslp 1 12:16 0.00% php
31160 root 1 20 0 224M 34128K nanslp 0 12:15 0.00% php
66238 root 1 20 0 224M 34104K nanslp 1 12:15 0.00% php
75871 root 1 20 0 224M 34104K nanslp 3 12:14 0.00% php
13952 root 1 20 0 224M 34136K nanslp 3 12:14 0.00% php
83219 root 1 20 0 224M 34152K nanslp 2 12:14 0.00% php
6850 root 1 20 0 224M 34148K nanslp 3 12:13 0.00% php
93653 root 1 20 0 224M 34076K nanslp 3 12:13 0.00% php
80756 root 1 20 0 224M 34148K nanslp 3 12:13 0.00% php
9774 root 1 20 0 224M 34116K nanslp 0 12:12 0.00% php
20323 root 1 20 0 224M 34152K nanslp 0 12:08 0.00% php
27378 root 1 20 0 224M 34132K nanslp 0 12:07 0.00% php
35122 root 1 20 0 224M 34136K nanslp 1 12:07 0.00% php
94768 root 1 20 0 224M 34152K nanslp 0 12:06 0.00% php
94540 root 1 20 0 224M 34160K nanslp 3 12:06 0.00% php
96485 root 1 20 0 224M 34152K nanslp 0 12:05 0.00% php
44822 root 1 20 0 224M 34156K nanslp 2 12:04 0.00% php
3795 root 1 20 0 224M 34152K nanslp 0 12:04 0.00% php
49130 root 1 20 0 224M 34144K nanslp 0 12:03 0.00% php
34714 root 1 20 0 224M 34148K nanslp 0 12:02 0.00% php
43064 root 1 20 0 224M 34156K nanslp 3 11:32 0.00% php
17358 root 1 20 0 224M 34124K nanslp 0 11:32 0.00% php
53647 root 1 20 0 224M 34152K nanslp 0 11:31 0.00% php
53053 root 1 20 0 224M 34144K nanslp 0 11:31 0.00% php
38852 root 1 20 0 224M 34136K nanslp 1 11:30 0.00% php
36567 root 1 20 0 224M 34144K nanslp 1 11:30 0.00% php
10193 root 1 20 0 224M 34128K nanslp 0 11:29 0.00% php
43540 root 1 20 0 14516K 2316K select 0 11:01 0.00% syslogd
57781 root 1 20 0 224M 34080K nanslp 2 10:10 0.00% php
36751 root 1 20 0 224M 34088K nanslp 0 10:09 0.00% php
88497 root 1 20 0 224M 34092K nanslp 2 10:09 0.00% php
84759 root 1 20 0 224M 34084K nanslp 0 10:07 0.00% php
57495 root 1 20 0 224M 34084K nanslp 3 10:07 0.00% php
88021 root 1 20 0 224M 34072K nanslp 3 10:05 0.00% php
194 root 1 20 0 224M 34068K nanslp 0 10:04 0.00% php
43344 root 1 20 0 224M 34076K nanslp 0 10:02 0.00% php
17042 root 1 20 0 224M 34084K nanslp 0 10:01 0.00% php
19150 root 1 20 0 224M 34080K nanslp 3 9:59 0.00% php
32829 root 1 20 0 224M 34080K nanslp 2 9:59 0.00% php
41287 root 1 20 0 224M 34088K nanslp 1 9:59 0.00% php
38403 root 1 20 0 224M 34048K nanslp 0 9:27 0.00% php
38608 root 1 20 0 224M 34024K nanslp 3 9:26 0.00% php
51207 root 1 20 0 224M 34016K nanslp 0 9:26 0.00% php
81867 root 1 20 0 224M 34016K nanslp 3 9:25 0.00% php
61068 root 1 20 0 224M 34048K nanslp 1 9:25 0.00% php
4907 root 1 20 0 224M 34004K nanslp 2 9:24 0.00% php

due to that my load is also much higher then normal. i never seen this before. started to see it after the upgrades.

johnpoz

Well that must be from some package your running.. Maybe snort that I see your running..

musicwizard

@johnpoz:

Well that must be from some package your running.. Maybe snort that I see your running..

Yes i have snort running as wel as pfblocker.

i disabled both now. snort still seems to be in the service list as running while its all stopped.
WAN DISABLED AC-BNFA ENABLED DISABLED

but i still see all the php.

I did a restart of the router and they are all gone now. Lets see if it gets back or not.

I did update pfblockerng like 2 or 3 times since 2.3 might be something got stuck or so.

johnpoz

well did you reboot?? What I can tell you is I don't see any php running on my pfsense 2.3

toppsense.png_thumb

musicwizard

@johnpoz:

well did you reboot?? What I can tell you is I don't see any php running on my pfsense 2.3

Yes i just did a reboot. Might be a update of 1 of the plugins that caused this because i never had it before 2.3 like this.

this is a image as you see it increases the processes starting about
16-04-2016

johnpoz

update 1? You mean 2.3_1 that was a ntpd update… Yes I am running it.. You have some package doing it plain and simple..

musicwizard

@johnpoz:

update 1? You mean 2.3_1 that was a ntpd update… Yes I am running it.. You have some package doing it plain and simple..

i guessed as much yes
the only packages i have are

Cron
openvpn-client-export
pfBlockerNG.
Service_Watchdog
snort security

the one that got updated a few times is PFblocker.

johnpoz

Well I can tell you the packages that I have that match yours are not doing it ;)

I have the following packages..

packages.png_thumb

BBcan177

Run the following commands:

For Snort, you should see one process per defined Snort Interface(s):

ps auxww | grep snort

For pfBlockerNG, There should only be two processes (only if DNSBL is enabled):

ps auxww | grep pfb
root    39809   0.0  0.2  40364   6680  -  S    29Apr16     1:15.90 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
root    40773   0.0  0.4 251152  12880  -  S    29Apr16     3:30.45 /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc dnsbl

Need to do a process of elimination… Disable package services. Reboot... check if you still have the issue.... then add one package .... rinse and repeat ...

musicwizard

@BBcan177:

Run the following commands:

For Snort, you should see one process per defined Snort Interface(s):
ps auxww | grep snort
For pfBlockerNG, There should only be two processes (only if DNSBL is enabled):
ps auxww | grep pfb
root    39809   0.0  0.2  40364   6680  -  S    29Apr16     1:15.90 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
root    40773   0.0  0.4 251152  12880  -  S    29Apr16     3:30.45 /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc dnsbl
Need to do a process of elimination… Disable package services. Reboot... check if you still have the issue.... then add one package .... rinse and repeat ...

i see there are 2 php processes again.

disabling and rebooting each times costs way to much time that my network/server would be offline.

as i said i never had the problem before 2.3_1 and i also never changed packaged still the same setting/packages.

Problem is it takes a while before it shows it self again.

and i rather dont run it without those 2 packages.

ps auxww | grep snort
root    99802  19.4  5.6  877940 460720  -  Ss    3:27PM   27:43.56 /usr/local/bin/snort -R 46905 -D -l /var/log/snort/snort_igb146905 --pid-path /var/run --nolock-pidfile -G 46905 -c /usr/local/etc/snort/snort_46905_        igb1/snort.conf -i igb1
root    63597   1.2  8.1 1326116 670292  -  Is    3:33PM   12:11.00 /usr/local/bin/snort -R 19237 -D -l /var/log/snort/snort_igb019237 --pid-path /var/run --nolock-pidfile -G 19237 -c /usr/local/etc/snort/snort_19237_        igb0/snort.conf -i igb0
root    42264   0.0  0.0   18740   2244  0  S+   10:46PM    0:00.00 grep snort

root    28722   0.0  0.4  229204  33084  -  S     9:47PM    0:03.15 /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc dnsbl
root    28771   0.0  0.4  229204  33104  -  S     9:47PM    0:03.16 /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc dnsbl
root    91567   0.0  0.1   44340   6220  -  S     3:25PM    0:00.88 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
root    78542   0.0  0.0   18740   2240  0  S+   10:47PM    0:00.00 grep pfb

When i update pfblocker and use reload all.
i see a PHP process pop up and once the reload is done its gone again.

is it possible the php's one are stray ones that didn't want to close/end correctly?