This is a system running RHEL 2.6.18-348.6.1.el5PAE #1 SMP Tue May 21 16:17:08 EDT 2013 i686 i686 i386 GNU/Linux.
This seems somewhat relevant, and I'd like to know whether it has security implications:
Has a symlink been placed to access my /sys/block nodes? Or is it just bots and the like crawling them?
top - 20:01:56 up 7 days, 21:41, 1 user, load average: 9.53, 10.53, 11.00
Tasks: 249 total, 9 running, 237 sleeping, 1 stopped, 2 zombie
Cpu(s): 15.0%us, 78.7%sy, 0.0%ni, 3.2%id, 3.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 4151512k total, 3739888k used, 411624k free, 126812k buffers
Swap: 4194296k total, 1901364k used, 2292932k free, 1532036k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
13485 client3 25 0 57964 42m 6740 R 99.7 1.0 329:07.17 php
11956 client3 25 0 58104 42m 7020 R 98.0 1.0 3550:36 php
16528 client3 22 0 57960 7264 6740 R 98.0 0.2 2784:35 php
9054 client3 25 0 57964 7280 6736 R 97.0 0.2 2610:32 php
18320 client3 25 0 57992 42m 7000 R 88.4 1.0 1025:54 php
21193 client3 25 0 57964 12m 6740 R 85.4 0.3 3711:50 php
21633 client3 25 0 57964 39m 6740 R 81.7 1.0 1215:48 php
23635 client2 15 0 52788 36m 7088 S 23.3 0.9 0:00.70 php
23633 client1 17 0 0 0 0 Z 11.6 0.0 0:00.35 php <defunct>
3194 mysql 15 0 741m 573m 4448 S 1.7 14.2 203:10.39 mysqld
16290 tryout 34 19 2604 1020 808 R 1.7 0.0 0:11.81 gtar
21629 nobody 18 0 395m 104m 2972 S 1.3 2.6 0:03.63 httpd
[~]# sudo strace -p 13485
stat64("/sys/block/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop7/subsystem/ram3/subsystem/ram5/subsystem/loop2/subsystem/loop5/dev", {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
stat64("/sys/block/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop7/subsystem/ram3/subsystem/ram5/subsystem/loop2/subsystem/loop5/holders", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
open("/sys/block/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop7/subsystem/ram3/subsystem/ram5/subsystem/loop2/subsystem/loop5/holders", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 4
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
getdents64(4, /* 2 entries */, 32768) = 48
getdents64(4, /* 0 entries */, 32768) = 0
close(4) = 0
stat64("/sys/block/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop7/subsystem/ram3/subsystem/ram5/subsystem/loop2/subsystem/loop5/range", {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
stat64("/sys/block/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop7/subsystem/ram3/subsystem/ram5/subsystem/loop2/subsystem/loop5/removable", {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
stat64("/sys/block/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop7/subsystem/ram3/subsystem/ram5/subsystem/loop2/subsystem/loop5/size", {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
stat64("/sys/block/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop7/subsystem/ram3/subsystem/ram5/subsystem/loop2/subsystem/loop5/slaves", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
open("/sys/block/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop0/subsystem/loop7/subsystem/ram3/subsystem/ram5/subsystem/loop2/subsystem/loop5/slaves", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY <unfinished ...>
Answer 1
As mentioned above, the application itself could well be the problem. That's a development topic.
The symptoms you describe could also come from script kiddies and other hackers probing your app. On one system I administer, hackers probe it around the clock, and that has a noticeable impact on performance.
Answer 2
It could be that your script does a recursive directory scan (and goes into places it shouldn't), or that your script has some vulnerability that someone else has discovered. You can check which it is by running "lsof -p $pid" on a few of those scripts and seeing whether the connection comes from a reasonable IP or from a suspicious foreign one.
Whatever the cause, you should fix your script (either so that it doesn't enter directories it doesn't need, or by fixing the vulnerability that lets an attacker force it to do so).
As a stopgap, you can set open_basedir in your php.ini to limit the impact of the above, e.g.:
open_basedir = /home/:/var/www/:/tmp/:/usr/lib/php5/:/usr/share/php
PHP will then be unable to open files outside those directories (make sure to add every directory where your PHP modules are stored). And since you won't put "/sys" in that list, this avoids this particular manifestation of the problem (though of course it doesn't address the root of the problem in the script itself, which still needs programming work).
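The following is an added example, not code from either answer or from the asker's application. It shows in Python (the technique is the same in PHP) the two behaviours Answer 2 contrasts: a recursive walk that follows every symlinked directory, and so loops forever on a sysfs-style "subsystem" link that points back at an ancestor, next to a walk that resolves each directory with realpath, refuses to follow a link out of its base directory (what open_basedir enforces at the interpreter level) and never visits the same real directory twice. The sample tree is constructed in a temporary directory so the example runs offline; its names (block/loop0/subsystem, escape, secret) are assumptions chosen to mimic the strace output above, not real sysfs.

```python
import os
import shutil
import tempfile


class WalkLoop(RuntimeError):
    """Raised by walk_naive when recursion passes the depth cap."""


def walk_naive(root, max_depth=64, _depth=0):
    """Count files under root, descending into every directory, symlinked
    ones included.  A symlink back to an ancestor (like the 'subsystem' link
    in the strace above) makes this recurse until the cap trips; without the
    cap it spins forever, which is what the php processes at 99% CPU did."""
    if _depth > max_depth:
        raise WalkLoop("recursion deeper than %d at %s" % (max_depth, root))
    count = 0
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if os.path.isdir(path):            # isdir() follows symlinks
            count += walk_naive(path, max_depth, _depth + 1)
        else:
            count += 1
    return count


def walk_confined(root):
    """Count files under root without following a link out of root or into
    a real directory already visited.  This is the in-script equivalent of
    the open_basedir restriction from the answer."""
    base = os.path.realpath(root)
    seen = set()
    stack = [base]
    count = 0
    while stack:
        real = stack.pop()
        if real in seen:                   # symlink loop: already walked
            continue
        seen.add(real)
        for entry in sorted(os.listdir(real)):
            path = os.path.join(real, entry)
            if os.path.isdir(path):
                target = os.path.realpath(path)
                # Confinement check: target must be base itself or below it.
                if target != base and not target.startswith(base + os.sep):
                    continue               # link points outside base: skip
                stack.append(target)
            else:
                count += 1
    return count


def build_loop_tree():
    """Constructed sample data (not real sysfs): a tiny tree containing the
    two hazards from the answer, a symlink loop and a link leading outside.
    Returns (root, outside) so the caller can delete both."""
    root = tempfile.mkdtemp(prefix="fake-sys-")
    outside = tempfile.mkdtemp(prefix="outside-")
    loop0 = os.path.join(root, "block", "loop0")
    os.makedirs(loop0)
    for name in ("dev", "range", "size"):
        with open(os.path.join(loop0, name), "w") as fh:
            fh.write("0\n")
    # block/loop0/subsystem -> block : the loop visible in the strace output
    os.symlink(os.path.join(root, "block"), os.path.join(loop0, "subsystem"))
    # escape -> a directory outside root : a 'place it shouldn't go'
    with open(os.path.join(outside, "secret"), "w") as fh:
        fh.write("x\n")
    os.symlink(outside, os.path.join(root, "escape"))
    return root, outside


def demo():
    """Returns (did the naive walker loop?, files counted by the confined walker).
    Expected: the naive walk trips the depth cap; the confined walk counts the
    three files under block/loop0 and never touches 'secret'."""
    root, outside = build_loop_tree()
    try:
        try:
            walk_naive(root)
            looped = False
        except WalkLoop:
            looped = True
        confined = walk_confined(root)
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)
    return looped, confined


if __name__ == "__main__":
    print(demo())
```

The confined walker keys its visited set on the resolved path rather than the path as listed, which is what defeats the subsystem/loop0/subsystem/... chain: every hop resolves to the same real directory, so it is walked once. The prefix check uses base plus the separator so that a sibling directory whose name merely starts with the base name is not mistaken for something inside it.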