How to trace short lived suspecious-processes

Operating System & Version
centos 7
cPanel & WHM Version
88

oah

Well-Known Member
Jan 23, 2018
49
8
8
Iraq
cPanel Access Level
Website Owner
Hi
My load-average started to go above its usual baseline today, so I kept on checking the process manager. From what I have seen, the server is getting each 1 second a process triggered by the user "nobody" and it is always calling the php-cgi as marked in red.

Note: all my-websites use their username to call the php process that is why I am suspicious of something fishy going on here.

The process is too short to issue an strace (by the time I type the PID, it is finished) so how can strace it in advance i.e., to set some sort of filter which will capture any the call to /opt/cpanel/ea-php71/root/usr/bin/php-cgi when it is called by the user nobody.

My thought process is to find what script it is executing or trying to execute so I can get an idea of what is going on.
Any ideas on this issue? alternative approaches are so welcome :)

1596364230397.png

Update:
I managed to partially trace (somewhere in the middle while it was running) and got the following:
What is going on here?


strace: Process 25475 attached
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
restart_syscall(<... resuming interrupted poll ...>) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)
futex(0x5566f013ca00, FUTEX_WAKE_PRIVATE, 1) = -1 ENOSYS (Function not implemented)
poll([{fd=24, events=POLLIN}, {fd=26, events=POLLIN}], 2, -1) = -1 ENOSYS (Function not implemented)
fcntl(26, F_GETFL) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR|O_NONBLOCK) = -1 ENOSYS (Function not implemented)
accept4(26, 0x7ffdc077c610, [2], SOCK_CLOEXEC) = -1 ENOSYS (Function not implemented)
fcntl(26, F_SETFL, O_RDWR) = -1 ENOSYS (Function not implemented)
fcntl(348, F_SETFD, FD_CLOEXEC) = -1 ENOSYS (Function not implemented)
futex(0x5566f013f224, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x5566f013f220, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 ENOSYS (Function not implemented)

 

Attachments

Last edited:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
The nobody user is apache's default user, I'd suggest opening a ticket for this as it's actually pretty difficult to diagnose this without access to the server and that strace output you obtained is actually not very helpful.
 

oah

Well-Known Member
Jan 23, 2018
49
8
8
Iraq
cPanel Access Level
Website Owner
The nobody user is apache's default user, I'd suggest opening a ticket for this as it's actually pretty difficult to diagnose this without access to the server and that strace output you obtained is actually not very helpful.
I solved it for the time being by removing the setting the permission to 750 on php-cgi binary and everything went to normal again. Let me see how can we arrange access for you guys.

just one quick question though, I thought you need to strace the process while it is running so how do you plan on stracing if it is bursty?

Thx again.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
That makes it more difficult to strace but it is also possible to see the configuration on the server and understand what is causing the behavior in some cases.
 
  • Like
Reactions: oah

oah

Well-Known Member
Jan 23, 2018
49
8
8
Iraq
cPanel Access Level
Website Owner
That makes it more difficult to strace but it is also possible to see the configuration on the server and understand what is causing the behavior in some cases.
I get your point. Thank you guys for the support.
For the time being feel free to mark the thread as solved :)
It will be really great if you can think of some method to catch such bursty processes (if you find any feel free to post it here as a reply).
I mean there gotta be a way to set up a filter/log and tell it whenever the user "nobody" calls the php-cgi binary just log it (long the whole command along with as much information as possible).

Thx