PHP-FPM Access Logs
Hello,
I am finding that a particular account is running something which is causing LFD to frequently report a problem.
In trying to investigate, I have found that PHP-FPM doesn't appear to log access, IPs or URL requests for the pool, so I have no idea which script is causing the problem.
Does anyone have any idea on how to enable these logs in WHM or cPanel for this?
(Note: I don't mean the error logs, this is not "error" behavior)
I know which IP is accessing and I know which pool, but I don't know which file or PHP script it is going after.
Here is a example of the report I get:
Time: Mon Jun 4 04:28:53 2018 -0400
PID: 8787 (Parent PID:11698)
Account: someaccounti
Uptime: 164 seconds
Executable:
/opt/cpanel/ea-php70/root/usr/sbin/php-fpm
Command Line (often faked in exploits):
php-fpm: pool somepool
Network connections by the process (if any):
tcp: "Our IP" -> "Remote IP":443
Files open by the process (if any):
"(This is blank)"
Thank you
-
In trying to investigate, I have found that PHP-FPM doesn't appear to log access, IPs or URL requests for the pool, so I have no idea which script is causing the problem.
Hello @ShawnSites, Aside from the PHP-FPM logs for the domain name in the /home/$username/logs/ directory, have you checked the domain access logs for the domain name in the /usr/local/apache/domlogs/ directory? Thank you.0 -
Hello, Thanks for the response. I have checked those logs and they don't contain the "Remote IP" for me to find what script or page is being accessed. (I have also checked the FPM logs here "/var/cpanel/php-fpm/USER/logs/", but they are empty.) This is what is puzzles me, as I can access the domain myself from a browser and find those entries in the domlogs, but not any of the IPs that cause the LFD report. 0 -
Hello, Since it's an outgoing connection from the cPanel server, then it's possible you won't see a corresponding entry in the PHP-FPM or Apache logs. Did you check to see if the remote IP address is utilized by an application such as WordPress. Since it's over port 443, it could be a script is configured to automatically update and is fetching files from the script's update servers. Thank you. 0
Please sign in to leave a comment.
Comments
3 comments