系统负载超高，但是网站是新站，几乎没有流量

turandot

这台VPS上一共三个站，都是几乎无流量的小站，最近放了个新站，发现经常性的502，奇怪的是其他两个站访问正常。重启下lnmp又正常了，过一段时间打开又开始变慢，如此反复。。。
80端口有些莫名其妙的连接：

[root@huxiaom ~]# lsof -i:80
COMMAND  PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
nginx   1116 root    8u  IPv4 3462422191      0t0  TCP *:http (LISTEN)
nginx   1117  www    8u  IPv4 3462422191      0t0  TCP *:http (LISTEN)
nginx   1118  www    8u  IPv4 3462422191      0t0  TCP *:http (LISTEN)
nginx   1118  www   14u  IPv4 3462618469      0t0  TCP 107.191.XXX.XX:http->149.165.86.110.broad.pt.fj.dynamic.163data.com.cn:feitianrockey (ESTABLISHED)
nginx   1118  www   15u  IPv4 3462619601      0t0  TCP 107.191.XXX.XX:http->112.111.191.136:16257 (ESTABLISHED)
nginx   1118  www   20u  IPv4 3462647780      0t0  TCP 107.191.XXX.XX:http->223.243.109.13:52469 (ESTABLISHED)
nginx   1118  www   29u  IPv4 3462645316      0t0  TCP 107.191.XXX.XX:http->173.208.173.42:55913 (ESTABLISHED)
nginx   1118  www   31u  IPv4 3462643540      0t0  TCP 107.191.XXX.XX:http->crawl-66-249-79-119.googlebot.com:58502 (ESTABLISHED)
nginx   1119  www    8u  IPv4 3462422191      0t0  TCP *:http (LISTEN)
nginx   1119  www   11u  IPv4 3462703142      0t0  TCP 107.191.XXX.XX:http->boson041.ahrefs.com:58643 (ESTABLISHED)
nginx   1119  www   15u  IPv4 3462666615      0t0  TCP 107.191.XXX.XX:http->140.237.37.203:60350 (ESTABLISHED)
nginx   1119  www   16u  IPv4 3462691062      0t0  TCP 107.191.XXX.XX:http->136.169.161.220.broad.pt.fj.dynamic.163data.com.cn:55143 (ESTABLISHED)
nginx   1119  www   19u  IPv4 3462678875      0t0  TCP 107.191.XXX.XX:http->boson077.ahrefs.com:51986 (ESTABLISHED)
nginx   1119  www   21u  IPv4 3462679806      0t0  TCP 107.191.XXX.XX:http->boson067.ahrefs.com:55047 (ESTABLISHED)
nginx   1119  www   23u  IPv4 3462681204      0t0  TCP 107.191.XXX.XX:http->boson011.ahrefs.com:44385 (ESTABLISHED)
nginx   1119  www   25u  IPv4 3462683345      0t0  TCP 107.191.XXX.XX:http->boson043.ahrefs.com:48368 (ESTABLISHED)
nginx   1119  www   27u  IPv4 3462686250      0t0  TCP 107.191.XXX.XX:http->boson073.ahrefs.com:58269 (ESTABLISHED)
nginx   1119  www   29u  IPv4 3462687290      0t0  TCP 107.191.XXX.XX:http->boson025.ahrefs.com:59713 (ESTABLISHED)
nginx   1119  www   30u  IPv4 3462687757      0t0  TCP 107.191.XXX.XX:http->boson067.ahrefs.com:60361 (ESTABLISHED)
nginx   1119  www   32u  IPv4 3462687967      0t0  TCP 107.191.XXX.XX:http->boson097.ahrefs.com:55584 (ESTABLISHED)
nginx   1119  www   34u  IPv4 3462696032      0t0  TCP 107.191.XXX.XX:http->254.250.159.27.broad.pt.fj.dynamic.163data.com.cn:52048 (ESTABLISHED)
nginx   1119  www   37u  IPv4 3462691934      0t0  TCP 107.191.XXX.XX:http->boson073.ahrefs.com:33118 (ESTABLISHED)
nginx   1119  www   38u  IPv4 3462695076      0t0  TCP 107.191.XXX.XX:http->boson067.ahrefs.com:37240 (ESTABLISHED)
nginx   1119  www   40u  IPv4 3462707462      0t0  TCP 107.191.XXX.XX:http->boson071.ahrefs.com:38791 (ESTABLISHED)
nginx   1119  www   42u  IPv4 3462716436      0t0  TCP 107.191.XXX.XX:http->boson073.ahrefs.com:47820 (ESTABLISHED)
nginx   1120  www    8u  IPv4 3462422191      0t0  TCP *:http (LISTEN)
nginx   1120  www   30u  IPv4 3462610279      0t0  TCP 107.191.XXX.XX:http->254.250.159.27.broad.pt.fj.dynamic.163data.com.cn:65024 (ESTABLISHED)
nginx   1120  www   46u  IPv4 3462556511      0t0  TCP huxiaom:http->180.154.152.185:36875 (ESTABLISHED)
php-fpm 1572  www    5u  IPv4 3462714582      0t0  TCP huxiaom:51245->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 1642  www    5u  IPv4 3462707510      0t0  TCP huxiaom:51175->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 1643  www    5u  IPv4 3462707461      0t0  TCP huxiaom:51171->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 1659  www    5u  IPv4 3462713966      0t0  TCP huxiaom:51242->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 1736  www    5u  IPv4 3462714435      0t0  TCP huxiaom:51244->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 2405  www    5u  IPv4 3462713749      0t0  TCP huxiaom:51239->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 2414  www    5u  IPv4 3462713765      0t0  TCP huxiaom:51240->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 2420  www    5u  IPv4 3462719309      0t0  TCP huxiaom:51300->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 2425  www    5u  IPv4 3462712558      0t0  TCP huxiaom:51226->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 2429  www    5u  IPv4 3462718260      0t0  TCP huxiaom:51282->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 2461  www    5u  IPv4 3462718505      0t0  TCP huxiaom:51285->142.91.43.98.rdns.as15003.net:http (ESTABLISHED)
php-fpm 2467  www    6u  IPv4 3462718865      0t0  TCP huxiaom:58178->59.188.183.226:http (ESTABLISHED)


网站几乎没有流量，为什么实际内存占用这么高呢？
另外：之前是512M的内存，我后来升级到1G，居然还是内存爆满

top：这台cps之前当做PT盒子用过，现在不用了，transmission服务也已经kill掉了，还是没有解决



[ 本帖最后由 turandot 于 2014-12-23 23:50 编辑 ]

licess

php开慢日志看看，方法看502置顶帖

turandot

恩，慢日志发现了问题，是其中一个用织梦做的站被黑了
织梦的漏洞好难打啊，唉只是织梦的站被黑，一堆木马文件和生成的6合彩页面，这是他拿到了什么权限啊？清理是清理掉了，但是不知道怎么堵。。。

[ 本帖最后由 turandot 于 2014-12-24 14:12 编辑 ]

licess

织梦漏洞好像不少，具体怎么进去的不好说，开了日志的话可能会好找些
可按这个https://www.vpser.net/security/lnmp-remove-nginx-php-execute.html将不用执行php的目录的php执行权限去掉

veryid

我和你遇到一样的问题了，discuz和wp的程序被上传了大量的垃圾文件，并且文件夹能有很多层，删都删不完，无奈，全部重新安装了，但一直找不到原因。