Geeklog Forums

My box:

Windows 2003 Server
PHP 5
IIS 6
Geeklog 1.4.1 + several plugins

Ever since I have upgraded from PHP 4.XX to PHP 5.XX I've had a problem where about once a week (sometimes every other week) my server will get bogged down and I have to reboot it. Looking at the task manager I notice there are about 50 cmd.exe instances running. The only plugin I have installed now that I belive executes shell commands is GUS but it is working fine and I am not sure why after a while I start to get multiple instances of cmd.exe

Has anyone else heard of a problem like this and know how to fix it? I've googled about it and have found little.

Plus does anyone know how to find out what called the cmd.exe and command was sent to it? The only thing Task Manager tells me is that the username NETWORK SERVICE called it.

Thanks

---

One of the Geeklog Core Developers.

Next time it happens, before you reboot, try stopping the IIS service. This will tell you if the CMD instances are being launched by IIS. Once you are sure it is the webserver doing it, you will have to find out if there are timeout values that need to be set differently than they currently are.

They are being launched by IIS. If I stop and restart the web service the cmds go away. I currently have PHP 5.2.0 installed. I'm going to try installing 5.2.2 to see if this stops the problem.

---

One of the Geeklog Core Developers.

There are two jobs in Geeklog that we hand over to external programs: Database backups (via mysqldump) and scaling of images (if you're using ImageMagick or NetPBM - not for gdlib).

Would those fit the pattern?

Those shouldn't leave any shell / cmd.exe instance hanging around, though, so that must be a problem elsewhere.

bye, Dirk

No I use phpmyadmin for my backups and I use gdlib2 for graphics.

I just upgraded to PHP 5.2.2, I hope that solves my problem.

---

One of the Geeklog Core Developers.

Just a quick update, Upgrading PHP didn't solve my problem. Not to sure what to do from here. I've been thinking of replacing the server in a month or so, maybe a fresh install of everything on a new box will fix it?

---

One of the Geeklog Core Developers.

You can try using a program called Process Explorer, and may also be downloaded from my site . Here is a direct link to the download. Process Explorer

Thanks, I just had the problem again and tried the process explorer

The w3wp.exe is calling all the cmd.exe. I have 40 instances siting there at the moment taking up memory but not processing time. (as figured out before by stoping and starting the web service which removed all cmd.exe)

Checking out the properties of cmd.exe in the process explorer didn't show anything of value.

When I checked out w3wp.exe properties I noticed the threads had a whole pile with a starting address of w3tp.dll+0x1d80

Some Stacks for these threads look like normal stuff and would come and go but a fair number had the last stack listed like this

php5ts.dll!php_stream_fopen_from_pipe+0xfa

So it appears to me (with my limited knowlege in these type of things) the php function stream_fopen is causing me some issues somewhere. I'm not sure where it is calling from since the cmd.exe just had blank values but at least it is a start.

Anyone got any other ideas?

---

One of the Geeklog Core Developers.

You can try using URLSCan and IIS Lockdown Wizard from Microsoft.

That is the main page for their tool for that. You may have to look for the one that works with 2003 if thats the server line you are using. I run that on all my servers and haven't had an issue yet with unauthorized programs trying to access the system to run. You may also want to do a scan of your system for rootkits if you cannot find the culprit. Michael Found this on the Microsoft site that you might want to see pertaining to your situation.

My php issue sounds close to this:

http://bugs.php.net/bug.php?id=36012&edit=1

I'm pretty sure it's not something like a rootkit or a virus.

---

One of the Geeklog Core Developers.