Support » Plugin: Wordfence Security - Firewall & Malware Scan » Big phpXXXXXX files in /home/USER/.cagefs/tmp

  • Hi all.

    I have some users with huge tmp files (between 500MB and 2GB) in /home/$USER/.cagefs/tmp/phpXXXXXX. I noticed that if I configure high values for “max_execution_time” and “lsapi_backend_max_process_time” this tmp files appears to grow infinitely.

    Example of temp files (with “lsapi_backend_max_process_time = 300”):

    [root@server ~]# ls -larth /home/$USER/.cagefs/tmp/php*
    -rw——- 1 $USER $USER 700M ago 24 10:47 /home/$USER/.cagefs/tmp/php3bLX6P
    -rw——- 1 $USER $USER 752M ago 24 10:48 /home/$USER/.cagefs/tmp/phpyQVlXK
    -rw——- 1 $USER $USER 1,2G ago 29 05:00 /home/$USER/.cagefs/tmp/phpTVL8ud
    -rw——- 1 $USER $USER 1,2G ago 29 19:04 /home/$USER/.cagefs/tmp/phpEWRNjt
    -rw——- 1 $USER $USER 1,2G ago 29 21:16 /home/$USER/.cagefs/tmp/php5IRtuJ
    -rw——- 1 $USER $USER 1,1G ago 30 05:47 /home/$USER/.cagefs/tmp/phppCg2ag
    -rw——- 1 $USER $USER 1,2G ago 30 15:31 /home/$USER/.cagefs/tmp/phpFvflBt
    -rw——- 1 $USER $USER 1,2G ago 30 18:55 /home/$USER/.cagefs/tmp/phpl438Jl
    -rw——- 1 $USER $USER 1,2G sep 1 04:40 /home/$USER/.cagefs/tmp/phpnvjn9N
    -rw——- 1 $USER $USER 1,2G sep 1 05:06 /home/$USER/.cagefs/tmp/php5afzuV
    -rw——- 1 $USER $USER 1,2G sep 1 11:52 /home/$USER/.cagefs/tmp/phpO427u7
    -rw——- 1 $USER $USER 1,2G sep 1 14:39 /home/$USER/.cagefs/tmp/phpbRucIl
    -rw——- 1 $USER $USER 1,2G sep 3 05:57 /home/$USER/.cagefs/tmp/phpie8a2k
    -rw——- 1 $USER $USER 656M sep 3 16:23 /home/$USER/.cagefs/tmp/phpHNSknY
    -rw——- 1 $USER $USER 818M sep 3 16:24 /home/$USER/.cagefs/tmp/php5H7kSj
    -rw——- 1 $USER $USER 1,2G sep 3 17:41 /home/$USER/.cagefs/tmp/phpJiCASm

    I verified that if I disable wordfence this tmp files are not created.

    System info:

    Wordfence 6.3.18
    Wordpress 4.8.1
    CPanel 11.66.0.17
    CloudLinux release 7.4 (Georgy Grechko)

    I see this problem in several users in different servers (All with the same config as above).

    Any ideas?

    Regards.

Viewing 15 replies - 1 through 15 (of 57 total)
  • I face the same issue as above, I’m really curious what causes this, strace didn’t help much sadly :/

    
    [pid  1247] lstat("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/wordfence.php", {st_mode=S_IFREG|0644, st_size=2177, ...}) = 0
    [pid  1247] lstat("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/wordfence.php", R_OK) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/init.php", R_OK) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php", R_OK) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/utils.php", R_OK) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage.php", R_OK) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php", R_OK) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/config.php", R_OK) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/rules.php", R_OK) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/parser/lexer.php", R_OK) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/parser/parser.php", R_OK <unfinished ...>
    [pid  1247] <... access resumed> )      = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/parser/sqli.php", R_OK) = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/request.php", R_OK <unfinished ...>
    [pid  1247] <... access resumed> )      = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/http.php", R_OK <unfinished ...>
    [pid  1247] <... access resumed> )      = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/view.php", R_OK <unfinished ...>
    [pid  1247] <... access resumed> )      = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/waf/bootstrap.php", R_OK <unfinished ...>
    [pid  1247] <... access resumed> )      = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/waf/wfWAFUserIPRange.php", R_OK <unfinished ...>
    [pid  1247] <... access resumed> )      = 0
    [pid  1247] access("/home/customer/public_html/customerk.com/wp-content/plugins/wordfence/waf/wfWAFIPBlocksController.php", R_OK <unfinished ...>
    [pid  1247] <... access resumed> )      = 0
    [pid  1247] stat("/home/customer/public_html/customerk.com/wp-content/wflogs/",  <unfinished ...>
    [pid  1247] <... stat resumed> {st_mode=S_IFDIR|0755, st_size=135168, ...}) = 0
    [pid  1247] lseek(4, 0, SEEK_SET <unfinished ...>
    [pid  1247] <... lseek resumed> )       = 0
    [pid  1247] lseek(4, 0, SEEK_END <unfinished ...>
    [pid  1247] <... lseek resumed> )       = 0
    [pid  1247] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 8192 <unfinished ...>
    [pid  1247] <... write resumed> )       = 8192
    [pid  1247] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 8192 <unfinished ...>
    [pid  1247] <... write resumed> )       = 8192
    [pid  1247] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 8192 <unfinished ...>
    [pid  1247] <... write resumed> )       = 8192
    [pid  1247] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 8192 <unfinished ...>
    [pid  1247] <... write resumed> )       = 8192
    [pid  1247] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 8192 <unfinished ...>
    [pid  1247] <... write resumed> )       = 8192
    [pid  1247] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 8192 <unfinished ...>
    [pid  1247] <... write resumed> )       = 8192
    

    @lucasrolff are you using Cloudlinux too?

    @rodriguezzz – yep, but had the issue for a lot longer than just since 7.4 – but some sites seem to cause more issues than others.

    My strace is similar to yours. Are you using php7?

    I do, however I’ve tried downgrading one website to PHP 5.6 – and will see if the same issue happens there.

    Just had my host to remove a 5 gb file from my /.cagefs/tmp/ – half my disk quota… Following…

    @rodriguezzz – it seems to be specific to PHP 7.0 (maybe 7.1 included), I can’t replicate the issue on PHP 5.6

    I’ll leave this specific site overnight since it always causes issues during the night.

    I’d like to see some WordFence folks on this thread – let’s see.

    @lucasrolff I have some users using php 5.5 and 5.6 with the issue. But he ones with the biggest tmp files are using php 7.0 and 7.1.

    Hey guys, we have been discussing this internally since yesterday when one of our support agents alerted us to this thread. This is not happening in our test environments, so we aren’t sure yet why it might be happening.

    Can those of you who are seeing this please send a Wordfence diagnostics report to asa@wordfence.com. Instead of giving a ticket number when you send the diagnostics, please use the word “CageFS” so I know where the diagnostics are coming from. The function to send diagnostics is at the top of the Tools > Diagnostics page.

    One thing you can test is to turn off the opcache settings in php.ini temporarily and see if that helps. Us and several other plugins have seen some issues with opcache + PHP7. We are not certain that it’s related at this point, but it would be a good thing to test.

    If someone would like to send me one of the large files, that would help too. If so, please email asa@wordfence.com and tell me you want to send the file, and I will provide you with an upload location.

    Finally, if everyone who is seeing this would mention which host they are using in this thread, that would help as well.

    I’ll try to get all the required info to you today.

    Regarding hosting provider it’s really not about hosting providers, since it happens in a lot of cPanel environments.

    In our case we use CloudLinux 6 and Cloudlinux 7 (both latest release), both versions of the OS have same behaviour, PHP is configured using EasyApache 4, with PHP 5.6, 7.0 and 7.1 being available.

    PHP 7.0 packages installed:
    build
    libc-client
    pear
    bcmath
    php-bz2
    php-cli
    php-common
    php-curl
    php-dba
    php-devel
    php-enchant
    php-exif
    php-fileinfo
    php-fpm
    php-ftp
    php-gd
    php-gettext
    php-iconv
    php-imap
    php-intl
    php-ldap
    php-litespeed
    php-mbstring
    php-mcrypt
    php-mysqlnd
    php-odbc
    php-opcache
    php-pdo
    php-pgsql
    php-posix
    php-process
    php-pspell
    php-soap
    php-sockets
    php-tidy
    php-xml
    php-xmlrpc
    php-zip
    php-runtime

    I’ll send required info when I see the issue appearing on this site again, and then as well trying without opcache to see if the issue still persists.

    @wfasa you should receive an email shortly (if not already) both from the diagnostics within WP, but also a file download link with some of the big files generated.

    One thing you can test is to turn off the opcache settings in php.ini temporarily and see if that helps.

    One of our users with this issue is using php 7.0 with opcache disabled.

    We’ve confirmed the behaviour that @rodriguezzz sees.
    Even with opcache disabled (completely uninstalling the module), the issue still persists.

    I also see this issue. Filesize differs, but up to 35GB is not uncommon.
    we use the alt-php* packages provided by CloudLinux.

    I have notified CloudLinux of this issue and suggested they chime in here.
    Also, we don’t have cPanel, so you can exclude that from the possible causes.
    Aside from that we use CloudLinux Server release 6.9, not 7.4.
    I guess the issue is more in the PHP version used (and in Wordfence) than in the CloudLinux OS.

    • This reply was modified 2 years, 2 months ago by  shoentjen.
Viewing 15 replies - 1 through 15 (of 57 total)
  • The topic ‘Big phpXXXXXX files in /home/USER/.cagefs/tmp’ is closed to new replies.