  1. #1
    Member
    Join Date
    Sep 2005
    Posts
    22

    Is This A DDos Attack?

    Hi,

    Nowadays my server frequently has a high load, but I can't find what causes this. I am using an AMD Dual Core Dual Opteron 275 CPU with 2 GB of RAM.

    I am using CSF, and here is the mail sent from CSF at the moment of high load. cPanel said in the ticket that this is a DDoS attack. Is it right?

    http://www.bilhost.com/load.txt

  2. #2
    Registered User
    Join Date
    Feb 2007
    Posts
    53

    I'm no expert, but it looks like it could be. cPanel are experts though, and are most likely right.

    During the high load, do you have problems connecting to the server and/or slow download speeds?

    Ben

  3. #3
    Member
    Join Date
    Sep 2005
    Posts
    22

    When the load is high we can't access the sites, but I can access the server via SSH. When I stop Apache it goes low. But when I open it again it goes high. But it is so strange because CSF doesn't ban anyone at the high load time. Also, I don't do anything other than restarting Apache several times. Then it returns to normal by itself..

  4. #4
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894

    That doesn't appear to be an email from CSF to me.

  5. #5
    Member java_dude's Avatar
    Join Date
    Apr 2004
    Location
    The Good Ol' U.S. of A.
    Posts
    28

    Run this command and see if there is anyone connected with an excessive amount of connections:

    Code:
    netstat -tn --inet 2> /dev/null| grep ":80" | awk '/tcp[\ ]*[0-9]+[\ ]*[0-9]+[\ ]+[^\ ]+[\ ]*[^\ ]*/ { print $5; }' | cut -d":" -f1 | sort | uniq -c | sort -n

    Do you have any PHP/MySQL scripts on your server? If so, do you have any cache software like APC? I had a similar issue with my forum a couple of years ago and installing eaccelerator helped tremendously.
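
An added example, not part of the post above: the same per-IP connection count, but matching the local port exactly so that `:8080` and outbound connections to a remote port 80 are not counted, and folding IPv4-mapped IPv6 addresses into their IPv4 form. The function name, the threshold and the sample `netstat -tn` output (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# conns_per_ip PORT MIN: read `netstat -tn` output on stdin and print
# "COUNT IP" for every remote address holding at least MIN connections
# to local port PORT, busiest first.
conns_per_ip() {
    awk -v port="$1" -v min="$2" '
        $1 ~ /^tcp/ {
            n = split($4, l, ":")       # local address: last piece is the port
            if (l[n] != port) next      # exact match, so :8080 is not counted as :80
            ip = $5
            sub(/:[0-9]+$/, "", ip)     # drop the remote port
            sub(/^::ffff:/, "", ip)     # IPv4-mapped IPv6 -> plain IPv4
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in `netstat -tn` format.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.5:40000       ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:40002       ESTABLISHED
tcp        0      0 192.0.2.10:51234        203.0.113.20:80         ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:40003 ESTABLISHED
EOF
}

sample_netstat | conns_per_ip 80 2
# Live use on the server: netstat -tn 2>/dev/null | conns_per_ip 80 20
```

A handful of connections per address is normal browser behaviour; an address far above the rest is the one to look up in the Apache logs.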

  6. #6
    Member
    Join Date
    Sep 2005
    Posts
    22

    There are so many PHP/MySQL sites on this server since we are a hosting company.

    I have tried to install cache scripts like eaccelerator but couldn't make it work with phpsuexec. It caused an internal server error on all sites.

  7. #7
    Member
    Join Date
    Sep 2005
    Posts
    22

    Quote: Originally Posted by Infopro
    That doesn't appear to be an email from CSF to me.

    The subjects of these e-mails are like this.

    lfd: High 5 minute load average alert - 7.35

  8. #8
    Member koolcards's Avatar
    Join Date
    Oct 2003
    Location
    Tampa, Fl
    Posts
    146

    Your process list is ranked by PID rather than CPU load but the highest usage appears to be mysql:

    mysql 3148 7.4 14.1 427004 293608 ? S<l Sep09 170:28 \_ /usr/sbin/mysqld --basedir=/
    --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/lt.bilhost.com.pid --skip-external-locking


    There doesn't seem to be any pattern in the users under apache processes, although the logs would give you a better idea, so it wouldn't appear that any one site is getting slammed. Someone could hit a user's mysql 'search' fast enough on a large database to create this kind of problem, but you have to eyeball the apache processes or apache logs to find it.

    Try increasing the amount of memory mysql is allowed to use for searches and sorts in /etc/my.cnf. Maybe increase the number of connections also.

  9. #9
    Member
    Join Date
    Sep 2005
    Posts
    22

    Last night I recompiled Apache without phpsuexec and then installed eaccelerator. It went well till now. But now the load is so high again.

    I also find that it always happens at the same time each day. So I think it is a cron issue. How can I see users' cron jobs?

  10. #10
    Member koolcards's Avatar
    Join Date
    Oct 2003
    Location
    Tampa, Fl
    Posts
    146

    Quote: Originally Posted by Baris
    Last night I recompiled Apache without phpsuexec and then installed eaccelerator. It went well till now. But now the load is so high again.

    I also find that it always happens at the same time each day. So I think it is a cron issue. How can I see users' cron jobs?

    All crontabs are under "/var/spool/cron" and I'd look at 'root', if I were you. If you have backups enabled (and I assume you do), see when they run.
    The next thing to check would be when the stats run for each site and what kind of stats you have enabled. Some take up more system resources than others.
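
An added example, not part of the post above: a way to search every user's crontab in a spool directory such as /var/spool/cron for entries that fire during a given hour, including entries where the hour is hidden in a list, range, step or `*`. The function names, sample users, paths and jobs are constructed for illustration.

```shell
#!/bin/sh
# cron_jobs_at_hour DIR HOUR: print "user: entry" for every crontab line in
# DIR (one file per user, as in /var/spool/cron) that fires during HOUR (0-23).
cron_jobs_at_hour() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v h="$2" -v user="${f##*/}" '
            function hour_matches(spec,    n, parts, i, p, r, step, lo, hi) {
                n = split(spec, parts, ",")                  # lists: 1,13
                for (i = 1; i <= n; i++) {
                    p = parts[i]; step = 1
                    if (split(p, r, "/") == 2) { p = r[1]; step = r[2] + 0 }   # steps: */2
                    if (step < 1) step = 1
                    if (p == "*") { lo = 0; hi = 23 }
                    else if (split(p, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }  # ranges
                    else { lo = hi = p + 0 }
                    if (h + 0 >= lo && h + 0 <= hi && (h - lo) % step == 0) return 1
                }
                return 0
            }
            /^[ \t]*(#|$)/ { next }                          # comments and blank lines
            /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # MAILTO=, PATH=, ...
            $1 == "@hourly" { print user ": " $0; next }
            $1 ~ /^@/ { if (h + 0 == 0 && $1 != "@reboot") print user ": " $0; next }
            hour_matches($2) { print user ": " $0 }
        ' "$f"
    done
}

# Constructed sample spool directory with two users' crontabs.
make_sample_spool() {
    d=$(mktemp -d)
    printf '%s\n' 'MAILTO=root' '# nightly backup' '0 3 * * * /usr/local/bin/backup.sh' \
        '*/5 * * * * /usr/local/bin/check_load.sh' > "$d/root"
    printf '%s\n' '30 13 * * * php /home/exampleuser/public_html/rebuild.php' \
        '15 1,12 * * * php /home/exampleuser/cron/mail.php' \
        '0 8-18/5 * * 1-5 php /home/exampleuser/cron/report.php' > "$d/exampleuser"
    echo "$d"
}

spool=$(make_sample_spool)
cron_jobs_at_hour "$spool" 13
rm -rf "$spool"
```

On the server the call would be `cron_jobs_at_hour /var/spool/cron 13`, run as root. System crontabs in /etc/crontab and /etc/cron.d have an extra user column, but the hour is still the second field.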

  11. #11
    Member
    Join Date
    Sep 2005
    Posts
    22

    I am about to lose my mind.. I can't find any cron running at around 1 pm. But it always happens at that time.

    Backup runs at 3 AM and logs run between 00-02 AM

    What may cause this problem??

  12. #12
    Member koolcards's Avatar
    Join Date
    Oct 2003
    Location
    Tampa, Fl
    Posts
    146

    Quote: Originally Posted by Baris
    I am about to lose my mind.. I can't find any cron running at around 1 pm. But it always happens at that time.

    Backup runs at 3 AM and logs run between 00-02 AM

    What may cause this problem??

    Lots of things, depending on your sites, hardware, traffic, scripts, any number of things.

    Open an SSH session around that time and leave 'top' running. Watch for the CPU load to go up or a surge in the number of certain types of processes, swap increasing, etc. Could be a user updating his forum database and rebuilding his pages every day at that time.

  13. #13
    Member
    Join Date
    Sep 2005
    Posts
    22

    I want to commit suicide.. I am really tired of this stupid problem..

  14. #14
    Member
    Join Date
    Sep 2007
    Posts
    20

    Quote: Originally Posted by Baris
    I want to commit suicide.. I am really tired of this stupid problem..

    Time to get out of the hosting business, I think ......

  15. #15
    Member
    Join Date
    Dec 2006
    Posts
    10

    If I were you I would check out the user: inanilma account.

    There seem to be a few PHP processes from that user adding to the server load, and they could be the source of the problem.
