Extremely high server load - BDflush running very high- possible hack

**Blink2** · 07-20-2005 02:44 PM

Hi guys, I have quite a problem and after seacrching for a long time I have not found anything to help. I had an E-mail from my host a few days ago, saying my server carried out an attack on another IP and that my server may have been compromised, I changed passwords on all accounts etc, but I have little experience and was not able to install the APF Firewall.

Now my Server load is always above 4-5 and goes to 10 sometimes. My sites all work fast as usual which is really odd, but in my Current CPU usage it shows a bdflush command sucking up all my CPU, never seen this before and killing it does nothing. Can anyone offer any help and is this a possible hack?

Pid Owner Priority Cpu % Mem % Command
6093 nobody 0 29.4 0.5 [bdflush]
6091 nobody 0 28.6 0.5 [bdflush]
6103 nobody 0 28.6 0.5 [bdflush]

User Domain %CPU %MEM Mysql Processes
nobody 96.62 3.82 0.0
Top Process %CPU 82.2 /usr/local/apache/bin/httpd -DSSL
Top Process %CPU 77.7 [bdflush]
Top Process %CPU 76.9 [bdflush]

I could really do with some help here, a bit worried about the server.

Thanks

**bchughes** · 07-20-2005 04:47 PM

I'm seeing the same thing but can't figure out what's happening. Ideas? Anyone else seeing tihs?

FYI:
I'm running RH Enterprice 3. WHM 10.1.0 cPanel 10.2.0-R82

Thanks,

**IdleServ** · 07-20-2005 05:02 PM

I am also having this problem.

It's very hard to locate where it's coming from...

I've tried everything... I may even have to look at all 100 domain's logs on the server.

Keep us posted.

**Blink2** · 07-20-2005 05:53 PM

Not since you changed to Pure FTP is it? Has happened since then to me.

**bchughes** · 07-20-2005 06:19 PM

I switched to PureFTP quite awhile ago. Interesting thing is at around 5 today, the load went away. Everything seems fine.

**IdleServ** · 07-21-2005 03:47 AM

I have always used Pure-FTPd.

As it is a Perl script being executed by nobody, surely it must be via http. I've been trying to search through logs to find exploited phpBB's but it's proving difficult.

Also for me, it has stopped... I was hoping for it to come back soon so I could catch it out with this method - http://forum.ev1servers.net/showthread.php?t=52811

**Blink2** · 07-25-2005 02:01 AM

According to my host eximstats caused it, have disabled it and server has worked fine.

**fcarsenal** · 07-25-2005 05:14 AM

We used Access Control Lists to disable execution of alike programs by user nobody. I am not sure if this is an exploit or a bug.

**bchughes** · 07-30-2005 06:45 PM

It's back again. Anyone else seeing this?

**IdleServ** · 07-30-2005 06:46 PM

Same here... I thought I had got rid of it by correcting a security hole in phpBB 2.0.15

LinkBack

Thread Tools