Advice on server hanging

Discussion in 'General Discussion' started by everynameistake, Aug 4, 2011.

  1. everynameistake

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Thanks. I found when the id was created in the secure log, but didn't see anything unusual in bash history. Also, the server has hung a couple of times over the past couple of days, which required a re-boot. I see many failed login attempts (sample below). Could this be a DOS attack?


    Aug 4 07:46:21 server1 sshd[5096]: input_userauth_request: invalid user collins
    Aug 4 07:46:22 server1 sshd[5096]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:23 server1 sshd[5110]: Invalid user collins from 62.42.240.249
    Aug 4 07:46:23 server1 sshd[5111]: input_userauth_request: invalid user collins
    Aug 4 07:46:23 server1 sshd[5111]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:24 server1 sshd[5116]: Invalid user collins from 62.42.240.249
    Aug 4 07:46:24 server1 sshd[5117]: input_userauth_request: invalid user collins
    Aug 4 07:46:24 server1 sshd[5117]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:25 server1 sshd[5132]: Invalid user com from 62.42.240.249
    Aug 4 07:46:25 server1 sshd[5133]: input_userauth_request: invalid user com
    Aug 4 07:46:25 server1 sshd[5133]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:27 server1 sshd[5138]: Invalid user com from 62.42.240.249
    Aug 4 07:46:27 server1 sshd[5141]: input_userauth_request: invalid user com
    Aug 4 07:46:27 server1 sshd[5141]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:28 server1 sshd[5144]: Invalid user com from 62.42.240.249
    Aug 4 07:46:28 server1 sshd[5147]: input_userauth_request: invalid user com
    Aug 4 07:46:28 server1 sshd[5147]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:43 server1 sshd[5236]: Invalid user commando from 62.42.240.249
    Aug 4 07:46:43 server1 sshd[5252]: input_userauth_request: invalid user commando
    Aug 4 0
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: [hackcheck] http has a uid 0 account

    So a DoS attack on sshd? I've never heard of a DoS attack on sshd before, since it's usually more beneficial to DoS Apache instead. Those login attempts are all sshd ones.
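
To judge the log sample from the first post, this added example (not part of the thread) counts sshd `Invalid user` entries per source address and reports how many distinct names were tried and over what time span. The function names are illustrative, and timestamps are assumed to fall within a single day.

```shell
#!/bin/sh
# Added example. Summarise sshd "Invalid user" lines per source address.
# Reads the log files named as arguments, or stdin when none are given.
ssh_invalid_summary() {
    awk '
    index($5, "sshd[") == 1 && $6 == "Invalid" && $7 == "user" {
        # The user name is chosen by the client, so take the LAST "from":
        # a name containing " from " cannot shift the address field.
        pos = 0
        for (i = NF - 1; i >= 8; i--) if ($i == "from") { pos = i; break }
        if (!pos) next
        ip = $(pos + 1); user = ""; sep = ""
        for (i = 8; i < pos; i++) { user = user sep $i; sep = " " }
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]    # seconds since midnight
        if (!(ip in hits)) { first[ip] = $3; start[ip] = now }
        hits[ip]++; last[ip] = $3; stop[ip] = now
        if (!((ip, user) in seen)) { seen[ip, user] = 1; names[ip]++ }
    }
    END {
        for (ip in hits)
            printf "%s attempts=%d users=%d first=%s last=%s span=%ds\n",
                ip, hits[ip], names[ip], first[ip], last[ip],
                stop[ip] - start[ip]
    }' "$@" | sort -t= -k2,2nr
}

# Sample input: lines from the post above, plus one constructed line
# (192.0.2.10, a documentation address) in the newer "port N" format.
sample_log() {
    cat <<'EOF'
Aug 4 07:46:23 server1 sshd[5110]: Invalid user collins from 62.42.240.249
Aug 4 07:46:23 server1 sshd[5111]: input_userauth_request: invalid user collins
Aug 4 07:46:23 server1 sshd[5111]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:24 server1 sshd[5116]: Invalid user collins from 62.42.240.249
Aug 4 07:46:25 server1 sshd[5132]: Invalid user com from 62.42.240.249
Aug 4 07:46:27 server1 sshd[5138]: Invalid user com from 62.42.240.249
Aug 4 07:46:28 server1 sshd[5144]: Invalid user com from 62.42.240.249
Aug 4 07:46:43 server1 sshd[5236]: Invalid user commando from 62.42.240.249
Aug 4 07:47:01 server1 sshd[5300]: Invalid user test from 192.0.2.10 port 40222
EOF
}

sample_log | ssh_invalid_summary
```

Against the secure log mentioned in the first post it would be run as `ssh_invalid_summary /var/log/secure`; one address with many attempts spread over a list of names in a short span is a dictionary-style login sweep.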
     
  3. everynameistake

    Re: [hackcheck] http has a uid 0 account

    How do I determine what is causing the server to hang?
     
  4. cPanelTristan

    Re: [hackcheck] http has a uid 0 account

    Would you like me to move this to another thread that is on troubleshooting how to figure out administering a machine? The original thread is about security issues for a hackcheck script, so it would be easier to fork this into a new thread.
     
  5. everynameistake

    Re: [hackcheck] http has a uid 0 account

    Sure, let's move it to the appropriate location.
     
  6. cPanelTristan

    I would suggest installing this script to grab details each minute on the running processes and other details that would be helpful when it hangs again:

    Code:
    cd /root
    wget http://sys-snap.techfiles.us/
    chmod +x sys-snap.sh
    nohup /root/sys-snap.sh &

    At that point, you should then have files in the /root/system-snapshot/ folder for each minute logging the details. When the server hangs again, simply review the details to see what is happening. You might also check sar information on the machine to see the recent activity for CPU, user, nice, system, iowait, steal and idle usage on the system.
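
A minimal collector of the kind the post above describes, as an added example: it is not sys-snap.sh, whose contents this thread does not show. The function names, the `--loop` switch and the `/root/snap-demo` path are illustrative assumptions, and it assumes Linux with `/proc` and the procps `ps`.

```shell
#!/bin/sh
# Added example; not sys-snap.sh. Linux-only (/proc and procps ps assumed).
# take_snapshot DIR: write one timestamped snapshot, print its path.
take_snapshot() {
    dir=$1
    # Process arguments can contain credentials: keep the directory private.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    out="$dir/$(date +%Y%m%d-%H%M%S).log"
    {
        echo "== load average (1/5/15 min, running/total, last pid) =="
        cat /proc/loadavg 2>&1 || true
        echo "== memory and swap =="
        grep -E '^(MemTotal|MemFree|SwapTotal|SwapFree):' /proc/meminfo 2>&1 || true
        echo "== tasks in uninterruptible sleep (state D, usually blocked on I/O) =="
        ps -eo state,pid,user,wchan:20,args 2>&1 | awk 'NR == 1 || $1 ~ /^D/'
        echo "== top 10 by CPU =="
        ps -eo pcpu,pmem,pid,user,args --sort=-pcpu 2>&1 | head -n 11
    } > "$out"
    echo "$out"
}

# snapshot_loop DIR [INTERVAL_SEC] [KEEP_MIN]: snapshot, prune, sleep, repeat.
snapshot_loop() {
    while :; do
        take_snapshot "$1" > /dev/null
        find "$1" -name '*.log' -mmin +"${3:-1440}" -delete
        sleep "${2:-60}"
    done
}

# Runs only when asked to, e.g.: nohup sh snap.sh --loop /root/snap-demo &
if [ "${1:-}" = "--loop" ]; then snapshot_loop "$2"; fi
```

After a hang, the last file written before the gap in timestamps is the one to read first; a growing list of state D tasks there points at storage or I/O wait rather than CPU.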
     
  7. everynameistake

    Thanks, I installed the script. Is it resource intensive? Should I keep it running indefinitely? Also, where do I check sar information?
     
  8. cPanelTristan

    Hi,

    A resource intensive script wouldn't be suggested to use on a server with high loads or hanging, since that would only exacerbate the issue, so the script is not resource intensive. It grabs quick details for a few seconds every minute.

    It won't keep running indefinitely as the command you start it with will not be running when the server is rebooted or crashes.

    The "sar" command is the one used in root SSH to get the sar information. It's similar to when someone says to check top and they mean to issue the command "top".

    Thanks!
     