The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Advice on server hanging

Discussion in 'General Discussion' started by everynameistake, Aug 4, 2011.

  1. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Thanks. I found when the id was created in the secure log, but didn't see anything unusual in bash history. Also, the server has hung a couple of time over the past couple of days which required a re-boot. I see many failed login attempts (sample below). Could this be a DOS attack?


    Aug 4 07:46:21 server1 sshd[5096]: input_userauth_request: invalid user collins
    Aug 4 07:46:22 server1 sshd[5096]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:23 server1 sshd[5110]: Invalid user collins from 62.42.240.249
    Aug 4 07:46:23 server1 sshd[5111]: input_userauth_request: invalid user collins
    Aug 4 07:46:23 server1 sshd[5111]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:24 server1 sshd[5116]: Invalid user collins from 62.42.240.249
    Aug 4 07:46:24 server1 sshd[5117]: input_userauth_request: invalid user collins
    Aug 4 07:46:24 server1 sshd[5117]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:25 server1 sshd[5132]: Invalid user com from 62.42.240.249
    Aug 4 07:46:25 server1 sshd[5133]: input_userauth_request: invalid user com
    Aug 4 07:46:25 server1 sshd[5133]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:27 server1 sshd[5138]: Invalid user com from 62.42.240.249
    Aug 4 07:46:27 server1 sshd[5141]: input_userauth_request: invalid user com
    Aug 4 07:46:27 server1 sshd[5141]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:28 server1 sshd[5144]: Invalid user com from 62.42.240.249
    Aug 4 07:46:28 server1 sshd[5147]: input_userauth_request: invalid user com
    Aug 4 07:46:28 server1 sshd[5147]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:43 server1 sshd[5236]: Invalid user commando from 62.42.240.249
    Aug 4 07:46:43 server1 sshd[5252]: input_userauth_request: invalid user commando
    Aug 4 0
     
    #1 everynameistake, Aug 4, 2011
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,622
    Likes Received:
    25
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: [hackcheck] http has a uid 0 account

    So a DoS attack on sshd? I've never heard of a DoS attack on sshd before, since it's usually more beneficial to DoS Apache instead. Those login attempts are all sshd ones.
     
    #2 cPanelTristan, Aug 4, 2011
  3. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Re: [hackcheck] http has a uid 0 account

    How do I determine what is causing the server to hang?
     
    #3 everynameistake, Aug 4, 2011
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,622
    Likes Received:
    25
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: [hackcheck] http has a uid 0 account

    Would you like me to move this to another thread that is on troubleshooting how to figure out administering a machine? The original thread is about security issues for a hackcheck script, so it would be easier to fork this into a new thread.
     
    #4 cPanelTristan, Aug 4, 2011
  5. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Re: [hackcheck] http has a uid 0 account

    Sure, let's move it to the appropriate location.
     
    #5 everynameistake, Aug 4, 2011
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,622
    Likes Received:
    25
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I would suggest installing this script to grab details each minute on the running processes and other details that would be helpful when it hangs again:

    Code:
    cd /root
wget http://sys-snap.techfiles.us/
chmod +x sys-snap.sh
nohup /root/sys-snap.sh &
    At that point, you should then have files in /root/system-snapshot/ folder for each minute logging the details. When the server hangs again, simply review the details to see what is happening. You might also check sar information on the machine to see the recent activity for CPU, user, nice, system, iowait, steal and idle usage on the system.
     
    #6 cPanelTristan, Aug 4, 2011
  7. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Thanks, I installed the script. Is it resource intensive? Should I keep it running indefinitely? Also, where do I check sar information?
     
    #7 everynameistake, Aug 5, 2011
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,622
    Likes Received:
    25
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hi,

    A resource intensive script wouldn't be suggested to use on a server with high loads or hanging, since that would only exacerbate the issue, so the script is not resource intensive. It grabs quick details for a few seconds every minute.

    It won't keep running indefinitely as the command you start it with will not be running when the server is rebooted or crashes.

    The "sar" command is the one used in root SSH to get the sar information. It's similar to when someone says to check top and they mean to issue the command "top"

    Thanks!
     
    #8 cPanelTristan, Aug 5, 2011
(You must log in or sign up to post here.)
Loading...
Similar Threads - Advice server hanging
  1. Masimo

    MySQL server tuning advice

    Masimo, Feb 7, 2016, in forum: Workarounds and Optimization
    Replies:
    3
    Views:
    872
    cPanelMichael
    Feb 9, 2016
  2. kernow

    New Password Advice

    kernow, Aug 16, 2017 at 10:07 AM, in forum: Security
    Replies:
    1
    Views:
    18
    cPanelMichael
    Aug 16, 2017 at 10:21 AM
  3. xmak

    upgrade from 11.56 to 11.64 - advice

    xmak, Aug 12, 2017 at 11:03 AM, in forum: General Discussion
    Replies:
    1
    Views:
    40
    cPanelMichael
    Aug 14, 2017 at 11:16 AM
  4. deathy

    Clustering Advice

    deathy, Sep 26, 2016, in forum: Bind / DNS / Nameserver Issues
    Replies:
    1
    Views:
    309
    cPanelMichael
    Oct 5, 2016
  5. magicalwonders

    Advice requested about latest new features

    magicalwonders, Sep 6, 2016, in forum: General Discussion
    Replies:
    3
    Views:
    368
    cPanelMichael
    Sep 6, 2016

Share This Page