Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Advice on server hanging

Discussion in 'General Discussion' started by everynameistake, Aug 4, 2011.

  1. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Thanks. I found when the id was created in the secure log, but didn't see anything unusual in bash history. Also, the server has hung a couple of time over the past couple of days which required a re-boot. I see many failed login attempts (sample below). Could this be a DOS attack?


    Aug 4 07:46:21 server1 sshd[5096]: input_userauth_request: invalid user collins
    Aug 4 07:46:22 server1 sshd[5096]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:23 server1 sshd[5110]: Invalid user collins from 62.42.240.249
    Aug 4 07:46:23 server1 sshd[5111]: input_userauth_request: invalid user collins
    Aug 4 07:46:23 server1 sshd[5111]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:24 server1 sshd[5116]: Invalid user collins from 62.42.240.249
    Aug 4 07:46:24 server1 sshd[5117]: input_userauth_request: invalid user collins
    Aug 4 07:46:24 server1 sshd[5117]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:25 server1 sshd[5132]: Invalid user com from 62.42.240.249
    Aug 4 07:46:25 server1 sshd[5133]: input_userauth_request: invalid user com
    Aug 4 07:46:25 server1 sshd[5133]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:27 server1 sshd[5138]: Invalid user com from 62.42.240.249
    Aug 4 07:46:27 server1 sshd[5141]: input_userauth_request: invalid user com
    Aug 4 07:46:27 server1 sshd[5141]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:28 server1 sshd[5144]: Invalid user com from 62.42.240.249
    Aug 4 07:46:28 server1 sshd[5147]: input_userauth_request: invalid user com
    Aug 4 07:46:28 server1 sshd[5147]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:43 server1 sshd[5236]: Invalid user commando from 62.42.240.249
    Aug 4 07:46:43 server1 sshd[5252]: input_userauth_request: invalid user commando
    Aug 4 0
     
    #1 everynameistake, Aug 4, 2011
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,609
    Likes Received:
    31
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: [hackcheck] http has a uid 0 account

    So a DoS attack on sshd? I've never heard of a DoS attack on sshd before, since it's usually more beneficial to DoS Apache instead. Those login attempts are all sshd ones.
     
    #2 cPanelTristan, Aug 4, 2011
  3. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Re: [hackcheck] http has a uid 0 account

    How do I determine what is causing the server to hang?
     
    #3 everynameistake, Aug 4, 2011
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,609
    Likes Received:
    31
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: [hackcheck] http has a uid 0 account

    Would you like me to move this to another thread that is on troubleshooting how to figure out administering a machine? The original thread is about security issues for a hackcheck script, so it would be easier to fork this into a new thread.
     
    #4 cPanelTristan, Aug 4, 2011
  5. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Re: [hackcheck] http has a uid 0 account

    Sure, let's move it to the appropriate location.
     
    #5 everynameistake, Aug 4, 2011
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,609
    Likes Received:
    31
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I would suggest installing this script to grab details each minute on the running processes and other details that would be helpful when it hangs again:

    Code:
    cd /root
wget http://sys-snap.techfiles.us/
chmod +x sys-snap.sh
nohup /root/sys-snap.sh &
    At that point, you should then have files in /root/system-snapshot/ folder for each minute logging the details. When the server hangs again, simply review the details to see what is happening. You might also check sar information on the machine to see the recent activity for CPU, user, nice, system, iowait, steal and idle usage on the system.
     
    #6 cPanelTristan, Aug 4, 2011
  7. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Thanks, I installed the script. Is it resource intensive? Should I keep it running indefinitely? Also, where do I check sar information?
     
    #7 everynameistake, Aug 5, 2011
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,609
    Likes Received:
    31
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hi,

    A resource intensive script wouldn't be suggested to use on a server with high loads or hanging, since that would only exacerbate the issue, so the script is not resource intensive. It grabs quick details for a few seconds every minute.

    It won't keep running indefinitely as the command you start it with will not be running when the server is rebooted or crashes.

    The "sar" command is the one used in root SSH to get the sar information. It's similar to when someone says to check top and they mean to issue the command "top"

    Thanks!
     
    #8 cPanelTristan, Aug 5, 2011
(You must log in or sign up to post here.)
Loading...
Similar Threads - Advice server hanging
  1. hwcltjn

    EasyApache 4 Profile Advice

    hwcltjn, Mar 19, 2018, in forum: Workarounds and Optimization
    Replies:
    1
    Views:
    167
    cPanelMichael
    Mar 20, 2018
  2. DjordjeB

    DNS cluster Setup advice

    DjordjeB, Feb 13, 2018, in forum: Bind / DNS / Nameserver Issues
    Replies:
    3
    Views:
    182
    cPanelMichael
    Feb 15, 2018
  3. sneader

    Advice migrating from Legacy to new Backup

    sneader, Dec 7, 2017, in forum: Data Protection
    Replies:
    2
    Views:
    154
    cPanelMichael
    Dec 8, 2017
  4. John Richards

    Advice on best config for http/2

    John Richards, Sep 21, 2017, in forum: Workarounds and Optimization
    Replies:
    1
    Views:
    559
    cPanelMichael
    Sep 21, 2017
  5. kernow

    New Password Advice

    kernow, Aug 16, 2017, in forum: Security
    Replies:
    1
    Views:
    219
    cPanelMichael
    Aug 16, 2017

Share This Page