Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Advice on server hanging

Discussion in 'General Discussion' started by everynameistake, Aug 4, 2011.

  1. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Thanks. I found when the id was created in the secure log, but didn't see anything unusual in bash history. Also, the server has hung a couple of time over the past couple of days which required a re-boot. I see many failed login attempts (sample below). Could this be a DOS attack?


    Aug 4 07:46:21 server1 sshd[5096]: input_userauth_request: invalid user collins
    Aug 4 07:46:22 server1 sshd[5096]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:23 server1 sshd[5110]: Invalid user collins from 62.42.240.249
    Aug 4 07:46:23 server1 sshd[5111]: input_userauth_request: invalid user collins
    Aug 4 07:46:23 server1 sshd[5111]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:24 server1 sshd[5116]: Invalid user collins from 62.42.240.249
    Aug 4 07:46:24 server1 sshd[5117]: input_userauth_request: invalid user collins
    Aug 4 07:46:24 server1 sshd[5117]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:25 server1 sshd[5132]: Invalid user com from 62.42.240.249
    Aug 4 07:46:25 server1 sshd[5133]: input_userauth_request: invalid user com
    Aug 4 07:46:25 server1 sshd[5133]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:27 server1 sshd[5138]: Invalid user com from 62.42.240.249
    Aug 4 07:46:27 server1 sshd[5141]: input_userauth_request: invalid user com
    Aug 4 07:46:27 server1 sshd[5141]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:28 server1 sshd[5144]: Invalid user com from 62.42.240.249
    Aug 4 07:46:28 server1 sshd[5147]: input_userauth_request: invalid user com
    Aug 4 07:46:28 server1 sshd[5147]: Received disconnect from 62.42.240.249: 11: Bye Bye
    Aug 4 07:46:43 server1 sshd[5236]: Invalid user commando from 62.42.240.249
    Aug 4 07:46:43 server1 sshd[5252]: input_userauth_request: invalid user commando
    Aug 4 0
     
    #1 everynameistake, Aug 4, 2011
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: [hackcheck] http has a uid 0 account

    So a DoS attack on sshd? I've never heard of a DoS attack on sshd before, since it's usually more beneficial to DoS Apache instead. Those login attempts are all sshd ones.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelTristan, Aug 4, 2011
  3. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Re: [hackcheck] http has a uid 0 account

    How do I determine what is causing the server to hang?
     
    #3 everynameistake, Aug 4, 2011
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: [hackcheck] http has a uid 0 account

    Would you like me to move this to another thread that is on troubleshooting how to figure out administering a machine? The original thread is about security issues for a hackcheck script, so it would be easier to fork this into a new thread.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelTristan, Aug 4, 2011
  5. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Re: [hackcheck] http has a uid 0 account

    Sure, let's move it to the appropriate location.
     
    #5 everynameistake, Aug 4, 2011
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I would suggest installing this script to grab details each minute on the running processes and other details that would be helpful when it hangs again:

    Code:
    cd /root
wget http://sys-snap.techfiles.us/
chmod +x sys-snap.sh
nohup /root/sys-snap.sh &
    At that point, you should then have files in /root/system-snapshot/ folder for each minute logging the details. When the server hangs again, simply review the details to see what is happening. You might also check sar information on the machine to see the recent activity for CPU, user, nice, system, iowait, steal and idle usage on the system.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 cPanelTristan, Aug 4, 2011
  7. everynameistake

    everynameistake Member

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Thanks, I installed the script. Is it resource intensive? Should I keep it running indefinitely? Also, where do I check sar information?
     
    #7 everynameistake, Aug 5, 2011
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hi,

    A resource intensive script wouldn't be suggested to use on a server with high loads or hanging, since that would only exacerbate the issue, so the script is not resource intensive. It grabs quick details for a few seconds every minute.

    It won't keep running indefinitely as the command you start it with will not be running when the server is rebooted or crashes.

    The "sar" command is the one used in root SSH to get the sar information. It's similar to when someone says to check top and they mean to issue the command "top"

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 cPanelTristan, Aug 5, 2011
(You must log in or sign up to post here.)
Loading...
Similar Threads - Advice server hanging
  1. RoboticPuppies

    Need advice about malware on server

    RoboticPuppies, Apr 30, 2018, in forum: Security
    Replies:
    8
    Views:
    378
    RoboticPuppies
    May 3, 2018
  2. bloatedstoat

    Advice on the use of a blocklist within CSF

    bloatedstoat, Dec 5, 2018, in forum: Security
    Replies:
    17
    Views:
    244
    rpvw
    Dec 6, 2018
  3. iddqd_x

    http2 advice

    iddqd_x, Jun 23, 2018, in forum: EasyApache
    Replies:
    1
    Views:
    366
    cPanelMichael
    Jun 26, 2018
  4. martin MHC

    SOLVED Maximum Mailbox Size Advice

    martin MHC, May 14, 2018, in forum: E-mail Discussion
    Replies:
    4
    Views:
    340
    brt
    Jun 2, 2018
  5. hwcltjn

    EasyApache 4 Profile Advice

    hwcltjn, Mar 19, 2018, in forum: Workarounds and Optimization
    Replies:
    1
    Views:
    576
    cPanelMichael
    Mar 20, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice