The Community Forums


Another High Server Log - Never seen this in TOP

Discussion in 'General Discussion' started by rhenderson, Oct 24, 2005.

  1. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Hi all,

    Hoping someone can help trace this. It started last night: I had a runaway httpd process, restarted it, and things were fine till this afternoon, then it got out of hand again.

    17:43:35 up 2:31, 2 users, load average: 4.42, 5.00, 4.94
    268 processes: 256 sleeping, 7 running, 5 zombie, 0 stopped
    CPU states: cpu user nice system irq softirq iowait idle
    total 83.8% 0.0% 13.7% 0.5% 1.7% 0.0% 0.0%
    Mem: 495808k av, 473900k used, 21908k free, 0k shrd, 7788k buff
    370476k actv, 56712k in_d, 4780k in_c
    Swap: 1052248k av, 524812k used, 527436k free 45840k cached

    PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
    6032 nobody 25 0 3564 2864 1784 R 45.0 0.5 7:22 0 /usr/local/firewall
    6512 nobody 25 0 2912 1436 1100 R 44.8 0.2 117:50 0 /usr/local/firewall
    4684 root 15 0 4152 1468 880 S 0.3 0.2 0:00 0 /etc/authlib/authProg
    6658 nobody 15 0 3012 2116 1176 S 0.3 0.4 0:03 0 /usr/local/firewall
    12211 nobody 15 0 3012 2112 1176 S 0.3 0.4 0:03 0 /usr/local/firewall
    18312 nobody 15 0 3168 2284 1332 S 0.3 0.4 0:02 0 /usr/local/firewall
    8281 root 15 0 1312 1312 892 R 0.3 0.2 0:00 0 top
    993 root 15 0 528 492 432 S 0.1 0.0 0:00 0 /usr/libexec/courier-authlib/a
    6537 nobody 15 0 3012 2120 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    6650 nobody 15 0 3012 2128 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    6652 nobody 15 0 3012 2136 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    7114 nobody 15 0 3012 2112 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    7116 nobody 15 0 3012 2112 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    9380 nobody 15 0 3012 2128 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    9384 nobody 15 0 3012 2156 1176 S 0.1 0.4 0:02 0 /usr/local/firewall
    9392 nobody 15 0 3012 2136 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    9396 nobody 15 0 3012 2132 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    9415 nobody 15 0 3012 2136 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    12226 nobody 15 0 3012 2116 1176 S 0.1 0.4 0:02 0 /usr/local/firewall
    12228 nobody 15 0 3012 2120 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    12230 nobody 15 0 3012 2144 1176 S 0.1 0.4 0:02 0 /usr/local/firewall
    12234 nobody 15 0 3012 2132 1176 S 0.1 0.4 0:03 0 /usr/local/firewall
    12372 nobody 15 0 3012 2112 1176 S 0.1 0.4 0:02 0 /usr/local/firewall
    12392 nobody 15 0 3012 2104 1176 S 0.1 0.4 0:02 0 /usr/local/firewall

    There is not a "firewall" at /usr/local, so I thought maybe it was IPTables or APF, so I stopped APF, and the /usr/local/firewall was still there.

    Any ideas?
     
  2. Earendil

    Earendil Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Check your /tmp for suspicious files.
    I'm guessing someone loaded up something like an eggdrop/bouncer and named the process firewall.
     
  3. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Just found one in /var/tmp (even though I have secured them using /scripts/securetmp), deleted them, reran the securetmp script, and am rebooting now to see if they are gone. They are also locked processes. Do you know of a way to trace them?

    Thanks
     
  4. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Yes, that did it; it had something to do with IRC Rizon, I think. Now to figure out how it is getting there.
     
  5. Gareth

    Gareth Well-Known Member

    Joined:
    Feb 11, 2004
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Isle of Anglesey, UK
    A bit off topic sorry,

    but rhenderson, do you know that if I click on your domain in your sig I go to your site and then get redirected to http://www.yahoo.com/?
     
  6. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Lol sorry about that
     
  7. Earendil

    Earendil Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Tracing might be done using the logs, if available, or if you have phpSuEXEC installed, you can see who owns them.
    I'm not sure what securetmp does, but you might be better off using eth0.us as a source.
    Also make sure you're running a 2.6 kernel, as in a 2.4 you can easily go around the noexec argument ;)
     
    #7 Earendil, Oct 25, 2005
    Last edited: Oct 25, 2005
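The thread never answers rhenderson's question about how to trace the processes, so here is an added example (not code from the thread, from cPanel, or from securetmp) showing the check a practitioner would run before killing anything. The point it demonstrates: what top and ps print in the COMMAND column is argv[0], which the process chooses for itself, so "/usr/local/firewall" not existing on disk is exactly what a spoofed name looks like. The kernel's /proc/<pid>/exe, /proc/<pid>/cwd and /proc/<pid>/cmdline record where the binary really lives, whether it has since been unlinked, and what was typed to start it. The code assumes a Linux procfs layout (both 2.4 and 2.6 expose these entries) and that the interesting scratch directories are /tmp, /var/tmp and /dev/shm; the sample PIDs, the "/var/tmp/.x/bnc" path and the cmdline contents are constructed for the example, loosely modelled on the listing in the first post and Earendil's bouncer guess.

```python
"""Triage running processes by what /proc says, not by what top prints.

Added example for this thread, not cPanel or securetmp code. A process can
set argv[0] to any string, so top/ps happily show "/usr/local/firewall"
even when no such file exists. /proc/<pid>/exe, cwd and cmdline cannot be
spoofed the same way, so they are what to read before killing the process.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import List

# Assumption: the world-writable scratch directories a dropper would use.
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
DELETED = " (deleted)"  # suffix the kernel appends to exe after an unlink


@dataclass
class ProcInfo:
    pid: int
    exe: str            # target of /proc/<pid>/exe
    cwd: str            # target of /proc/<pid>/cwd
    argv: List[str]     # /proc/<pid>/cmdline split on NUL
    flags: List[str] = field(default_factory=list)


def _readlink(path: str) -> str:
    try:
        return os.readlink(path)
    except OSError:
        return ""       # kernel thread, or not root: link not readable


def _read_cmdline(path: str) -> List[str]:
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def _under(path: str, roots) -> bool:
    return any(path == r or path.startswith(r + "/") for r in roots)


def inspect_pid(pid: int, procroot: str = "/proc") -> ProcInfo:
    """Read exe/cwd/cmdline for one pid and attach triage flags."""
    base = os.path.join(procroot, str(pid))
    info = ProcInfo(pid,
                    _readlink(os.path.join(base, "exe")),
                    _readlink(os.path.join(base, "cwd")),
                    _read_cmdline(os.path.join(base, "cmdline")))
    exe = info.exe
    if exe.endswith(DELETED):
        # Binary removed after exec: the process keeps running from memory.
        info.flags.append("executable unlinked while running")
        exe = exe[: -len(DELETED)]
    if _under(exe, TEMP_DIRS) or _under(info.cwd, TEMP_DIRS):
        info.flags.append("runs from temp directory")
    argv0 = info.argv[0] if info.argv else ""
    if argv0.startswith("/") and argv0 != exe and not os.path.exists(argv0):
        # The name top shows is argv[0]; a path that does not exist is a tell.
        info.flags.append("argv[0] names a path that does not exist")
    return info


def scan(procroot: str = "/proc") -> List[ProcInfo]:
    """Inspect every numeric entry under procroot (the real /proc by default)."""
    return [inspect_pid(int(n), procroot)
            for n in sorted(os.listdir(procroot)) if n.isdigit()]


def build_sample_procfs() -> str:
    """Constructed stand-in for /proc so the module runs offline.

    PID 6032 mimics the thread's "/usr/local/firewall": argv[0] is spoofed,
    the real binary lived in /var/tmp and was unlinked. PID 4684 is benign.
    All paths here are made up for the example.
    """
    root = tempfile.mkdtemp(prefix="fakeproc-")
    samples = {
        6032: ("/var/tmp/.x/bnc" + DELETED, "/var/tmp/.x", b"/usr/local/firewall\0"),
        4684: ("/bin/sh", "/", b"/bin/sh\0-c\0sleep 60\0"),
    }
    for pid, (exe, cwd, cmdline) in samples.items():
        d = os.path.join(root, str(pid))
        os.mkdir(d)
        os.symlink(exe, os.path.join(d, "exe"))
        os.symlink(cwd, os.path.join(d, "cwd"))
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(cmdline)
    return root


if __name__ == "__main__":
    for p in scan(build_sample_procfs()):
        if p.flags:
            print(f"pid {p.pid}: exe={p.exe} cwd={p.cwd} argv={p.argv}")
            for f in p.flags:
                print(f"    ! {f}")
```

Run it as root against the real /proc (scan() with no argument) before restarting httpd or rebooting: once the process is gone, the exe link and the unlinked binary it points at are gone with it, and the owning UID in /proc/<pid>/status is what ties the process back to an account or a script under phpSuEXEC. Note that "runs from temp directory" only tells you where the binary was started from; as Earendil says, noexec on /tmp is not by itself proof that nothing can run from there.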
