
DoS attack then slow server.

Discussion in 'General Discussion' started by skatesurferdude, Dec 19, 2004.

  1. skatesurferdude

    Hey guys, I was attacked DoS style. The server was shut down then brought back up. No more attacks, but now the processor runs at 99%, making my site almost unusable. What should I do?

    Versions:

    WHM 9.9.9 cPanel 9.9.9-S15
    RedHat 9 i686 - WHM X v3.1.0
     
  2. haze

    haze Well-Known Member

    Check your processes, view your logs; the attack is probably continuing one way or another.
     
  3. skatesurferdude

    What should I be looking for?

    I see this when I run top in ssh:

    4 19 11964 3776 628 D N 99.9 0.7 0:04 0 cpanellogd
    28256 root 17 0 2440 2440 1452 S 99.9 0.5 0:04 0 httpd

    Those 99.9 being CPU.
     
    #3 skatesurferdude, Dec 19, 2004
    Last edited: Dec 19, 2004
  4. EdRooney

    EdRooney BANNED

    28256 root 17 0 2440 2440 1452 S 99.9 0.5 0:04 0 httpd
    This is bad; httpd should not be running as root. It is possible this is another process trying to look like apache.
     
  5. skatesurferdude

    OK, cool. How can I kill it?
     
  6. chirpy

    chirpy Well-Known Member

    Erm, no, that is apache running the parent process as root which is completely correct. It is the child processes that run as the configured username:group within httpd.conf. Nothing at all wrong there.

    You don't mention whether you have an iptables firewall installed. If you don't, install one (e.g. APF). Secondly, if you're still under attack, your datacentre should be the ones investigating this for you and stopping the traffic at their routers.
     
  7. EdRooney

    EdRooney BANNED

    How do you know it's an apache parent process?
     
  8. chirpy

    chirpy Well-Known Member

    How do you know it isn't? What you stated was wrong and the most likely explanation is that it is completely innocent and correct. ATEOTD, it's up to the system administrator of the box to investigate such issues, based on the facts at hand.
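
The parent/child question argued in this thread can be settled from the process table. The following is an added example, not part of any post above: a triage sketch that labels each `httpd` process as the root-owned parent, an unprivileged child, or something to review. The sample table is constructed; only PID 28256 comes from the `top` output in the thread, and the child user `nobody` and all other PIDs are assumptions.

```shell
#!/bin/sh
# Constructed sample in the format of: ps -eo pid,ppid,user,comm --no-headers
# (only PID 28256 appears in the thread; the rest is made up for illustration)
sample_ps() {
cat <<'EOF'
    1     0 root     init
28256     1 root     httpd
28301 28256 nobody   httpd
28302 28256 nobody   httpd
31007 30990 root     httpd
EOF
}

# classify_httpd: reads "PID PPID USER COMM" lines on stdin and prints
# "PID VERDICT" for every process named httpd.
#   parent - root-owned and has httpd children running as another user
#   child  - non-root and its parent is a root-owned httpd
#   review - anything else, e.g. a root-owned httpd with no unprivileged children
classify_httpd() {
    awk '
    $4 == "httpd" { ppid[$1] = $2; user[$1] = $3; order[++n] = $1 }
    END {
        # First pass: count unprivileged httpd children per root-owned httpd.
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (user[p] != "root" && (ppid[p] in user) && user[ppid[p]] == "root")
                kids[ppid[p]]++
        }
        # Second pass: assign a verdict to each httpd process.
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (user[p] == "root" && kids[p] > 0) v = "parent"
            else if (user[p] != "root" && (ppid[p] in user) && user[ppid[p]] == "root") v = "child"
            else v = "review"
            print p, v
        }
    }'
}

# On a live box: ps -eo pid,ppid,user,comm --no-headers | classify_httpd
# For a "review" PID, ls -l /proc/PID/exe shows which binary is really running.
sample_ps | classify_httpd
```

The verdict is a heuristic based on names and ownership only; the `/proc/PID/exe` link is what confirms that a process named `httpd` is actually the web server binary.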
     