Jul 22, 2004
18
0
151
Hey guys, I was attacked DoS style. The server was shut down then brought back up. No more attacks, but now the processor runs at 99%, making my site almost unusable. What should I do?

Versions:

WHM 9.9.9 cPanel 9.9.9-S15
RedHat 9 i686 - WHM X v3.1.0
 

haze

Well-Known Member
Dec 21, 2001
1,540
3
318
Check your processes, view your logs, the attack is probably continuing one way or another.
 
Jul 22, 2004
18
0
151
What should I be looking for ?

I see this when I run top in ssh

4 19 11964 3776 628 D N 99.9 0.7 0:04 0 cpanellogd
28256 root 17 0 2440 2440 1452 S 99.9 0.5 0:04 0 httpd

Those 99.9 being CPU.
 
EdRooney

BANNED
Oct 21, 2004
166
0
166
28256 root 17 0 2440 2440 1452 S 99.9 0.5 0:04 0 httpd
This is bad, httpd should not be running as root, it is possible this is another process trying to look like apache.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
EdRooney said:
28256 root 17 0 2440 2440 1452 S 99.9 0.5 0:04 0 httpd
This is bad, httpd should not be running as root, it is possible this is another process trying to look like apache.
Erm, no, that is apache running the parent process as root which is completely correct. It is the child processes that run as the configured username:group within httpd.conf. Nothing at all wrong there.

You don't mention whether you have an iptables firewall installed. If you don't, install one (e.g. APF). Secondly, if you're still under attack, your datacentre should be the ones investigating this for you and stopping the traffic at their routers.
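
The parent/child ownership rule described in the post above can be checked mechanically. The following is an added example, not part of the original thread: it classifies every process named httpd from `ps`-style rows. PID 28256 comes from the top output quoted in the thread; the other rows, and the worker user `nobody`, are constructed sample data.

```shell
#!/bin/sh
# Added example. Input: "PID PPID USER COMMAND" rows, the shape produced by
#   ps -eo pid,ppid,user,comm
# Rule from the thread: the httpd parent runs as root, the children run as
# the user configured in httpd.conf.

classify_httpd() {
    awk '
    # Remember every process whose command name is exactly httpd.
    $1 ~ /^[0-9]+$/ && $4 == "httpd" { ppid[$1] = $2; user[$1] = $3 }
    END {
        for (p in ppid) {
            if (ppid[p] in ppid) {
                # Parent is also httpd, so this is a worker (child).
                v = (user[p] == "root") ? "CHECK-root-child" : "ok-child"
            } else if (user[p] == "root") {
                # No httpd above it and owned by root: the parent process.
                v = "ok-parent"
            } else {
                # Named httpd, not root, and not spawned by any httpd.
                v = "CHECK-no-httpd-parent"
            }
            print p, user[p], v
        }
    }' | sort -n
}

# Constructed sample listing (only 28256 appears in the thread).
sample_ps() {
    cat <<'EOF'
  PID  PPID USER     COMMAND
28256     1 root     httpd
28301 28256 nobody   httpd
28302 28256 nobody   httpd
28410 28256 root     httpd
29007     1 nobody   httpd
  812     1 root     sshd
EOF
}

sample_ps | classify_httpd
# Live use: ps -eo pid,ppid,user,comm | classify_httpd
```

A `CHECK` line is a prompt to investigate, not a verdict; `ls -l /proc/<pid>/exe` shows which binary a flagged PID is actually running.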
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
How do you know it isn't? What you stated was wrong and the most likely explanation is that it is completely innocent and correct. ATEOTD, it's up to the system administrator of the box to investigate such issues, based on the facts at hand.