Extremely high server load - BDflush running very high- possible hack

Discussion in 'General Discussion' started by Blink2, Jul 20, 2005.

  1. Blink2

    Hi guys, I have quite a problem and after searching for a long time I have not found anything to help. I had an e-mail from my host a few days ago saying my server carried out an attack on another IP and that my server may have been compromised. I changed passwords on all accounts etc., but I have little experience and was not able to install the APF Firewall.

    Now my server load is always above 4-5 and goes to 10 sometimes. My sites all work fast as usual, which is really odd, but my Current CPU Usage shows a bdflush command sucking up all my CPU. I have never seen this before, and killing it does nothing. Can anyone offer any help, and is this a possible hack?


    Pid Owner Priority Cpu % Mem % Command
    6093 nobody 0 29.4 0.5 [bdflush]
    6091 nobody 0 28.6 0.5 [bdflush]
    6103 nobody 0 28.6 0.5 [bdflush]

    User Domain %CPU %MEM Mysql Processes
    nobody 96.62 3.82 0.0
    Top Process %CPU 82.2 /usr/local/apache/bin/httpd -DSSL
    Top Process %CPU 77.7 [bdflush]
    Top Process %CPU 76.9 [bdflush]

    I could really do with some help here, a bit worried about the server.

    Thanks
     
  2. bchughes

    I'm seeing the same thing but can't figure out what's happening. Ideas? Anyone else seeing this?

    FYI:
    I'm running RH Enterprise 3. WHM 10.1.0 cPanel 10.2.0-R82

    Thanks,
     
    #2 bchughes, Jul 20, 2005
    Last edited: Jul 20, 2005
  3. IdleServ

    I am also having this problem.

    It's very hard to locate where it's coming from...

    I've tried everything... I may even have to look at all 100 domains' logs on the server.

    Keep us posted.
     
  4. Blink2

    Not since you changed to Pure FTP is it? Has happened since then to me.
     
  5. bchughes

    I switched to PureFTP quite a while ago. Interesting thing is at around 5 today, the load went away. Everything seems fine.
     
  6. IdleServ

    I have always used Pure-FTPd.

    As it is a Perl script being executed by nobody, surely it must be via http. I've been trying to search through logs to find exploited phpBBs but it's proving difficult.

    Also for me, it has stopped... I was hoping for it to come back soon so I could catch it out with this method - http://forum.ev1servers.net/showthread.php?t=52811
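
The check implied by the posts above, as an added example that is not part of the original thread: a real kernel thread such as bdflush runs as root, has an empty `/proc/<pid>/cmdline` and no `exe` link, so a `[bdflush]` owned by `nobody` is a userland process that renamed itself. The function names and the constructed table rows are assumptions made for this example.

```python
import os
import re

# Rows 1-2 are copied from the first post; rows 3-4 are constructed for contrast.
SAMPLE_TABLE = """\
6093 nobody 0 29.4 0.5 [bdflush]
6091 nobody 0 28.6 0.5 [bdflush]
7 root 0 0.0 0.0 [bdflush]
812 nobody 0 3.1 1.2 /usr/local/apache/bin/httpd -DSSL
"""
# Columns: Pid Owner Priority Cpu% Mem% Command
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\S+\s+[\d.]+\s+[\d.]+\s+(.+)$")

def flag_table(text):
    """Return PIDs whose command looks like a kernel thread but is not root-owned."""
    hits = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).startswith("[") and m.group(2) != "root":
            hits.append(int(m.group(1)))
    return hits

def scan_proc(proc_root="/proc"):
    """Return (pid, uid, exe) for processes whose argv[0] imitates a kernel thread."""
    # ps adds the brackets itself when cmdline is empty; a renamed userland
    # process carries them inside cmdline and keeps its exe link (e.g. perl).
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            with open(os.path.join(base, "status")) as f:
                uid = next(int(ln.split()[1]) for ln in f if ln.startswith("Uid:"))
        except (OSError, StopIteration):
            continue  # process exited or is unreadable
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None  # kernel thread, or not permitted to read the link
        if argv0.startswith("[") and (exe is not None or uid != 0):
            hits.append((int(entry), uid, exe))
    return sorted(hits)

if __name__ == "__main__":
    print(flag_table(SAMPLE_TABLE), scan_proc())
```

Run it as root so the `exe` links of other users' processes are readable; the `exe` path and the process's `cwd` link then point at the script's interpreter and working directory.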
     
  7. Blink2

    According to my host, eximstats caused it; I have disabled it and the server has worked fine.
     
  8. fcarsenal

    We used Access Control Lists to disable execution of similar programs by user nobody. I am not sure if this is an exploit or a bug.
     
  9. bchughes

    It's back again. Anyone else seeing this?
     
  10. IdleServ

    Same here... I thought I had got rid of it by correcting a security hole in phpBB 2.0.15.
     