The Community Forums

Interact with an entire community of cPanel & WHM users.
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Is This A DDos Attack?

Discussion in 'General Discussion' started by Baris, Sep 11, 2007.

  1. Baris

    Baris Member

    Joined:
    Sep 24, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Nowadays my server frequently has a high load but i cant find what causes this.I am using an AMD Dual Core Dual Opteron 275 CPU with 2 GBs of RAM.

    I am using CSF and here is the mail sent from CSF at the moment of high load.cPanel said at ticket that this is a ddos attack.Is it right? :(

    http://www.bilhost.com/load.txt
     
  2. benfish

    benfish Well-Known Member

    Joined:
    Feb 26, 2007
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    0
    I'm no expert, but it looks like it could be. cPanel are experts though, and are most likely right.

    During the high load, do you have problems connecting to the server and/or slow download speeds?

    Ben
     
  3. Baris

    Baris Member

    Joined:
    Sep 24, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    When the load is high we cant access the sites but i can access the server via ssh.When i stop apache it goes low.But when i open it again it goes high.But it is so strange because CSF doesnt ban anyone at the high load time.Also i dont do anything other than restarting apache several times.Then it returns normal itself..
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,450
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    That doesn't appear to be an email from CFS to me.
     
  5. java_dude

    java_dude Active Member

    Joined:
    Apr 23, 2004
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Run this command and see if there is anyone connected with an excessive amount of connections:

    Code:
    netstat -tn --inet 2> /dev/null| grep ":80" | awk '/tcp[\ ]*[0-9]+[\ ]*[0-9]+[\ ]+[^\ ]+[\ ]*[^\ ]*/ { print $5; }' | cut -d":" -f1 | sort | uniq -c | sort -n
    Do you have any PHP/MySQL scripts on your server? If so, do you have nay cache software like APC? I had a similar issue with my forum a couple of years ago and installing eaccelerator helped tremendously. :)
     
  6. Baris

    Baris Member

    Joined:
    Sep 24, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    There are so many PHP/MySQL sites on this server since we are a hosting company. :)

    I have tried to install cache scripts like eaccelerator but couldnt make it work with phpsuexec.It made us to have internal server error on all sites.
     
  7. Baris

    Baris Member

    Joined:
    Sep 24, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    The subjects of these e-mails are like this.

     
  8. koolcards

    koolcards Well-Known Member

    Joined:
    Oct 8, 2003
    Messages:
    146
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Tampa, Fl
    Your process list is ranked by PID rather than CPU load but the highest usage appears to be mysql:

    mysql 3148 7.4 14.1 427004 293608 ? S<l Sep09 170:28 \_ /usr/sbin/mysqld --basedir=/
    --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/lt.bilhost.com.pid --skip-external-locking


    There doesn't seem to be any pattern in the users under apache processes, although the logs would give you a better idea, so it wouldn't appear that any one site is getting slammed. Someone could hit a users mysql 'search' fast enough on a large database to create these kind of problems and but you have to eyeball the apache processes or apache logs to find it.

    try increasing the amount of memory mysql is allowed to use for searches and sorts in /etc/my.cnf. Maybe increase the number of connections also.
     
  9. Baris

    Baris Member

    Joined:
    Sep 24, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Last night i recompiled apache without phpsuexec and then installed eaccelerator.It went good till now.But now the load is so high again.

    I also find that it always happenes at the same time each day.So i think it is a cron issue.How can i see users's cron jobs?
     
  10. koolcards

    koolcards Well-Known Member

    Joined:
    Oct 8, 2003
    Messages:
    146
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Tampa, Fl
    All crontab's are under "/var/spool/cron" and I'd look at 'root', if I were you. If you have backup's enabled (and I assume you do), see when they run.
    The next thing to check would be when the stats run for each site and what kind of stats you have enabled. Some take up more system resources than others.
     
  11. Baris

    Baris Member

    Joined:
    Sep 24, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I am about to lose my mind..I cant find any cron running at around 1 pm.But it always happen at that time.

    Backup runs at 3 AM and logs run between 00-02 AM

    What may cause this problem?? :(
     
  12. koolcards

    koolcards Well-Known Member

    Joined:
    Oct 8, 2003
    Messages:
    146
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Tampa, Fl
    Lots of things, depending on your sites, hardware, traffic, scripts, any number of things.

    Open an SSH session around that time and leave 'top' running. Watch for the CPU load to go up or a surge in the number of certain types of processes, swap increasing, etc. Could be a user updating his forum database and rebuilding his pages every day at that time. :cool:
     
  13. Baris

    Baris Member

    Joined:
    Sep 24, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I want to commit to suicede..I am really tired of this stupid problem.. :mad:
     
  14. methos

    methos Member

    Joined:
    Sep 25, 2007
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    time to get out of the hosting business, I think ......
     
  15. ryan-fah

    ryan-fah Member

    Joined:
    Dec 20, 2006
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    If I were you I would check out the user: inanilma account.

    There seems to be a few PHP processes from that user adding to the server load and they could be the source of the problem.
     
Loading...

Share This Page