Need DDoS investigating help or high CPU cycle help

Zuriel

cPanel Access Level
Root Administrator
So I need some help investigating an issue I had happen to my server yesterday. First, I have a shared VPS, and my hosting company will power off the VM if I have load over 5 for 5 minutes. Well, I had a load over 10 - 20 for 10 hours. They shut me off over and over in the A.M. But I begged them to let my server stay online so I could try to disable stuff and get it to work.

Needless to say, I turned off IMAP, EXIM, etc, etc, and my load was still way over 10 +

My LDF / ClamAV, etc crashed and I got a high CPU load email one time showing apachestatus, and there were a few IPs doing "a lot" of requests and POSTs with some malware type stuff blah blah.php xx.php virus.php etc. I have CXS scanner which usually catches this stuff but it seemed my server was literally blowing up with CPU cycles that nothing was working and everything was just bomb / crashing / restarting / etc.

I was about to give up and just tell every user on my server that the server got hacked / destroyed and here is their backup, cya later, etc. But eventually by the end of the day everything settled down, the server did some updates, things came back online, and here we are. But I am nervous / scared that I could have another day like that one...

What can I do to find out what / why / who / how my server had such incredible load for 10 hours straight?

Load_1 Min:0.00 Max:28.74 Avg:3.83
Load_5 Min:0.15 Max:19.80 Avg:3.83
Load_15 Min:0.31 Max:16.10 Avg:3.71

28.74 for a 1 min load?? yikes!

24_hour_load.jpg


So you can see 9am - till 3pm? ish I was under major load.

Here is my 30 day load so you can see how crazy this is.

30_day_load.jpg

Each little Jump is my weekly full server backup.

So I guess my server was in the middle of a backup? and got some sort of insane load? or was DDoS? or I don't know why this week was different..

What can I do to start investigating those blocks of hours to see exactly what / why this happened to my server?

thanks!
 

cPanelLauren

Forums Analyst II
Staff member
cPanel Access Level
DataCenter Provider
Hi @Zuriel


Firstly, after the fact it's so difficult to tell what caused the high load. The daily process log in WHM>>Server status>>Daily Process Log may be helpful still since it reserves high usage statistics averages. The forum resource should also prove helpful: Tutorial - Troubleshooting high server loads on Linux servers

You might also find some information in the logs though it may not be too telling at this point:

Code:
/var/log/messages
/etc/apache2/conf/httpd.conf
Ultimately the best resource may be a system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums

Thanks!
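
Added example, not part of either post above: one way to review the high-load window after the fact is to tally, per client IP, the requests and the POSTs to .php files inside that time range. It assumes an Apache access log in the combined format; the sample lines, date and IP addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} '
)

# Constructed sample lines (documentation IP ranges, made-up date and sizes).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:09:01:10 -0400] "POST /xx.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:09:01:11 -0400] "POST /xx.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:09:01:12 -0400] "POST /virus.php?a=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2019:09:02:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2019:08:59:59 -0400] "POST /xx.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
this line is truncated and does not parse
"""

def parse_ts(text):
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")

def summarize(lines, start, end):
    """Return ([(ip, requests, php_posts, top_php_path)], unparsed_count)
    for requests with start <= time < end, busiest IP first."""
    lo, hi = parse_ts(start), parse_ts(end)
    requests, php_posts, skipped = Counter(), defaultdict(Counter), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # truncated or non-request line: count it, don't guess
            continue
        if not lo <= parse_ts(m["ts"]) < hi:
            continue  # outside the window under review
        requests[m["ip"]] += 1
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["method"] == "POST" and path.endswith(".php"):
            php_posts[m["ip"]][path] += 1
    rows = []
    for ip, total in requests.most_common():
        posts = php_posts[ip]
        top = posts.most_common(1)[0][0] if posts else None
        rows.append((ip, total, sum(posts.values()), top))
    return rows, skipped

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines(),
                       "12/Mar/2019:09:00:00 -0400", "12/Mar/2019:15:00:00 -0400")
    print(result)
```

On a real log, pass the open file object instead of `SAMPLE_LOG.splitlines()` and set the window to the hours the load graph shows.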