The Community Forums


Okay, need socket help

Discussion in 'General Discussion' started by Paprika, Sep 20, 2006.

  1. Paprika (Member; joined Aug 1, 2006; 8 messages)
    See attached image.

    I have a bunch of black zones for my socketbufs... It appears to happen daily, at least once a day...

    I read this is indicative of possible malware such as DDoS scripts, keep-alive and/or connection timeouts being too high, or too many services being run.

    1) I have KeepAlive Off and KeepAliveTimeout 5.
    2) I don't think I have too many services running:
    Code:
     20:21:10  up 13 days,  1:09,  1 user,  load average: 2.12, 3.45, 4.00
    96 processes: 95 sleeping, 1 running, 0 zombie, 0 stopped
    CPU0 states:   0.3% user   0.0% system    0.0% nice  99.1% iowait   0.0% idle
    CPU1 states:   0.1% user   0.1% system    0.0% nice   5.3% iowait  93.3% idle
    Mem:  3630040k av, 3570416k used,   59624k free,       0k shrd,   27752k buff
          2994872k active,             152960k inactive
    Swap: 8193140k av, 2892888k used, 5300252k free                  564564k cached
    
      PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
        1 root      15   0  1308  444  1276 S     0.0  0.0   0:00   1 init
    14143 root      16   0  1372  524  1320 S     0.0  0.0   0:00   1 syslogd
    15403 named     18   0 14852 2292  4676 S     0.0  0.0   0:00   1 named
    15720 root      16   0  3456 1120  3348 S     0.0  0.0   0:00   1 sshd
    15875 root      16   0  1976  724  1684 S     0.0  0.0   0:00   1 xinetd
    17982 root      16   0  9620 2120  2628 S     0.0  0.0   0:00   1 chkservd
    20291 root      15   0 45212 3476 43856 S     0.0  0.0   0:00   0 httpd
    20348 root      16   0  1364  564  1316 S     0.0  0.0   0:00   1 crond
    24186 root      15   0  5704 1044  5348 S     0.0  0.0   0:00   0 pure-ftpd
    24189 root      16   0  3344  656  3132 S     0.0  0.0   0:00   0 pure-authd
    25661 root      34  19 11568 5752  4180 S N   0.0  0.1   0:00   0 cpanellogd
    26023 cpanel    15   0  6068 1172  3392 S     0.0  0.0   0:00   1 stunnel-4.15loc
    30182 mailman   17   0  8936 2212  5412 S     0.0  0.0   0:00   0 mailmanctl
    30216 mailman   16   0  8876 1980  5364 S     0.0  0.0   0:00   1 python2.4
    30332 root      18   0  1328  392  1284 S     0.0  0.0   0:00   0 portsentry
    19550 root      17   0  2052  880  1936 S     0.0  0.0   0:00   1 mysqld_safe
    19717 mysql     15   0 90692  32M  6368 S     0.0  0.9   0:00   0 mysqld
    22301 root      15   0 10328 2976  7952 S     0.0  0.0   0:00   1 cppop
     3420 mailnull  16   0  6640 1520  6008 S     0.0  0.0   0:00   0 exim
     3426 mailnull  18   0  6604 1436  6008 S     0.0  0.0   0:00   0 exim
     3464 root      16   0  2740 1328  2344 S     0.0  0.0   0:00   0 antirelayd
    11568 root      16   0 12124 3508  9532 S     0.0  0.0   0:00   1 cpsrvd
    15452 root      15   0  2220 1284  1936 S     0.0  0.0   0:00   0 bash
    24373 root      16   0  1816  980  1644 R     0.0  0.0   0:00   1 top
    
    
    ... Which brings me to the idea of possible malware/viruses/trojans being on my server.
    I ran the WHM Scan for Trojans and this is what it "found":
    Code:
    Possible Trojan - /usr/bin/pod2man
    Possible Trojan - /usr/bin/pod2usage
    Possible Trojan - /usr/bin/podchecker
    Possible Trojan - /usr/bin/podselect
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/xsubpp
    Possible Trojan - /usr/bin/animate
    Possible Trojan - /usr/bin/composite
    Possible Trojan - /usr/bin/conjure
    Possible Trojan - /usr/bin/convert
    Possible Trojan - /usr/bin/display
    Possible Trojan - /usr/bin/identify
    Possible Trojan - /usr/bin/import
    Possible Trojan - /usr/bin/mogrify
    Possible Trojan - /usr/bin/montage
    Possible Trojan - /usr/bin/dbiprof
    Possible Trojan - /usr/bin/curl
    

    Are these really threats? I googled some of them and found them to be regular Linux commands/programs.

    What can I do to see if my VPS has any malware on it, before turning to my host about the slowness of my server?
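The scan output in the post lists ordinary Perl tools (pod2man, xsubpp, splain, dbiprof), ImageMagick binaries (convert, mogrify, montage, display, identify, import, animate, composite, conjure) and curl. The check a practitioner would run before treating any of them as a trojan is to ask the RPM database which package owns each file and whether the installed file still matches the size and digest that package recorded. The script below is an added example, not code from the thread or from cPanel; it assumes an RPM-based cPanel host (CentOS/RHEL), uses a constructed sample of three lines from the posted scan when no file is given, and the script name `verify_scan.sh` is hypothetical.

```shell
#!/bin/sh
# Triage for WHM "Scan for Trojans" hits (added example, not cPanel's code).
# For each flagged path, ask the RPM database which package owns it and
# whether the installed file still matches the size/digest the package
# recorded at install time. Paths nobody owns, or whose digest differs,
# deserve a manual look; mtime-only differences are normally benign.

# Constructed sample: three of the lines from the scan output in the post,
# used when no scan-output file is given on the command line.
SAMPLE_SCAN='Possible Trojan - /usr/bin/pod2man
Possible Trojan - /usr/bin/convert
Possible Trojan - /usr/bin/curl'

# Pull the path out of each "Possible Trojan - <path>" line on stdin.
scan_paths() {
    sed -n 's/^Possible Trojan - //p'
}

# Decode the 9-character attribute string that `rpm -V` prints for a file
# that differs from the package database (column order SM5DLUGTP): a
# letter or digit means that attribute differs, a dot means it matches.
explain_verify_flags() {
    out=""
    case $1 in *S*) out="$out size" ;; esac
    case $1 in *M*) out="$out mode" ;; esac
    case $1 in *5*) out="$out digest" ;; esac
    case $1 in *D*) out="$out device" ;; esac
    case $1 in *L*) out="$out symlink" ;; esac
    case $1 in *U*) out="$out user" ;; esac
    case $1 in *G*) out="$out group" ;; esac
    case $1 in *T*) out="$out mtime" ;; esac
    case $1 in *P*) out="$out capabilities" ;; esac
    printf '%s' "${out# }"
}

# Severity of a verify string: "content" if the bytes changed (size or
# digest), "metadata" if only mode/ownership/mtime moved, "clean" otherwise.
verify_verdict() {
    case $1 in
        *S*|*5*)        echo content ;;
        *[MDLUGTP]*)    echo metadata ;;
        *)              echo clean ;;
    esac
}

# Verify one flagged path against the RPM database.
check_path() {
    path=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$path: rpm not available on this host, cannot verify"
        return 0
    fi
    pkg=$(rpm -qf "$path" 2>/dev/null | head -n 1)
    if [ -z "$pkg" ]; then
        echo "$path: NOT owned by any package, inspect by hand"
        return 0
    fi
    # rpm -Vf prints only files of the owning package that differ, so an
    # empty match means the file is exactly what the package installed.
    flags=$(rpm -Vf "$path" 2>/dev/null | awk -v p="$path" '$NF == p { print $1 }')
    if [ -z "$flags" ]; then
        echo "$path: owned by $pkg, matches package"
    elif [ "$flags" = "missing" ]; then
        echo "$path: owned by $pkg but the file is missing"
    else
        echo "$path: owned by $pkg, differs in $(explain_verify_flags "$flags") [$(verify_verdict "$flags")]"
    fi
}

# Driver: read scan output from the files given, or fall back to the sample.
main() {
    if [ $# -gt 0 ]; then cat "$@"; else printf '%s\n' "$SAMPLE_SCAN"; fi \
        | scan_paths | while IFS= read -r p; do check_path "$p"; done
}

main "$@"
```

Save the WHM scan output to a file and run `sh verify_scan.sh scan.txt` on the box. A result of `.......T.` (mtime only) is the usual false positive; `S.5....T.` means the bytes on disk are not what the package shipped, and "NOT owned by any package" means there is no package to compare against at all. The caveat is that `rpm -V` trusts the local RPM database, which a root-level rootkit can rewrite along with the binaries; for a host you genuinely suspect, compare the files against packages fetched from a clean mirror or from a rescue boot rather than against the database on the running system.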