
Server Crash

Discussion in 'General Discussion' started by Solokron, Nov 17, 2005.

  1. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    Server just recently crashed.

    Reviewing /var/log/messages I see the following which is not very useful.


    Nov 17 20:09:06 yyyyy kernel: cpu 1 hot: low 32, high 96, batch 16
    Nov 17 20:09:06 yyyyy kernel: cpu 1 cold: low 0, high 32, batch 16
    Nov 17 20:09:06 yyyyy kernel: HighMem per-cpu: empty
    Nov 17 20:09:06 yyyyy kernel:
    Nov 17 20:11:15 yyyyy kernel: Free pages: 764kB (0kB HighMem)
    Nov 17 20:12:41 yyyyy kernel: Active:1459 inactive:107353 dirty:0 writeback:107060 unstable:0 free:191 slab:13326 mapped:9248 pagetables:1855
    Nov 17 20:12:41 yyyyy kernel: DMA free:20kB min:20kB low:40kB high:60kB active:24kB inactive:11748kB present:16384kB
    Nov 17 20:13:10 yyyyy kernel: protections[]: 0 0 0
    Nov 17 20:13:16 yyyyy kernel: Normal free:744kB min:692kB low:1384kB high:2076kB active:5812kB inactive:417664kB present:499392kB
    Nov 17 20:34:49 yyyyy root[13202]: spamd: server killed by SIGTERM, shutting down
    Nov 17 20:33:52 yyyyy pure-ftpd: (?@24.17.xxx.xx) [INFO] New connection from 24.17.xxx.xx
    Nov 17 20:34:41 yyyyy kernel: protections[]: 0 0 0
    Nov 17 20:34:47 yyyyy kernel: HighMem free:0kB min:128kB low:256kB high:384kB active:0kB inactive:0kB present:0kB
    Nov 17 20:34:48 yyyyy crond(pam_unix)[30923]: session opened for user root by (uid=0)
    Nov 17 20:34:48 yyyyy crond(pam_unix)[30926]: session opened for user root by (uid=0)


    So I know the crash occurred around 20:13. Checking the /tmp directory I find the following right before the crash:

    -rw-rw-rw- 1 xxxxx xxxxx 5 Nov 17 20:08 .fd00.548b38
    -rw-rw-rw- 1 xxxxx xxxxx 5 Nov 17 20:08 .fd00.548b40
    -rw-rw-rw- 1 xxxxx xxxxx 5 Nov 17 20:08 .fd00.548b55

    Are these Fedora dump files? How can I locate via logs what created these files?

    Thanks!
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    You need to clean up your server from all the hacking tools downloaded and installed on your server. There must be an insecure script used as a back-door to access your server. See who owns these files and either patch and/or upgrade their PHP/CGI scripts to the latest release. You also need to secure your server against any attack in the future.
     
  3. Solokron

    Terrible answer which does not even address the question.

    This is a newly provisioned server, only 24 hours old, which has been hardened and runs chkrootkit and tripwire twice daily. The one account on the server is running the latest versions of its scripts as I installed them myself.

     
  4. AndyReed

    Is this how you respond to others when they try to help and work with you?

    Have you ever heard about netiquette? If not, people like you should read: http://randomnetstuff.com/netiquette.html

    Thank you very much for such a polite response, sir.
     
  5. Solokron

    I appreciate the attempt but it does not address the question one bit.

     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Indeed, it doesn't.

    I'm not sure about those tmp files, they could come from almost anywhere. What was the file owner/group? Are they owned by a cPanel user account or a system account?

    Those kernel messages are rather odd too.

    If you haven't deleted them, do those log files contain anything useful? If they're binary files try running:

    strings <filename>

    Also, check that you don't have the main laus rpm installed, as that can cause server instability.

    If you keep getting unexplained crashes, you might also want to get the RAM chips checked out. They seem to be one of the most common causes of non-software generated crashes.

    Lastly, it helps if you can get the serial console output when you have a server crash (if there is one) as the oops can often (though not always) give useful information as to the cause.
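
The checks asked for in the last post (owner and group of the files, and any readable content, as `strings` would show it), as an added Python example that is not part of the thread. The `triage` function, its 10-minute window before the crash time and the sample file content are assumptions made for illustration.

```python
import grp, os, pwd, re, stat, time
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # runs of 4+ printable bytes, like strings(1)

def _name(lookup, ident):
    """Map a uid/gid to a name; keep the number if the account no longer exists."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def triage(directory, crash_epoch, window_s=600, max_bytes=4096):
    """Describe regular files modified within window_s seconds before the crash, oldest first."""
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)  # lstat: never follow a planted symlink
            in_window = crash_epoch - window_s <= st.st_mtime <= crash_epoch
            if not (stat.S_ISREG(st.st_mode) and in_window):
                continue
            try:
                # Refuse a path swapped for a symlink after the stat; never block on a FIFO.
                fd = os.open(entry.path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
                with os.fdopen(fd, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                data = b""  # unreadable: still report the metadata
            hits.append((st.st_mtime, entry.name, {
                "name": entry.name,
                "owner": _name(pwd.getpwuid, st.st_uid),
                "group": _name(grp.getgrgid, st.st_gid),
                "mode": stat.filemode(st.st_mode),
                "world_writable": bool(st.st_mode & stat.S_IWOTH),
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                "strings": [m.decode("ascii") for m in PRINTABLE.findall(data)],
            }))
    return [rec for _, _, rec in sorted(hits, key=lambda h: h[:2])]

if __name__ == "__main__":
    import tempfile
    crash = time.mktime(time.strptime("2005-11-17 20:13:00", "%Y-%m-%d %H:%M:%S"))
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for /tmp
        path = os.path.join(d, ".fd00.548b38")
        with open(path, "wb") as fh:
            fh.write(b"1234\n")  # constructed 5-byte content, not taken from the thread
        os.chmod(path, 0o666)
        os.utime(path, (crash - 300, crash - 300))  # 20:08, five minutes before the crash
        for rec in triage(d, crash):
            print(rec)
```

Run against the real directory as `triage("/tmp", crash_epoch)`; the owner field shows whether a cPanel user account or a system account owns each file.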
     