Server slow, hacker attack?

Discussion in 'General Discussion' started by dean_l, May 15, 2013.

  1. dean_l

    dean_l Member

    Joined:
    Aug 14, 2012
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Hi good people,

    I am a noob who just started using a VPS and cPanel. I have a VPS with GoDaddy, CentOS 5, 8GB RAM, with around 10 websites and 40,000 visitors a month. All websites are WordPress and kept updated with minimum plugins.

    Since yesterday my server has been very slow; load is: 27.35 21.07 15.07
    What I notice is a lot of processes like these:
    nobody 0.3 /usr/local/apache/bin/httpd -k start -DSSL
    nobody 0.1 /usr/local/apache/bin/httpd -k start -DSSL

    Does this mean my server is hacked?
    How can I fix it?
    Please note that I am a noob and use WHM and root access to the server. I don't have a clue how to use the shell and would really like to solve my problems through the WHM panel.

    Urgent help is appreciated. Thanks a lot!
    Regards

    dean

    - - - Updated - - -

    Process manager showing a lot of:
    15889 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15902 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15915 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15917 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15918 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15919 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15930 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15931 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15932 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15933 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15936 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15939 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    15940 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
    ....

    I don't have a clue how to stop this and keep my server.
    Any suggestions are welcome.
     
  2. dean_l

    Also a lot of:
    22254 (Trace) (Kill) hotpotne 0 0.0 0.0 /opt/suphp/sbin/suphp
    22255 (Trace) (Kill) hotpotne 0 0.0 0.0 /opt/suphp/sbin/suphp
    22256 (Trace) (Kill) hotpotne 0 0.0 0.0 /opt/suphp/sbin/suphp
    22257 (Trace) (Kill) hotpotne 0 0.0 0.0 /opt/suphp/sbin/suphp

    hotpotne is the username for my main account/website.
    But I don't have a clue what this process means. It's executed like 20 more times.
     
  3. dean_l

    As I don't use this server for any email, I shut down all mail services in 'Mailserver Configuration'. I hope this will reduce the possibility that someone wants to use my server for some hacks. I don't send any email, nor do I have any user accounts, so I guess I don't need mail then. But this didn't sort out my issue with the server. What else can I do?
     
  4. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    From what you've provided there isn't immediate evidence of anything sinister going on. The suphp processes are likely visits to your site being processed. It would be a good idea to check the access log for the site in question to check what is being accessed; for example, your WordPress admin area may be under a brute force login attack, or a content scraper may be hitting many pages on your site at once, resulting in high load.

    If the investigation of logfiles shows nothing untoward, you might like to look into a caching plugin for WordPress if you don't already have one installed; properly configured, this will reduce the number of suphp processes running at any one time, as WordPress will be able to serve pages as static HTML from cache.
     
  5. dean_l

    Thanks for the reply, ThinIce. By further looking into it, it looks like one website was under heavy pingback & comment attack, resulting in over 13,000 spam comments in 1 day. They were all held for moderation, but I guess this could cause heavy load. I disabled comments and pingbacks for the time being to see if this will fix the issue.

    Re cache - I am using the WP plugin W3 Total Cache, but this plugin doesn't work properly in the last update. Actually it broke one of my websites. I think it's time to find a better WP cache plugin.
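
Added example, not part of any post in this thread: one way to do the access-log check ThinIce suggests and to confirm the pingback and comment flood dean_l found, by counting per-client POSTs to the WordPress login, XML-RPC and comment endpoints and flagging clients that fetch many distinct pages. It assumes Apache combined log format; the function names, thresholds and sample lines are constructed for illustration and should be tuned to real traffic.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "METHOD url proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# WordPress endpoints behind the causes discussed in the thread.
ENDPOINTS = {
    "/wp-login.php": "login brute force",
    "/xmlrpc.php": "pingback/XML-RPC flood",
    "/wp-comments-post.php": "comment spam",
}

def summarize(lines, post_threshold=5, scrape_threshold=5):
    """Return {ip: [findings]} for clients at or above the (illustrative) thresholds."""
    posts = defaultdict(Counter)   # ip -> endpoint -> POST count
    pages = defaultdict(set)       # ip -> distinct paths fetched with GET
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue               # skip malformed or truncated lines
        ip, method, url, _status = m.groups()
        path = url.split("?", 1)[0]
        key = "/" + path.rsplit("/", 1)[-1]   # also matches installs in a subdirectory
        if method == "POST" and key in ENDPOINTS:
            posts[ip][key] += 1
        elif method == "GET":
            pages[ip].add(path)
    findings = defaultdict(list)
    for ip, counts in posts.items():
        for key, n in counts.items():
            if n >= post_threshold:
                findings[ip].append(f"{ENDPOINTS[key]}: {n} POSTs to {key}")
    for ip, seen in pages.items():
        if len(seen) >= scrape_threshold:
            findings[ip].append(f"possible scraper: {len(seen)} distinct pages")
    return dict(findings)

def sample():
    """Constructed log lines using documentation IP ranges, not the poster's data."""
    fmt = '{ip} - - [15/May/2013:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {c} 512 "-" "ua"'
    rows = [fmt.format(ip="203.0.113.7", s=i, m="POST", p="/wp-comments-post.php", c=302) for i in range(8)]
    rows += [fmt.format(ip="198.51.100.9", s=i, m="POST", p="/wp-login.php", c=200) for i in range(6)]
    rows += [fmt.format(ip="192.0.2.44", s=i, m="GET", p=f"/post-{i}/", c=200) for i in range(7)]
    rows += [fmt.format(ip="192.0.2.10", s=1, m="GET", p="/", c=200), "garbage line"]
    return rows

if __name__ == "__main__":
    for ip, notes in sorted(summarize(sample()).items()):
        print(ip, "->", "; ".join(notes))
```

Clients that show up here are candidates for rate limiting or a ban list; a single ordinary visitor, like the last sample client, is not reported.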
     
  6. ThinIce

    Yes, that level of submissions to WordPress might well have accounted for the load you saw; although it isn't many per minute, these things tend to have a cumulative effect on load when they've been running for a while.

    I've personally never had any problems with WP Super Cache, but your mileage may vary depending on the plugins you're using.
     
  7. nitallica

    nitallica Registered

    Joined:
    May 18, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    I have used both W3 Total Cache and WP Super Cache, and have fewer issues from the latter. Performance-wise, they are about equal from what I've seen. I had to switch to WPSC on a couple of my sites due to plugin conflicts with W3TC, and am thinking of just switching them all over to WPSC for the sake of consistency/simplicity.

    Good luck! And let us know if that helps you any.
     
  8. alex80ks

    alex80ks Member

    Joined:
    May 21, 2013
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    I use the Better WP Security plugin in combination with W3 Total Cache, and you can configure the Better WP Security plugin to ban repeated brute-force attackers and 404 "testers", and that should reduce server load a little bit. You can also manually add IP addresses of attackers to the ban list through the WP admin section. I hope that helps.
     