Server slow, hacker attack?

dean_l

Member
Aug 14, 2012
5
0
1
cPanel Access Level
Website Owner
Hi good people,

I am a noob who just started using a VPS and cPanel. I have a VPS with GoDaddy, CentOS 5, 8GB RAM, with around 10 websites and 40,000 visitors a month. All websites are WordPress and kept updated with minimum plugins.

Since yesterday my server has been very slow; the load is: 27.35 21.07 15.07
What I notice is a lot of processes like these:
nobody 0.3 /usr/local/apache/bin/httpd -k start -DSSL
nobody 0.1 /usr/local/apache/bin/httpd -k start -DSSL

Does this mean my server is hacked?
How can I fix it?
Please note that I am a noob and use WHM and root access to the server. I don't have a clue how to use the shell and would really like to solve my problems through the WHM panel.

Urgent help is appreciated. Thanks a lot!
Regards

dean

- - - Updated - - -

Process manager is showing a lot of:
15889 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15902 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15915 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15917 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15918 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15919 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15930 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15931 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15932 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15933 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15936 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15939 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
15940 (Trace) (Kill) nobody 0 0.0 0.0 /usr/local/apache/bin/httpd -k start -DSSL
....

I don't have a clue how to stop this and keep my server.
Any suggestions are welcome.
 

dean_l

Also a lot of:
22254 (Trace) (Kill) hotpotne 0 0.0 0.0 /opt/suphp/sbin/suphp
22255 (Trace) (Kill) hotpotne 0 0.0 0.0 /opt/suphp/sbin/suphp
22256 (Trace) (Kill) hotpotne 0 0.0 0.0 /opt/suphp/sbin/suphp
22257 (Trace) (Kill) hotpotne 0 0.0 0.0 /opt/suphp/sbin/suphp

hotpotne is the username for my main account/website.
But I don't have a clue what this process means. It's executed like 20 more times.
 

dean_l

As I don't use this server for any emails, I shut down all mail services in 'Mailserver Configuration'. I hope this will reduce the possibility that someone wants to use my server for some hacks. I don't send any email, nor do I have any user accounts, so I guess I don't need mail then. But this didn't sort out my issue with the server. What else can I do?
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
From what you've provided there isn't immediate evidence of anything sinister going on. The suphp processes are likely visits to your site being processed. It would be a good idea to check the access log for the site in question to check what is being accessed; for example, your WordPress admin area may be under a brute force login attack, or a content scraper may be hitting many pages on your site at once, resulting in high load.

If the investigation of logfiles shows nothing untoward, you might like to look into a caching plugin for WordPress if you don't already have one installed; properly configured, this will reduce the number of suphp processes running at any one time, as WordPress will be able to serve pages as static HTML from cache.
 

dean_l

ThinIce said: "If the investigation of logfiles shows nothing untoward, you might like to look into a caching plugin for WordPress if you don't already have one installed; properly configured, this will reduce the number of suphp processes running at any one time, as WordPress will be able to serve pages as static HTML from cache."

Thanks for the reply, ThinIce. On further looking into it, it looks like one website was under heavy pingback & comment attack, resulting in over 13,000 spam comments in 1 day. They were all held for moderation, but I guess this could cause heavy load. I disabled comments and pingbacks for the time being to see whether this will fix the issue.

Re cache - I am using the WP plugin W3 Total Cache, but this plugin doesn't work properly in the last update. Actually it broke one of my websites. I think it's time to find a better WP cache plugin.
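
The access-log check ThinIce suggests, applied to the comment and pingback flood found above, as an added example that is not part of the thread. It assumes Apache's combined log format and the standard WordPress endpoint names; `triage`, `WATCHED` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format: ip ident user [time] "METHOD url proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Standard WordPress endpoints; a burst of POSTs from one IP suggests the label.
WATCHED = {
    "wp-login.php": "login brute force",
    "wp-comments-post.php": "comment spam",
    "xmlrpc.php": "pingback/XML-RPC flood",
}

def triage(lines, threshold=3):
    """Group requests per category and IP; return only IPs at or above threshold."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        ip, method, url, status = m.groups()
        script = url.split("?", 1)[0].rsplit("/", 1)[-1]
        if method == "POST" and script in WATCHED:
            hits[WATCHED[script]][ip] += 1
        elif status == "404":
            hits["404 probing"][ip] += 1
        else:
            hits["page requests"][ip] += 1  # very high counts point to a scraper
    report = {}
    for category, per_ip in hits.items():
        noisy = [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]
        if noisy:
            report[category] = noisy
    return report

def _line(ip, method, url, status):
    # Constructed sample entry (documentation IP ranges, made-up timestamp).
    return (f'{ip} - - [01/Jan/2013:10:00:00 +0000] "{method} {url} HTTP/1.1" '
            f'{status} 512 "-" "constructed-agent"')

SAMPLE = (
    [_line("203.0.113.7", "POST", "/wp-comments-post.php", 302)] * 5
    + [_line("198.51.100.9", "POST", "/xmlrpc.php", 200)] * 4
    + [_line("192.0.2.15", "POST", "/blog/wp-login.php", 200)] * 3
    + [_line("192.0.2.44", "GET", "/index.php?p=12", 200)] * 2
    + ["not a log line"]
)

if __name__ == "__main__":
    for category, offenders in triage(SAMPLE).items():
        print(category, offenders)
```

On a real log, pass the open file object as `lines` and raise `threshold` well above normal visitor behaviour for the period the log covers.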
 

ThinIce

Yes, that level of submissions to WordPress might well have accounted for the load you saw; although it isn't many per minute, these things tend to have a cumulative effect on load when they've been running for a while.

I've personally never had any problems with WP Super Cache, but your mileage may vary depending on the plugins you're using.
 

nitallica

Member
May 18, 2013
5
8
53
cPanel Access Level
DataCenter Provider
I have used both W3 Total Cache and WP Super Cache, and have fewer issues from the latter. Performance-wise, they are about equal from what I've seen. I had to switch to WPSC on a couple of my sites due to plugin conflicts with W3TC, and am thinking of just switching them all over to WPSC for the sake of consistency/simplicity.

Good luck! And let us know if that helps you any.
 

alex80ks

Member
May 21, 2013
6
0
1
cPanel Access Level
Reseller Owner
I use the Better WP Security plugin in combination with W3 Total Cache. You can configure Better WP Security to ban repeated brute-force attackers and 404 "testers", and that should reduce server load a little bit. You can also manually add the IP addresses of attackers to the ban list through the WP admin section. I hope that helps.