The Community Forums


Server Slowdown

Discussion in 'Data Protection' started by LarryG, Nov 1, 2004.

  1. LarryG

    LarryG Member

    Joined:
    Oct 31, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    The server plugs up just about every day. I can still access it via the web interface and restart the server - this usually gets it running, so after a few minutes it acknowledges a mouse click. Then I delete over a thousand or two e-mail messages in the queue. I have it set to delete messages that have a full mailbox etc. rather than put them in the queue. Most messages in the queue are for other domains than on the server.

    Then I restart Exim and do a rebuild mail / fix DBs / boxes, and it usually is working fine at that point. Sometimes it will show the POP server down, but it is shown as up after some minutes. And the POP server is working in any case. If it's not up at that point, another server restart gets it going. Sometimes it will run for 3 or 5 days, but lately just one day. Hmmm. Most times I have to start Exim after the reboot, it seems.

    I have SpamAssassin on; Exim is set to verify the sending domain exists.

    Are there any other controls for SpamAssassin other than the ones I can find in the web interface? It's not even doing the job at this point...

    I have the latest Apache running. Is the trojan scanner reporting trojans just sitting in the /usr directories, or are they live? Is there active antivirus on the server?

    Trojan Scanner results below...

    Main >> Security >> Scan for Trojan Horses

    Appears Clean

    /dev/stderr

    Scanning for Trojan Horses.....

    Possible Trojan - /usr/bin/curl-config
    Possible Trojan - /usr/bin/podchecker
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/xsubpp
    Possible Trojan - /usr/bin/curl
    Possible Trojan - /usr/lib/libcurl.so.2.0.2
    Possible Trojan - /usr/bin/pear
    Possible Trojan - /usr/bin/ptar
    Possible Trojan - /usr/bin/dbiprof
    10 POSSIBLE Trojans Detected

    Thanks much for any advice about these troubles!

    LarryG
     
  2. Sinewy

    Sinewy Well-Known Member

    Joined:
    May 15, 2004
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney, Australia
    cPanel Access Level:
    DataCenter Provider
    Sounds like you have many abusive users.

    Look at CPU/Memory/MySQL Usage. is anything in red?

    Those "possible trojans" aren't actually trojans.

    2000 emails in the queue? It seems you have a spammer.
     
  3. LarryG

    LarryG Member

    Joined:
    Oct 31, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Very likely... Is there a way to access the mail log, or what is the best place to look to find the lowlife? A place to see mail activity by account, perhaps? Using mail delivery stats may have clues, but I am unable to get a suspect. Many errors to bad addresses.

    Server load at 300 when backed up. I'll check the MySQL stats next time it loads up...

    Thanks

    LarryG
     
  4. bijo

    bijo Well-Known Member

    Joined:
    Aug 21, 2004
    Messages:
    475
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Hi,
    There is a script posted by chirpy. It is very effective at blocking dictionary attacks.
    This is the location of the page.
    http://forums.cpanel.net/showthread.php?t=28024&page=2&pp=15&highlight=chirpy
    Maybe this script will help you to solve your problem.

    This command will give you the mail queue:
    exim -bpc

    Run these commands:
    cd /var/spool/exim/input
    rm -f 1*
    This will delete all the mail in the mail queue.

    This command will give you the current
    Exim main log:
    tail -f /var/log/exim_mainlog
    Maybe it will help you.
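    An added example, not part of bijo's post or of the thread: bijo's `rm -f 1*` empties the spool wholesale, and `exim -bpc` only tells you how deep the hole is. Before deleting anything, the question LarryG asked earlier (which account is the source?) can be answered from the same two things bijo points at, the queue listing (`exim -bp`) and exim_mainlog. The shell functions below do that. All hostnames, addresses and log lines in them are constructed sample data, and the reading of `U=nobody` as "a web script running as the Apache user" is an assumption about how PHP was set up on the box, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): find who is filling an Exim queue.
# Three summaries over data already present on a cPanel box:
#   exim -bp                 -> queue_by_sender, queue_by_recipient_domain
#   /var/log/exim_mainlog    -> log_local_senders
# Each function reads stdin, so it works on live output or saved copies.
# The samples below are constructed for the demo, not real spool data.

# `exim -bp` prints one header line per message,
#   <age> <size> <message-id> <sender>   (plus "*** frozen ***" if frozen)
# followed by indented recipient lines ("D" marks recipients already done)
# and a blank line. Bounces have the empty sender "<>".
queue_by_sender() {
    awk '
        # Header lines carry the angle-bracketed envelope sender in column 4.
        NF >= 4 && $4 ~ /^<.*>$/ { count[$4]++ }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Where the queued mail is trying to go: useful when the queue is full of
# bounces to domains the server does not even host.
queue_by_recipient_domain() {
    awk '
        # Recipient lines are indented and carry one address as the last
        # field; header lines are excluded by the column-4 sender test.
        /^ / && $NF ~ /@/ && !($4 ~ /^<.*>$/) {
            split($NF, parts, "@"); count[tolower(parts[2])]++
        }
        END { for (d in count) print count[d], d }
    ' | sort -rn
}

# Mail submitted locally (P=local) is logged with U=<unix user> on the "<="
# arrival line. Grouping by that user shows which account, or which web
# script running as the web server user (assumed here to be "nobody"),
# is generating the volume.
log_local_senders() {
    awk '
        $4 == "<=" && / P=local/ {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^U=/) count[substr($i, 3)]++
        }
        END { for (u in count) print count[u], u }
    ' | sort -rn
}

# Constructed `exim -bp` output.
QUEUE_SAMPLE=$(cat <<'EOF'
 25m  1.2K 1CPx0A-0001Ab-3Z <spammer@example.org>
          victim1@other.example

 24m  1.1K 1CPx0B-0001Ac-4A <spammer@example.org>
          victim2@other.example
        D victim3@third.example

 20m   870 1CPx0C-0001Ad-5B <> *** frozen ***
          bounce@nowhere.invalid

  5m  2.0K 1CPx0D-0001Ae-6C <spammer@example.org>
          victim4@other.example
EOF
)

# Constructed exim_mainlog arrival lines.
LOG_SAMPLE=$(cat <<'EOF'
2004-11-01 09:58:12 1CPx0A-0001Ab-3Z <= spammer@example.org U=nobody P=local S=1204
2004-11-01 09:58:13 1CPx0B-0001Ac-4A <= spammer@example.org U=nobody P=local S=1190
2004-11-01 09:59:40 1CPx0E-0001Af-7D <= alice@example.com H=(mail.example.com) [192.0.2.10] P=esmtp S=3021
2004-11-01 10:00:02 1CPx0F-0001Ag-8E <= bob@example.com U=bob P=local S=980
2004-11-01 10:00:05 1CPx0D-0001Ae-6C <= spammer@example.org U=nobody P=local S=2011
EOF
)

# Run the three summaries on the constructed samples. On a real box:
#   exim -bp | queue_by_sender
#   exim -bp | queue_by_recipient_domain
#   log_local_senders < /var/log/exim_mainlog
demo() {
    echo "== queue by sender";           printf '%s\n' "$QUEUE_SAMPLE" | queue_by_sender
    echo "== queue by recipient domain"; printf '%s\n' "$QUEUE_SAMPLE" | queue_by_recipient_domain
    echo "== local submissions by user"; printf '%s\n' "$LOG_SAMPLE" | log_local_senders
}

demo
```

    With a sender identified, remove just that sender's mail instead of the whole spool: `exiqgrep -i -f 'spammer@example.org' | xargs exim -Mrm` (exiqgrep ships with Exim 4). A queue of `<>` bounces addressed to domains you do not host means the server accepted mail it could not deliver and is now returning it to forged senders; `queue_by_recipient_domain` shows where those bounces are going, and `log_local_senders` shows whether the original messages entered through a local account or script.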
     
  5. bullwinkle

    bullwinkle Active Member

    Joined:
    Aug 20, 2003
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    el paso
    I don't know why Sinewy says those aren't trojans. I agree about pear not being one, though.

    You should re-install all those programs, either from cpanel or by downloading them. That won't stop your bad guy from re-installing them, but you can keep them out as much as possible. The last thing you want to do is to execute a trojan as root. Write a cron job to email you whenever one of those has come back.

    In the meantime, you have to figure out how they are getting in. I don't have a list of stuff memorized, but there certainly are posts about that.
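    An added example, not from bullwinkle's post or from the thread. Sinewy's point that the scanner's hits are not trojans and bullwinkle's "reinstall, then cron-check" advice can both be settled the same way: ask the package manager whether each flagged file still matches the package that installed it. This assumes an RPM-based distribution (the usual base for cPanel hosts of that time; `debsums -c` is the dpkg equivalent), and the `rpm -V` output used in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage WHM "Possible Trojan" hits
# against the package manager instead of trusting the scanner.
# Assumes an RPM-based distribution (RHEL/CentOS/Fedora); on dpkg systems
# `debsums -c` fills the same role. Sample output below is constructed.

# rpmv_flag: read `rpm -V` output on stdin and classify each line.
# rpm -V prints nothing for a file that matches its package. Otherwise:
#   <attr string> [c|d|g|l|r] <path>
# The attribute string is 8 chars on older rpm (SM5DLUGT) or 9 on newer
# (SM5DLUGTP); "." means that test passed. Only "S" (size) and "5" (MD5
# digest) mean the file contents differ, which is what matters for a
# suspected trojan. A lone "T" (mtime) or "M" (mode) is metadata drift.
rpmv_flag() {
    awk '
        $1 == "missing" { print "MISSING  " $NF; next }
        length($1) >= 8 && length($1) <= 9 && $1 ~ /^[SM5DLUGTP.]+$/ {
            if (index($1, "S") || index($1, "5")) print "CHANGED  " $NF
            else                                  print "METADATA " $NF
        }
    '
}

# verify_paths: for each path, say whether any package owns it and, if so,
# whether its contents still match the package. Prints only problems, so
# it is cron-friendly: cron mails the output only when there is any, which
# is the "email me when one comes back" job suggested above.
verify_paths() {
    for p in "$@"; do
        if ! rpm -qf "$p" >/dev/null 2>&1; then
            echo "UNOWNED  $p   (no package vouches for this file)"
            continue
        fi
        # -Vf verifies the whole owning package; keep only this path's lines.
        rpm -Vf "$p" 2>/dev/null | rpmv_flag | grep -F -- " $p"
    done
}

# Constructed sample of `rpm -V` output for the demo.
RPMV_SAMPLE=$(cat <<'EOF'
S.5....T.    /usr/bin/curl
.......T.    /usr/bin/pear
missing     /usr/bin/ptar
..5....T.  c /etc/php.ini
EOF
)

printf '%s\n' "$RPMV_SAMPLE" | rpmv_flag
# On a real box, run it against the scanner's own list, e.g.:
#   verify_paths /usr/bin/curl /usr/bin/podchecker /usr/bin/pstruct \
#       /usr/bin/splain /usr/bin/xsubpp /usr/lib/libcurl.so.2.0.2 \
#       /usr/bin/pear /usr/bin/ptar /usr/bin/dbiprof
```

    Reading the output: `CHANGED` means the bytes on disk differ from the package and deserves a real look (compare against a fresh copy of the package with `rpm -Vp <file.rpm>`); `METADATA` (mtime or mode only) is what an update or a `touch` leaves behind and is the usual source of scanner false positives; `UNOWNED` means nothing vouches for the file at all. Root-level malware can edit the RPM database as well, so a clean `rpm -V` is evidence, not proof, which is why a hash-based checker whose reference data is maintained outside the host (rkhunter, as Aric1 suggests later in the thread) is the stronger check.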
     
  6. LarryG

    LarryG Member

    Joined:
    Oct 31, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for all the answers! Many good ideas... I only have access through the web. Is there a way to get a command prompt - or send a command over the network?

    LarryG
     
  7. Sinewy

    Sinewy Well-Known Member

    Joined:
    May 15, 2004
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney, Australia
    cPanel Access Level:
    DataCenter Provider
    The trojan horse scanner isn't 100% accurate.

    He should also update his cPanel/WHM to the 9.9.8 stable or release editions to prevent those symlink bugs.
     
  8. LarryG

    LarryG Member

    Joined:
    Oct 31, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Do we know which trojan checker is used?

    Larry G
     
  9. LarryG

    LarryG Member

    Joined:
    Oct 31, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    The server load is over 200 currently. In CPU/memory/MySQL usage these are the only loads over a few points.

    Top Process %CPU 57.3 gzip
    Top Process %CPU 56.1 gzip
    Top Process %CPU 55.8 gzip

    Don't know if these are clues or not...

    LarryG
     
  10. LarryG

    LarryG Member

    Joined:
    Oct 31, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Nope - after a reboot, those numbers stay about the same with server load at 1...
     
  11. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    gzip: do you have any automated backups on? How about having it done manually for the interim period to see if that improves the situation.

    Server freezing?? Could be running out of memory, it seems, though not too sure.

    Do you have chkrootkit running as a cron process? I disabled that and run it manually on my box.
    If you have ClamAV connector with scan during FTP, then I think you would want to consider using Anand's version.

    Regarding the mail queue:
    Incorporate forged HELO/EHLO checks to tighten up on spam (50% of all blocked spam on my box has a forged HELO/EHLO... that's practical experience). This would also reduce the stress due to spamd being overused.

    Use Chirpy's dictionary attack ACLs.

    Block all incoming mail above a score of, say, 15 or so.

    If on SpamAssassin 3.x, remove all RBL checks if you have them in place, except for rfc-ignorant.org perhaps.


    How much of this would be effective would vary from server to server. Just a few shots in the dark.

    Anup
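    An added example, not part of anup123's post or of the thread, to go with the forged HELO/EHLO suggestion: before enabling a reject rule, run the same test read-only against your own exim_mainlog to see how much mail it would have caught and whether anything legitimate is in the net. The three checks (a HELO that claims this server's own hostname or IP, a bare IP where RFC 2821 requires a bracketed address literal, an unqualified single-word name) are the ones such ACLs commonly test; the log lines, hostnames and addresses below are constructed, and this server's own name and IP are passed in as parameters.

```shell
#!/bin/sh
# Added example (not from the thread): measure forged HELO/EHLO before you
# start rejecting on it. Reads exim_mainlog "<=" lines on stdin and reports
# hosts whose HELO claimed this server's own name or IP, sent a bare IP
# instead of an RFC 2821 address literal, or sent an unqualified name.
# Log lines, hostnames and addresses below are constructed for the demo.

# helo_audit <own-hostname> <own-ip>
# Prints "<reason> <helo> <peer-ip>" for every suspicious arrival.
helo_audit() {
    awk -v me_host="$1" -v me_ip="$2" '
        $4 == "<=" {
            # The H= item spans several fields. Forms seen in exim_mainlog:
            #   H=rdns.name (helo.name) [ip]   reverse DNS plus a different HELO
            #   H=(helo.name) [ip]             no reverse DNS
            #   H=rdns.name [ip]               HELO matched the reverse DNS name
            # Locally submitted mail (P=local) has no H= item and is skipped.
            for (i = 5; i <= NF; i++) if ($i ~ /^H=/) break
            if (i > NF) next
            h = substr($i, 3)
            while (h !~ /\]$/ && i < NF) { i++; h = h " " $i }

            # Peer IP is the bracketed literal at the end of the item.
            ip = h; sub(/^.*\[/, "", ip); sub(/\]$/, "", ip)
            # HELO name is the parenthesised part if present, else the
            # first word (in which case it equalled the reverse DNS name).
            if (h ~ /\(/) { helo = h; sub(/^[^(]*\(/, "", helo); sub(/\).*$/, "", helo) }
            else          { helo = h; sub(/ .*$/, "", helo) }

            reason = ""
            if (tolower(helo) == tolower(me_host) || helo == me_ip || helo == "[" me_ip "]")
                reason = "claims-our-identity"
            # A dotted quad without brackets; the legitimate form is [a.b.c.d].
            else if (helo ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                reason = "bare-ip-literal"
            # No dot and not an address literal: a single-word name.
            else if (helo !~ /\./ && helo !~ /^\[/)
                reason = "unqualified"
            if (reason != "") print reason, helo, ip
        }
    '
}

# helo_summary: counts per reason, to size the rule before enabling it.
helo_summary() {
    helo_audit "$@" | awk '{ c[$1]++ } END { for (r in c) print c[r], r }' | sort -rn
}

# Constructed exim_mainlog arrival lines. This server is taken to be
# mail.example.com at 192.0.2.1.
LOG_SAMPLE=$(cat <<'EOF'
2004-11-01 09:58:12 1CPx0A-0001Ab-3Z <= spammer@example.org H=(mail.example.com) [203.0.113.5] P=esmtp S=2345
2004-11-01 09:58:40 1CPx0B-0001Ac-4A <= x@example.org H=([192.0.2.1]) [203.0.113.6] P=esmtp S=1000
2004-11-01 09:59:02 1CPx0C-0001Ad-5B <= a@example.net H=(203.0.113.7) [203.0.113.7] P=smtp S=900
2004-11-01 09:59:30 1CPx0D-0001Ae-6C <= c@example.net H=(winxp) [203.0.113.8] P=smtp S=800
2004-11-01 09:59:40 1CPx0E-0001Af-7D <= alice@partner.example H=mx1.partner.example [198.51.100.20] P=esmtp S=4000
2004-11-01 10:00:02 1CPx0F-0001Ag-8E <= bob@partner.example H=mx2.partner.example (outbound.partner.example) [198.51.100.21] P=esmtp S=4100
2004-11-01 10:00:05 1CPx0G-0001Ah-9F <= bob@example.com U=bob P=local S=980
EOF
)

printf '%s\n' "$LOG_SAMPLE" | helo_audit mail.example.com 192.0.2.1
printf '%s\n' "$LOG_SAMPLE" | helo_summary mail.example.com 192.0.2.1
# Real use: helo_summary "$(hostname -f)" <main-ip> < /var/log/exim_mainlog
```

    Run `helo_summary` over a few days of logs first. A large `claims-our-identity` count is safe to reject on, since no legitimate remote host announces itself under your name or IP. `unqualified` needs more care, because some misconfigured but real MTAs do send a bare word; whitelist those peers, or have that condition add to the spam score rather than deny outright.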
     
  12. LarryG

    LarryG Member

    Joined:
    Oct 31, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Thanks, I'll try those ideas out and let you know..

    I just updated to cPanel 9.9.8 - now I get a warning about my DNS setup being wrong... so I 'click here' to change the nameservers from the stated 127.0.0.1 and click continue, and I get a place to enter name servers; there is a valid one listed as primary and no secondary. When I put it in and click next, it fails and says I entered no IP and to go back and do it again. I can not get any other response no matter what combination I try... strange. I only have one server, so how does clustering work for that?

    LarryG
     
  13. LarryG

    LarryG Member

    Joined:
    Oct 31, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Update... after running the new version of cPanel, it has been running for 3 days with no hangup, and we seem to be getting all the spam we missed before ;-)...

    I changed the backup config to just do changes instead of the whole thing.

    and so on we go...

    Thanks for the help! I have the anti-spam suggestions to try yet. I'll post when I get it figured out and have some results.

    LarryG
     
  14. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    Which version of cPanel do you use?
     
  15. LarryG

    LarryG Member

    Joined:
    Oct 31, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    WHM 9.9.8 cPanel 9.9.8-C66

    I found the backup hard drive space full also... now I can not seem to get FTP access to delete the old data... it keeps rejecting the auth, even though I just created the account and did not forget the user/password that quickly...

    Hmmmmm...

    LarryG
     
  16. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    Where do you configure SpamAssassin, and what version are you currently running?

    Thank you.
     
  17. Aric1

    Aric1 Well-Known Member

    Joined:
    Oct 15, 2003
    Messages:
    324
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    The "trojan" scan in WHM is worthless. It generates so many false positives that you simply can't rely on it for anything.

    If you really need an automated way to check for rootkits and other evidence of your server being compromised, try Rootkit Hunter. http://rootkit.nl/ -- At least that gets updated regularly, and so false positives are minimal, so long as you make sure to use the latest version and run rkhunter --update before each scan.

    Keep in mind that as with any such solution, just because a "problem" is detected, that doesn't mean there really IS a problem. It serves as a starting point for an investigation. It's important to try to keep up with the latest security developments so you know what to look for.
     