Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Server unreachable

Discussion in 'General Discussion' started by Musthafa, Dec 19, 2016.

  1. Musthafa

    Musthafa Member

    Joined:
    Dec 14, 2016
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Dubai
    cPanel Access Level:
    Root Administrator
    I was not able to access my server via ssh nor whm but it just pings. I had to contact the service provider and needed a physical reboot. Now I am not able to find the reason. When I checked the top processes on the day in whm there are these three processes consumed more cpu.

    dovecot/imap
    /usr/bin/php /home/amerqavi/public_html/wp-admin/admin-ajax.php
    /usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/bin/rebuild_sprites -cponly -quiet

    I checked almost all logs, couldn't find anything suspicious. What might be the reason. I have nagios monitoring enabled on the server. it didnt provided any warning other than normal
     
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    561
    Likes Received:
    40
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Twitter:
    May I know what error message you were getting while access SSH and WHM ?
    Also, Have you enabled cphulk brute force on your server ? If yes then might be there was cphulk brute force attack on your server.
     
  3. Musthafa

    Musthafa Member

    Joined:
    Dec 14, 2016
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Dubai
    cPanel Access Level:
    Root Administrator
    I did not get any error message. It tried to load but failed after some time. Yes I have enabled the cphulk bruteforce on the server. How can I confirm if its a bruteforce attack. I think cphulk is to protect from bruteforce??
     
  4. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    561
    Likes Received:
    40
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,
    Try to grep cphulk logs in /var/log/messages file. Use below command.
    Code:
    cat /var/log/messages | grep cphulk
    
     
  5. Musthafa

    Musthafa Member

    Joined:
    Dec 14, 2016
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Dubai
    cPanel Access Level:
    Root Administrator
    Hi,

    It happened again just few minutes back and I had to reboot it again.
    There is no logs related to cphulk. The above command returns nothing. When I checked the top processes that ran today I found this, This came from nowhere. I killed all the processes from dovenull user today morning and restarted dovecot, but it came again.

    11955 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login
    11956 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login
    11957 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login
    11958 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login
    11959 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login
    11960 (config) /usr/libexec/dovecot/config /var/run/dovecot dovecot/config
    11961 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login
    11962 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login
    11963 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login
    11964 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login
    11965 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login
    11966 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login
    11967 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login
    11968 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login
    11969 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login
    11970 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login
    11971 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login
     
  6. Musthafa

    Musthafa Member

    Joined:
    Dec 14, 2016
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Dubai
    cPanel Access Level:
    Root Administrator
    Hi,
    I got this error log in cphulkd_error.log


    [2016-12-19 06:08:53 -0500] info [cphulkd] 5315 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe
    [2016-12-19 06:08:53 -0500] info [cphulkd] 5316 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe
    [2016-12-19 06:08:54 -0500] info [cphulkd] 5384 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe
    [2016-12-19 06:08:54 -0500] info [cphulkd] 5385 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe
    [2016-12-19 06:09:13 -0500] info [cphulkd] 5317 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe
    [2016-12-19 06:09:13 -0500] info [cphulkd] 5386 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe
    [2016-12-19 06:09:13 -0500] info [cphulkd] 5387 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe
    [2016-12-19 06:09:18 -0500] info [cphulkd] 5435 The system encountered an error while processing a request: (XID 2vpw85) Broken pipe
    [2016-12-19 06:09:19 -0500] info [cphulkd] 5464 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,419
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Do you notice any output to /var/log/messages or /var/log/dmesg just before the time at which the system stopped responding?

    Thank you.
     
  8. Musthafa

    Musthafa Member

    Joined:
    Dec 14, 2016
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Dubai
    cPanel Access Level:
    Root Administrator
    Hi,

    Sorry for the late reply.
    Nothing unsual, But when I checked the accesslog of webserver, i found too much hits from a particular ip, seems to be a seo bot and its ip found in the blacklists. I blocked the ip. When I checked further, i found this 'bing.com/bingbot.htm' also hitting on the server frequently. Should I block all those ips?
     
  9. Musthafa

    Musthafa Member

    Joined:
    Dec 14, 2016
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Dubai
    cPanel Access Level:
    Root Administrator
    And also I have this large number of /dovecot/pop3-login process from user 'dovenull' running in my server even after killing them all

    27369 (Trace) (Kill) dovenull 0 0.00 0.08 dovecot/imap-login
    27370 (Trace) (Kill) dovenull 0 0.00 0.08 dovecot/imap-login
    27371 (Trace) (Kill) dovenull 0 0.00 0.08 dovecot/pop3-login
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,419
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Musthafa,

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome.

    Thank you.
     
Loading...

Share This Page