syslogd running on a rampage need help please

Discussion in 'General Discussion' started by gighost, Nov 23, 2006.

  1. gighost

    gighost Member

    I noticed that syslogd is running multiple instances on the server. I want to know: is there something I can do to slow it down? It is using a lot of the system resources.

    nobody 8484 52.8 0.1 6184 3556 ? R 05:12 36:00 [syslogd]
    nobody 9386 50.2 0.1 6300 3560 ? R 05:18 31:20 [syslogd]
    nobody 9552 50.5 0.1 6396 3560 ? R 05:18 31:11 [syslogd]
    nobody 10023 47.1 0.1 6924 3560 ? R 05:21 27:57 [syslogd]
    nobody 10141 45.1 0.1 6136 3560 ? R 05:22 26:00 [syslogd]
    nobody 10834 44.2 0.1 6716 3560 ? R 05:27 23:28 [syslogd]
    nobody 11796 42.7 0.1 5388 3560 ? R 05:35 19:09 [syslogd]
    nobody 11856 41.3 0.1 7028 3560 ? R 05:36 18:04 [syslogd]
    nobody 12877 1.6 0.1 7204 3568 ? S 05:44 0:36 [syslogd]
    nobody 14047 1.5 0.1 5884 3548 ? S 05:52 0:25 [syslogd]

    Any ideas would certainly help.

    Thanks in advance
     
  2. oderland

    oderland Well-Known Member
    We have the same issue. I think it is an IRC bot masked as a syslogd process. It is running as nobody and is using perl.

    lsof could not point out where this one is started from either. Anyone have a clue?
     
  3. Danny_T

    Danny_T Well-Known Member

    It's new indeed, there must be a new exploit in some kind of PHP application or so...
    It is doing (DDoS) attacks.
    Watch your outgoing traffic while it's running...
    Several times it attacked here at an outgoing rate of almost 45Mbit/s.
    Still figuring out where it comes from, because it is coming back after I deleted it.
    Even with the tmp's mounted as noexec.

    Danny.
     
  4. Danny_T

    Danny_T Well-Known Member

    Still I can't figure out why or what.

    Just 30 mins ago it happened again with hundreds of these processes.
    They were DDoS attacking this IP:

    206.127.66.113
    113.66.127.206.in-addr.arpa domain name pointer sfpinc.static.MT.net.
    OrgName: Montana Internet Cooperative Association
    OrgID: MIC
    Address: 314 North Last Chance Gulch
    City: Helena
    StateProv: MT
    PostalCode: 59601
    Country: US
    NetRange: 206.127.64.0 - 206.127.127.255

    I blocked this IP in the firewall for outgoing traffic.
    But I guess next time (tomorrow I guess) it will be another IP.

    This is a major problem as I can't find any odd things, or I do overlook things.
    I know they are perl processes.

    Danny.
     
  5. madan.cpanelnet

    madan.cpanelnet Well-Known Member

  6. Morgana

    Morgana Active Member

    I have the same problem with a server. There are perl scripts running that are causing high server load and outgoing traffic. I thought maybe it was a phpBB exploit and updated the scripts to the newest version, but even if I remove all the processes it comes back.
     
  7. ramprage

    ramprage Well-Known Member

    Grab yourself a copy of Nobody check, secure system binaries, make tmp and /dev/shm noexec,nosuid and also have a good mod_security ruleset.
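
Added example, not part of any forum post: a check for the situation described in this thread, where a process is listed as `[syslogd]` but is really perl running as nobody. It compares the name each process displays with the binary behind `/proc/<pid>/exe`; the function names and the interpreter list are assumptions, and reading other users' `exe` links requires root.

```python
#!/usr/bin/env python3
"""Flag interpreter processes whose displayed name hides the real binary."""
import os
import sys

# Assumed list of interpreters worth flagging when shown under another name.
INTERPRETERS = ("perl", "python", "php")


def read_uid(pid_dir):
    """Return the real UID from <pid_dir>/status, or None if unreadable."""
    try:
        with open(os.path.join(pid_dir, "status")) as fh:
            for line in fh:
                if line.startswith("Uid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        pass
    return None


def find_masquerading(proc_root="/proc"):
    """Return (pid, uid, shown_name, real_exe) for every interpreter
    process whose argv[0] claims to be some other program."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # kernel thread, exited process, or no permission
        real = os.path.basename(exe.replace(" (deleted)", ""))
        shown = os.path.basename(argv0.strip("[]-"))
        family = real.rstrip("0123456789.")  # perl5.8.8 -> perl
        if real.startswith(INTERPRETERS) and shown and not shown.startswith(family):
            hits.append((int(entry), read_uid(pid_dir), argv0, exe))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for pid, uid, shown, exe in find_masquerading(root):
        print(f"pid={pid} uid={uid} shows as {shown!r} but runs {exe}")
```

Programs that legitimately rewrite their process title will also be listed, so treat the output as candidates for review; for each hit, `/proc/<pid>/cwd` and the owning UID help narrow down which account or web application started it.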
     