syslogd running on a rampage need help please

Discussion in 'General Discussion' started by gighost, Nov 23, 2006.

  1. gighost

    I noticed that syslogd is running multiple instances on the server. I want to know: is there something I can do to slow it down? It is using a lot of the system resources.

    nobody 8484 52.8 0.1 6184 3556 ? R 05:12 36:00 [syslogd]
    nobody 9386 50.2 0.1 6300 3560 ? R 05:18 31:20 [syslogd]
    nobody 9552 50.5 0.1 6396 3560 ? R 05:18 31:11 [syslogd]
    nobody 10023 47.1 0.1 6924 3560 ? R 05:21 27:57 [syslogd]
    nobody 10141 45.1 0.1 6136 3560 ? R 05:22 26:00 [syslogd]
    nobody 10834 44.2 0.1 6716 3560 ? R 05:27 23:28 [syslogd]
    nobody 11796 42.7 0.1 5388 3560 ? R 05:35 19:09 [syslogd]
    nobody 11856 41.3 0.1 7028 3560 ? R 05:36 18:04 [syslogd]
    nobody 12877 1.6 0.1 7204 3568 ? S 05:44 0:36 [syslogd]
    nobody 14047 1.5 0.1 5884 3548 ? S 05:52 0:25 [syslogd]

    Any ideas would certainly help.

    Thanks in advance
     
  2. oderland

    We have the same issue. I think it is an IRC bot masked as a syslogd process. It is running as nobody and is using perl.

    lsof could not point out where this one is started from either. Anyone have a clue?
     
  3. Danny_T

    It's new indeed, there must be a new exploit in some kind of PHP application or so...
    It is doing (DDoS) attacks.
    Watch your outgoing traffic while it's running...
    Several times it attacked here at an outgoing rate of almost 45Mbit/s.
    Still figuring out where it comes from, because it is coming back after I deleted it.
    Even with the tmps mounted as noexec.

    Danny.
     
  4. Danny_T

    Still I can't figure out why or what.

    Just 30 mins ago it happened again with hundreds of these processes.
    They were DDoS attacking this IP:

    206.127.66.113
    113.66.127.206.in-addr.arpa domain name pointer sfpinc.static.MT.net.
    OrgName: Montana Internet Cooperative Association
    OrgID: MIC
    Address: 314 North Last Chance Gulch
    City: Helena
    StateProv: MT
    PostalCode: 59601
    Country: US
    NetRange: 206.127.64.0 - 206.127.127.255

    I blocked this IP in the firewall for outgoing traffic.
    But I guess next time (tomorrow, I guess) it will be another IP.

    This is a major problem as I can't find any odd things, or I do overlook things.
    I know they are perl processes.

    Danny.
     
  5. madan.cpanelnet

  6. Morgana

    I have the same problem with a server. There are perl scripts running that are causing high server load and outgoing traffic. I thought maybe it was a phpBB exploit and updated the scripts to the newest version, but even if I remove all the processes it comes back.
     
  7. ramprage

    Grab yourself a copy of Nobody check, secure system binaries, make tmp and /dev/shm noexec,nosuid and also have a good mod_security ruleset.
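
Added example, not part of the original thread and not the code of any tool named in it: the posts describe perl processes owned by nobody that appear in ps as [syslogd]. The Python below compares the name each process shows (argv[0], which a script can overwrite) with the binary its /proc exe link points to, and reports mismatches. The function names, the constructed sample /proc tree and uid 99 for nobody are assumptions; on a live host, call scan() as root so every exe link is readable.

```python
import os
import tempfile

def claimed_name(cmdline: bytes) -> str:
    """Name that ps shows: argv[0], which the process itself may overwrite."""
    argv0 = cmdline.split(b"\0")[0].decode(errors="replace")
    return os.path.basename(argv0.split(" ")[0].strip("[]-:"))

def scan(proc_root="/proc"):
    """Return (pid, uid, shown_name, exe) where the ps name and the binary disagree."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                shown = claimed_name(f.read())
            with open(os.path.join(base, "status")) as f:
                uid = next(int(line.split()[1]) for line in f if line.startswith("Uid:"))
        except (OSError, StopIteration):
            continue  # kernel thread, exited process, or scanner lacks root
        real = os.path.basename(exe.replace(" (deleted)", ""))
        # Prefix match tolerates perl -> perl5.8.8 and "sshd: user" style titles.
        if shown and not (real.startswith(shown) or shown.startswith(real)):
            findings.append((int(pid), uid, shown, exe))
    return sorted(findings)

def build_sample(root):
    """Constructed /proc look-alike for offline runs; every value is made up."""
    sample = {
        "4242": ("/usr/bin/perl", b"[syslogd]\0", 99),          # perl posing as syslogd
        "612": ("/sbin/syslogd", b"/sbin/syslogd\0-r\0", 0),    # genuine daemon
        "2210": ("/usr/sbin/sshd", b"sshd: admin@pts/0\0", 0),  # benign title rewrite
        "3001": ("/usr/bin/perl5.8.8", b"/usr/bin/perl\0/opt/app/report.pl\0", 500),
    }
    for pid, (exe, cmdline, uid) in sample.items():
        base = os.path.join(root, pid)
        os.makedirs(base)
        os.symlink(exe, os.path.join(base, "exe"))
        with open(os.path.join(base, "cmdline"), "wb") as f:
            f.write(cmdline)
        with open(os.path.join(base, "status"), "w") as f:
            f.write(f"Name:\tsample\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in scan(build_sample(tmp)):
            print("MISMATCH pid=%d uid=%d shows=%s runs=%s" % hit)
```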
     