The Community Forums


Urgent Pure-FTPD virus or bug/hack ?

Discussion in 'General Discussion' started by claudio, Oct 30, 2007.

  1. claudio

    claudio Well-Known Member

    Joined:
    Jul 31, 2004
    Messages:
    201
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    Dear friends,

    I have a cPanel 11 server with Perl 5.8.8, and I realise that since a couple of weeks ago the server has been losing its connection. I mean it still responds to ping, but Apache, cPanel, and all other services seem to be frozen.

    The server had very low CPU and memory usage at the time this freeze happened, so it was not overloaded or anything.

    Today I was looking at my email and everything was fine; then out of nowhere it froze.

    Looking at the messages and other log files I found this:

    Oct 30 04:39:32 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=201.6.17.169 D$
    Oct 30 04:39:44 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=201.6.17.169 D$
    Oct 30 04:39:47 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=201.6.17.169 D$
    Oct 30 04:39:53 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=201.6.17.169 D$
    Oct 30 04:41:50 main named[1697]: lame server resolving '161.169.42.59.broad.gz.gd.dynamic.163data.com.cn' (in '163data.com.$
    Oct 30 04:45:08 main named[1697]: lame server resolving 'brennschneiden.de' (in 'brennschneiden.de'?): 212.21.161.64#53
    Oct 30 04:45:08 main named[1697]: lame server resolving 'brennschneiden.de' (in 'brennschneiden.de'?): 212.91.231.34#53


    Oct 30 04:45:12 main pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Oct 30 04:45:12 main pure-ftpd: (?@127.0.0.1) [INFO] Logout.

    Then I rebooted the server and it came back online.

    I realise that in more than one of these freeze events the two last lines from pure-ftpd were the last lines in /var/logs/messages.

    So I am suspecting it is related to something strange with pure-ftpd?

    Please help with your opinions.

    Regards,
    Claudio
     
  2. claudio

    It seems that this instance in the messages log is normal:

    Oct 30 04:45:12 main pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Oct 30 04:45:12 main pure-ftpd: (?@127.0.0.1) [INFO] Logout.

    as it happened other times too, before an idle period followed by another connection. Does anyone know about this?

    But this event occurred two times just before the server froze...

    Please, does anyone have some idea? This shouldn't be something that has never happened before...
     
  3. claudio

    Could this frozen CPU issue be the kernel's fault?
     
  4. rpmws

    That's most likely chkservd :)
     
  5. claudio

    Sure, thanks, this helps a lot.

    But this freeze issue, I mean the server sometimes stops working: do you think it is something like a kernel problem, or some SMTP virus signature?

    I tested with and without ClamAV and it happened in both cases...
     
  6. teknowebworks

    It has to be some sort of bug. I had the same problem this morning; the system went completely frozen.

    Nov 2 03:17:31 cpanel01 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Nov 2 03:17:31 cpanel01 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Nov 2 03:21:05 cpanel01 kernel: NETDEV WATCHDOG: eth0: transmit timed out
    Nov 2 03:21:05 cpanel01 kernel: tg3: eth0: transmit timed out, resetting
    Nov 2 03:21:05 cpanel01 kernel: tg3: tg3_stop_block timed out, ofs=4c00 enable_bit=2
    Nov 2 03:21:05 cpanel01 kernel: tg3: eth0: Link is down.
    Nov 2 03:21:07 cpanel01 kernel: tg3: eth0: Link is up at 10 Mbps, full duplex.
    Nov 2 03:21:07 cpanel01 kernel: tg3: eth0: Flow control is off for TX and off for RX.
    Nov 2 03:25:56 cpanel01 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Nov 2 03:25:56 cpanel01 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
     
  7. claudio

    Hi,

    It happened again today. In my log I found this:

    Oct 26 00:02:17 main pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Oct 26 00:02:17 main pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Oct 26 00:02:17 main named[1698]: lame server resolving '105.40.34.189.in-addr.arpa' (in '40.34.189.in-addr.arpa'?): 201.6.0$
    Oct 26 00:02:18 main named[1698]: lame server resolving '105.40.34.189.in-addr.arpa' (in '40.34.189.in-addr.arpa'?): 201.6.0$
    Oct 26 00:02:20 main named[1698]: lame server resolving '105.40.34.189.in-addr.arpa' (in '40.34.189.in-addr.arpa'?): 201.6.0$
    Oct 26 00:02:20 main named[1698]: lame server resolving '105.40.34.189.in-addr.arpa' (in '40.34.189.in-addr.arpa'?): 201.6.0$
    Oct 26 00:02:25 main named[1698]: lame server resolving '105.40.34.189.in-addr.arpa' (in '40.34.189.in-addr.arpa'?): 201.6.0$
    Oct 26 00:02:25 main named[1698]: lame server resolving '105.40.34.189.in-addr.arpa' (in '40.34.189.in-addr.arpa'?): 201.6.0$
    Oct 26 00:02:25 main named[1698]: lame server resolving '105.40.34.189.in-addr.arpa' (in '40.34.189.in-addr.arpa'?): 201.6.0$

    Or this:

    Oct 30 04:39:32 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=201.6.17.169 D$
    Oct 30 04:39:44 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=201.6.17.169 D$
    Oct 30 04:39:47 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=201.6.17.169 D$
    Oct 30 04:39:53 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=201.6.17.169 D$
    Oct 30 04:41:50 main named[1697]: lame server resolving '161.169.42.59.broad.gz.gd.dynamic.163data.com.cn' (in '163data.com.$
    Oct 30 04:45:08 main named[1697]: lame server resolving 'brennschneiden.de' (in 'brennschneiden.de'?): 212.21.161.64#53
    Oct 30 04:45:08 main named[1697]: lame server resolving 'brennschneiden.de' (in 'brennschneiden.de'?): 212.91.231.34#53


    Oct 30 04:45:12 main pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Oct 30 04:45:12 main pure-ftpd: (?@127.0.0.1) [INFO] Logout.

    Or today this:

    Nov 4 01:13:35 main pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Nov 4 01:13:35 main pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Nov 4 01:16:39 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=72.198.37.108 $
    Nov 4 01:16:45 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=72.198.37.108 $
    Nov 4 01:16:45 main kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=72.198.37.108 $
    Nov 4 01:17:54 main kernel: ** SSH ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=211.157.109.37 DST=72.$
    Nov 4 01:17:54 main kernel: ** SSH ** IN=eth0 OUT= MAC=00:03:47:e3:47:e8:00:0d:bc:1a:73:7f:08:00 SRC=211.157.109.37 DST=72.$

    Then the server froze again.

    Also, I remember I had a server that usually lost its full duplex connection; then the server got slow on the upstream link, and I used to run /sbin/mii-tool with some extra parameters to correct this issue. Then after a couple of times the DataCenter solved the issue in their routers, I guess, and I never used mii-tool again...

    I will ask them to see if this has something to do with this issue too.

    Any clues?
     
    #7 claudio, Nov 4, 2007
    Last edited: Nov 4, 2007
  8. rpmws

    When you say it freezes, do you have to reboot to get it back? Or does it come back on its own?
     
  9. teknowebworks

    My server became unpingable and crashed. Had to get a reboot ticket against it.
     
  10. claudio

    I have to reboot from the reboot console in the DataCenter's control panel, and it came back normal. It doesn't come back on its own when it freezes; it needs a reboot.

    Today a Level 2 tech checked the server and said he had discovered nothing...

    Well, it is hard to determine the cause. If it happens again I will move some customers, and ask the datacenter to switch the DDR RAM or to check the rack and network.

    Nothing suspicious on the server at all: low traffic; Perl, kernel, cPanel, everything upgraded, etc.

    Dude, thanks for your help, I really appreciate your words, and if someone else has some idea of what might be going on please tell us.

    Claudio
     
  11. sarhosting

    Run a memory check, check for bad sectors on the hard drive, and ask your DC to check your CPU temperature. What's the load like when the server dies?
     
  12. claudio

    I don't know how I can check the temperature through SSH? And memory?

    I know I can use checkdisk to verify the HD...

    Well, surely I will ask about all of this, especially if the issue happens again, as it has been until now.

    Thanks,
    Claudio
     
  13. rpmws

    See if you can get a console or KVM screen running and check the screen after this happens again.

    Also, I have read and heard of a few cases of drives spinning down... but not being able to ping the machine at all is odd. Normally even a crashing server that won't respond to anything else will at least ping.
     
  14. budway

    This looks like a DoS problem.

    Most likely from attacks (check/update your mod_security setup/config) (i.e. WEB "EX").

    If you are having security problems I suggest hiring a management team (at least till you can learn).
     
    #14 budway, Nov 4, 2007
    Last edited: Nov 4, 2007
  15. claudio

    Hi,

    In fact when the server froze it was able to ping domains and IPs from that server.

    Just Apache, cPanel, SSH, everything looks frozen, but in fact it still pings...

    Do you think this is drives spinning down?
     
  16. claudio

    Hi, I also suspect something like an attack, but our MRTG shows very low traffic, and I grepped all logs and nothing was beyond normal levels... inbound and outgoing traffic around less than 200 kbits, almost nothing...
     
  17. budway

    MRTG will not show all DoS attacks; a DoS attack can be from the machine to the machine, just to cause problems.

    I would check your logs for attacks performed.

    Good luck.
     
  18. ramprage

    Also check the number of connections per IP connecting to the FTP service.
    It's possible they might be trying to brute force some FTP accounts.
     
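    One way to act on this suggestion (an added example, not from this thread or from cPanel): a Python script that tallies pure-ftpd connections and failed logins per source IP from syslog lines, while recognising the local connect/logout pairs quoted above as monitor probes rather than FTP traffic. The sample log and the 198.51.100.7 address are constructed, and the `Authentication failed for user [...]` wording is assumed to match pure-ftpd's log message.

```python
import re
from collections import Counter

# Constructed sample (not from the page), in the syslog layout the thread quotes: two local
# connect/logout pairs like the thread's, then three failed logins from one outside address.
SAMPLE_LOG = """\
Nov  4 01:13:35 main pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Nov  4 01:13:35 main pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Nov  4 01:14:02 main pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Nov  4 01:14:03 main pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Nov  4 01:14:05 main pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Nov  4 01:14:06 main pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [test]
Nov  4 01:14:08 main pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Nov  4 01:14:09 main pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [ftp]
Nov  4 01:20:35 main pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Nov  4 01:20:35 main pure-ftpd: (?@127.0.0.1) [INFO] Logout.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pure-ftpd: "
    r"\((?P<user>[^@]*)@(?P<ip>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)

def parse(line):
    """Fields of one pure-ftpd syslog line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines, max_conn_per_ip=5, max_failures=3):
    """Connections and failed logins per source IP, plus the sources worth a look.
    A 127.0.0.1 connect followed directly by its logout is counted as a local monitor
    probe (the thread attributes these to chkservd) rather than as FTP traffic."""
    conns, failures, probes = Counter(), Counter(), 0
    pending_local = False  # a local connect was seen, waiting for a bare logout
    for ev in filter(None, map(parse, lines)):
        ip, msg = ev["ip"], ev["msg"]
        if msg.startswith("New connection from"):
            conns[ip] += 1
            pending_local = ip == "127.0.0.1"
            continue
        if msg.startswith("Authentication failed"):
            failures[ip] += 1
        if ip == "127.0.0.1":  # any other local event (login, logout) closes the pair
            if pending_local and msg.startswith("Logout"):
                probes += 1
            pending_local = False
    flagged = sorted(ip for ip, n in conns.items() if ip != "127.0.0.1"
                     and (n > max_conn_per_ip or failures[ip] >= max_failures))
    return {"connections": dict(conns), "failed_logins": dict(failures),
            "local_probes": probes, "flagged": flagged}
```

    Run it over the real file with `summarize(open("/var/log/messages").readlines())`; non-pure-ftpd lines are skipped.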
  19. claudio

    Hi,

    I discovered something that may be the cause of the issue, or an indication of it.

    It happened last Friday and today also.

    My DC checked RAM, server fans, hard disk, rack, routers and found nothing.

    There is no evidence of an attack such as other users from this board had on their FTP servers.

    But today I realised that all services stop logging, for instance:

    cron.log
    exim_mainlog
    messages
    error_log

    All of the above are stopped during the lock-up event,

    but CHKSERVD.LOG keeps logging during the system lock-up.

    In my opinion it indicates that

    either the server lost its connection to the internet, and chkservd as an independent service continues logging because it doesn't need input from the internet to write the log, as exim_mainlog does (but in this case shouldn't cron.log continue logging, as it is also independent from external inputs?),

    or it shows that the server had a memory leak due to chkservd?

    I disabled chkservd for a while to see if it helps.

    Well, I think that we will finally discover this issue.

    Thanks,
    Claudio
     