The Community Forums


what is this ATTACK TYPE?

Discussion in 'Security' started by Bahram0110, Jan 16, 2011.

Poll: what is this attack type?

  1. DOS: 0 vote(s) (0.0%)
  2. DDOS: 0 vote(s) (0.0%)
  3. hardware issue: 0 vote(s) (0.0%)
  4. software issue: 1 vote(s) (100.0%)
  1. Bahram0110

    Bahram0110 Well-Known Member

    Joined:
    Dec 12, 2007
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    Hello all,
    I have had a Dell server for about 9 months:
    Xeon X3220
    cPanel
    MySQL
    CentOS
    Apache
    PHP 5.2.16
    CSF
    All of this software is updated.
    About 500 accounts are located on it and about 6 to 10 accounts are active. I can say the other accounts really have no visits.
    The CSF connection limit is 80, and 10 to 20 IPs are blocked per day for 15 mins for "to many connections". 80% of the IPs are from foreign countries (from which there are no visits) and they are from different locations.

    Recently my server has been going down once every 24 to 72 hrs.

    At that time:
    MySQL has more than 150 queries in the queue.
    Server load goes up to 200 or even more.
    CSF sends many emails at the same time (Excessive processes running under user..).
    All mails arrive at the same time and alert for different users.
    I also installed PRM (Process Resource Monitor) to limit CPU and RAM usage.
    PRM also sends many emails at that time with content like this:
    EVENT: HARD FAIL MAX_PROC
    use:135/max:30
    ACTION: KILL_PARENT SET; KILLED
    PARENT/CHILDREN PROCS WITH 'kill
    -9 27192 '
    PPID: 27192
    PID: 3065
    USER: ...
    CPU: 0% (max 15)
    MEM: 0% (max 8)
    ETIME: 0108 (max )
    PROCS: 138 (max 30)
    CMD: /usr/bin/php /home/
    .../public_html/
    filename.php

    PRM mails are also for different users at the same time, and all accounts have approximately equal PROCS values (about 130 to 200).

    Is this a DDOS Attack?

    Thank you.
     
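To tell one runaway account from a server-wide trigger, the PRM mails described above can be grouped by minute to list which accounts hit MAX_PROC together. This is an added Python example, not code from the post or from PRM; the DATE line (standing in for the mail's Date header), the account names and the paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed PRM alert bodies in the format quoted in the post. The DATE
# line is an assumption standing in for the mail's Date header; account
# names and paths are placeholders.
SAMPLE_ALERTS = [
    "DATE: 2011-01-15 03:12\nEVENT: HARD FAIL MAX_PROC\nuse:135/max:30\n"
    "USER: acct1\nPROCS: 138 (max 30)\nCMD: /usr/bin/php /home/acct1/public_html/index.php",
    "DATE: 2011-01-15 03:12\nEVENT: HARD FAIL MAX_PROC\nuse:160/max:30\n"
    "USER: acct2\nPROCS: 161 (max 30)\nCMD: /usr/bin/php /home/acct2/public_html/index.php",
    "DATE: 2011-01-15 03:12\nEVENT: HARD FAIL MAX_PROC\nuse:130/max:30\n"
    "USER: acct3\nPROCS: 133 (max 30)\nCMD: /usr/bin/php /home/acct3/public_html/index.php",
    "DATE: 2011-01-14 11:40\nEVENT: HARD FAIL MAX_PROC\nuse:40/max:30\n"
    "USER: acct1\nPROCS: 41 (max 30)\nCMD: /usr/bin/php /home/acct1/public_html/cron.php",
]

# Only the "KEY: value" lines we need; "use:135/max:30" is deliberately skipped.
FIELD_RE = re.compile(r"^(DATE|EVENT|USER|PROCS|CMD):\s*(.*)$", re.MULTILINE)


def parse_alert(text):
    """Extract the fields this analysis needs from one PRM mail body."""
    fields = dict(FIELD_RE.findall(text))
    procs = re.match(r"\d+", fields.get("PROCS", ""))
    return {
        "minute": fields.get("DATE", ""),
        "event": fields.get("EVENT", ""),
        "user": fields.get("USER", ""),
        "procs": int(procs.group()) if procs else 0,
        "cmd": fields.get("CMD", ""),
    }


def simultaneous_max_proc(bodies, min_users=3):
    """Return {minute: [users]} for minutes in which at least min_users distinct
    accounts hit MAX_PROC together. Many accounts failing in the same minute
    points to a shared, server-wide cause rather than one abusive account,
    which is the pattern the poster describes."""
    by_minute = defaultdict(set)
    for body in bodies:
        alert = parse_alert(body)
        if "MAX_PROC" in alert["event"]:
            by_minute[alert["minute"]].add(alert["user"])
    return {m: sorted(u) for m, u in by_minute.items() if len(u) >= min_users}


if __name__ == "__main__":
    for minute, users in simultaneous_max_proc(SAMPLE_ALERTS).items():
        print(f"{minute}: {len(users)} accounts hit MAX_PROC: {', '.join(users)}")
```

Feeding the real mail bodies in (for example, saved from the mailbox to files and read into the list) replaces the constructed samples.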
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    10 to 20 IPs a day is surely not a DDoS attack I wouldn't think.

    You might want to change CSF from temp ban to perm ban. And, check that account a lot closer for issues. If this is all one account, suspend it to protect your server and then inspect it with a fine tooth comb.
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You may want to open up a ticket to have us check into it using WHM > Support Center > Contact cPanel area.

    I'd also suggest possibly installing sys-snap.sh to get the processes running at the time right before the server crash. Here are the steps to install it:

    Code:
    cd ~/
    wget http://sys-snap.techfiles.us/
    chmod +x sys-snap.sh
    nohup ~/sys-snap.sh &
    After installing it and starting it up, it will log to ~/system-snapshot for log files every minute for 60 minutes. When the server crashes, it will quit logging, so the last log will be the one right before the crash.

    Of note, you haven't yet provided any information from /var/log/messages for the time it crashed. It's impossible to know if there's a system hardware or OS-level issue if you haven't viewed /var/log/messages.
     