Web Hosting Talk







The crazy load average


^___^
01-16-2005, 05:15 PM
Hi friends,

I don't know that much about servers and I just started with my first server almost 1 year ago.

For 2 months, apache, exim and cpsrvd have been failing daily and then restarting automagically. I started to get the statscheck mails to check for the cause of the high load.

With the top command, I found that
httpd, exim and mysql are usually using 99.9 of the CPU, causing the load to go to the 20, 40 or even 50 range.

When I kill them, they restart automatically, it seems.
Good load appears for a few minutes before going again to high values.

How can I determine exactly which process is causing httpd, exim and mysql to take high CPU resources?

Thanks a lot in advance.

thomas.smith
01-16-2005, 05:26 PM
If you are using WHM, switch off the other two services in the service manager. Then kill the processes and see what the other process does. Repeat it until you find out which service is causing the problem. Also look at the Apache status link in WHM to find out which script/site is causing the high load. Have a look at your mailing queue to find out if there is a spammer on your server causing the load etc.

okihost
01-16-2005, 05:27 PM
Look at your apache status page and see if it is an apache request(s) causing the issue, post a 'top' screen here.

Most important would be to find a reliable server admin to look into your issue for you.

mark_uk
01-16-2005, 08:26 PM
Do you have a lot of processes owned by the user "NoBody" when you do a TOP? Also do you have any files in your /tmp folder that shouldn't be there?

^___^
03-18-2005, 12:18 PM
Hi friends

Unfortunately, I am coming back :(

Last time, I contacted the server provider (SM)
and after some time they replied saying that they can't see
anything that could cause high load other than the normal load of the sites!!

However, the problem disappeared and the server became
a lot better.

1 week back, the situation returned and is even worse.
I didn't accept any more sites and most of the sites are totally small in size/visits.

I remembered once they asked me to accept reinstalling the OS as was there somebody that can affect the server.

Here I will include the top screen that I get now.
Can anybody help
please

thomas.smith
03-18-2005, 12:27 PM
I had a look at your top screenshot and it indicates three possible reasons for the problem:

1. MySQL is very busy. If you have WHM/Cpanel log in to WHM and scroll down to MySQL in the menu on the left. Then click on "Show MySQL processes". Have a look at this and you will probably see which user is causing the high load if it is related to MySQL. If you want post a screen shot here and I will have a look at it.

2. I see a large amount of processes running. This could be a DDoS synflood attack against your Apache server. Log in to SSH as root and type:
netstat -na |grep :80 |sort
If you are seeing a large amount of connections from a similar or the same IP you can block the IP using IP tables:

To block 111.222.111.222 for example enter:
iptables -I INPUT -i eth0 -p tcp --dport 80 -s 111.222.111.222 -j DROP

To block any IP that starts with 111 type:
iptables -I INPUT -i eth0 -p tcp --dport 80 -s 111.0.0.0/8 -j DROP

To block all IPs that begin with 111.222 type:
iptables -I INPUT -i eth0 -p tcp --dport 80 -s 111.222.0.0/16 -j DROP

and so on...

To unblock all IPs type:
iptables -I INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

If you can't figure it out let Netstat post into a file and post the file here.
To do this enter:
netstat -na |grep :80 |sort >netstat.txt
Then download the netstat.txt file and post it here.

Additionally log in to WHM and click on "Apache Status". Save the file to your disk. Then post it here.

3. EDIT: I just found something else: There are some mailman processes running. These can take a server down. Have a look at your Exim mailing queue (you can access it from WHM "Manage mailing queue link"). However, I do not think Mailman is causing the problem because if it was you would see some exim processes running. I think the problem is related to MySQL. I guess someone is setting up a remote connection to MySQL and hosts a large MySQL db...
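
An added example, not part of thomas.smith's post: `netstat -na |grep :80 |sort` lists every line containing `:80`, so the reader still has to count by eye. The sketch below counts connections to local port 80 per remote IP and TCP state; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-IP, per-state summary of connections to local port 80.

# Constructed sample of `netstat -na` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40115      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51820       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51822       TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.9:33001       SYN_RECV
tcp        0      0 192.0.2.10:8080         198.51.100.7:40200      ESTABLISHED
tcp        0      0 192.0.2.10:51000        203.0.113.80:80         ESTABLISHED
EOF
}

# Read netstat output on stdin; print "count ip state", busiest first.
# Only the local address is tested, so :8080 and outbound requests are skipped.
conns_per_ip() {
  awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" {
         ip = $5
         sub(/:[0-9]+$/, "", ip)        # drop the remote port
         n[ip " " $6]++
       }
       END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Print remote IPs holding at least $1 half-open (SYN_RECV) connections.
syn_suspects() {
  conns_per_ip | awk -v min="$1" '$3 == "SYN_RECV" && $1 >= min { print $2 }'
}

# Live use: netstat -na | conns_per_ip | head
sample_netstat | conns_per_ip
```

Many SYN_RECV entries from one address point at half-open connections, while a long tail of ESTABLISHED and TIME_WAIT entries spread over many addresses is ordinary traffic.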

^___^
03-19-2005, 01:05 PM
Hi thomas.smith,

I really appreciate your reply for the 2nd time for my problem.
It was helpful.
Thanks a lot friend.


Today I got an email from one of the sites I host.
It was about the server being totally bad.

With the top command, I got a terrible load --> 160

http://llkl.net/19-3-2005.gif

I restarted the server.
I also changed some settings in email (preventing nobody + uncheck mailman).
Suddenly and for about an hour the load is about 4,
which is still a lot better than before.

The mysql processes I found were few (I did that after the restart)

+------+---------------+-----------+-------------+---------+------+-------+------------------+
| Id | User | Host | db | Command | Time | State | Info |
+------+---------------+-----------+-------------+---------+------+-------+------------------+
| 250 | eximstats | localhost | eximstats | Sleep | 138 | | |
| 835 | eximstats | localhost | eximstats | Sleep | 352 | | |
| 883 | persian_forum | localhost | persian_vbb | Sleep | 274 | | |
| 1026 | persian_forum | localhost | persian_vbb | Sleep | 0 | | |
| 1027 | root | localhost | | Query | 0 | | show processlist |
+------+---------------+-----------+-------------+---------+------+-------+------------------+

The mail queue is totally high
mails in queue !!!!!!

I can't find where to find the domain,
but I think my server is used for spam :(

This is one of the emails
where xyz = my domain


1CWrzk-0003sR-OT-H
mailnull 47 12
<>
1101282920 0
-ident mailnull
-received_protocol local
-body_linecount 64
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1101358083
-localerror
XX
1
sfuedvozxlebtr@girlslife.com

156P Received: from mailnull by alain.xyz.com with local (Exim 4.43)
id 1CWrzk-0003sR-OT
for sfuedvozxlebtr@girlslife.com; Wed, 24 Nov 2004 01:55:20 -0600
047 X-Failed-Recipients: llkm@alain.xyz.com
031 Auto-Submitted: auto-generated
061F From: Mail Delivery System <Mailer-Daemon@alain.xyz.com>
033T To: sfuedvozxlebtr@girlslife.com
059 Subject: Mail delivery failed: returning message to sender
050I Message-Id: <E1CWrzk-0003sR-OT@alain.xyz.com>
038 Date: Wed, 24 Nov 2004 01:55:20 -0600


1CWrzk-0003sR-OT-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

llklcom@alain.tophttp.com
(generated from kenney@llkl.com)
Disk quota exceeded:
mailbox is full: retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <sfuedvozxlebtr@girlslife.com>
Received: from [211.200.199.145] (helo=69.56.201.3)
by alain.tophttp.com with smtp (Exim 4.43)
id 1CWrzj-0003oQ-UN; Wed, 24 Nov 2004 01:55:20 -0600
Message-ID: <rSGP9.aZStMyJkO@graffiti.net>
To: kenney@llkl.com
From: "Amos Avery" <sfuedvozxlebtr@girlslife.com>
Subject: Finest online medication here
Date: Wed, 24 Nov 2004 00:52:28 -0700
Content-Type: text/html; charset=us-ascii
Mime-Version: 1.0

<html>
<head>
<title>eater</title>
</head>
<body>
<center>
<font face="Verdana">
hobbes botany disyllable lome malevolent
<br>
<br>
<br>
<br>
<h3>Get ANY prescription drug you want!</h3>
<p>Absolutely No Doctor's Appointments Needed!
<br>
<br>
<br>
<br>
<b>
<a href="http://www.monitor9dumbstruck.com/?sa=MWXG6731&sdfg=0&la=5lv&af=nlnM">Lowest prices on brand name and generic drvgs!</a>
</b>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Stop getting promotional material <a href="http://www.removable4duties.com">here</a><br>
<br>
cacophonist implore seam embeddable counterargument rainstorm clement
<br>
<br>
</p>
</font>
</center>
</body>
</html>


Is this additional information helpful?
I am worried that the crazy will return back as the cause is not yet known for me?

Please help friends

thomas.smith
03-19-2005, 01:09 PM
Now I am seeing two things: Exim and MySQL maxed out. Exim is most likely maxed due to a mailman mailing list and MySQL...difficult to say. A load of 4 is still very high. On a single CPU it should be around 1.

If you want give me access (send me a PM) and I'll have a look.

thomas.smith
03-19-2005, 01:16 PM
How many messages do you have on your queue? Do they all refer to the same addresses?

^___^
03-19-2005, 01:16 PM
hi thomas.smith,

Thanks for your fast reply.
I just edited my post to complete it.

I will pm you now

thomas.smith
03-19-2005, 01:26 PM
Do you have ICQ ? I think we should chat so I can check back with you on what to do...

coight
03-19-2005, 01:33 PM
Try adding some more RAM, you seem to be using a lot of swap.

thomas.smith
03-19-2005, 01:37 PM
We got to chat...

mainarea
03-19-2005, 01:40 PM
Go to the exim configuration editor in WHM, switch to advanced mode, and paste the following in the first box:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
That will help you find where the emails are coming from (what script).

- Matt

thomas.smith
03-19-2005, 01:42 PM
I know what is causing the problem... We just need to chat...

^___^
03-19-2005, 01:52 PM
Hi thomas.smith,

I have msn messenger.
Is that ok?

^___^
03-19-2005, 02:01 PM
Originally posted by mainarea
Go to the exim configuration editor in WHM, switch to advanced mode, and paste the following in the first box:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
That will help you find where the emails are coming from (what script).

- Matt


I did.
Thanks a lot mainarea

I think the effect will appear with any new email, true?
I will wait to know from where I got that spam

thanks again mainarea

thomas.smith
03-19-2005, 02:02 PM
I did install MSN, what's your nick?

You got 385.000 emails on your queue... That is the problem.

thomas.smith
03-19-2005, 02:10 PM
I did add you to MSN but you seem to be offline...

thomas.smith
03-19-2005, 02:17 PM
Are you still around? We just need to chat. There are various big problems that should be fixed very quickly!! Especially someone is stealing your bandwidth and your Exim is not configured correctly. I can solve the prob but we should chat.

thomas.smith
03-19-2005, 02:24 PM
Please check your PM. I sent you an address to a chat room.

^___^
04-18-2005, 09:45 AM
I should give a very big thanks to

(((((((((((((((thomas.smith)))))))))))))))))


He is one of the best around.
He was able to configure my problem and to solve it.

The load went down to around 0.5 after it was over 180

The server providers said that the server looks normal
and that is the normal load!!!!!!!

Thanks again thomas.smith.
You are one of the best




---------------------------------------




BTW,
I still have a bad customer in my server that is sending spam.
I can read the emails from the queue
But I can't find from which account or even the file on the server
that is used.

Any help will be totally appreciated.


Thanks for all
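
An added example, not part of any post in the thread: with the `+arguments` selector from mainarea's `log_selector` line enabled, Exim logs the working directory of each process that invokes it, which answers the "which account or file" question above when the submitting user is a shared account such as nobody. The function names, paths, users and log lines below are constructed for illustration; the log is assumed to be Exim's main log (on cPanel typically /var/log/exim_mainlog).

```shell
#!/bin/sh
# Added example: find which directory and local user inject mail into Exim.

# Constructed main-log excerpt in the shape Exim writes with +arguments enabled.
sample_mainlog() {
cat <<'EOF'
2005-03-19 14:05:01 cwd=/home/exampleuser/public_html/forum/includes 3 args: /usr/sbin/sendmail -t -i
2005-03-19 14:05:01 1DCq2f-0003sR-01 <= nobody@host.example.com U=nobody P=local S=812 T="constructed subject" for a@example.net
2005-03-19 14:05:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1DCq2f-0003sR-01
2005-03-19 14:05:03 cwd=/home/exampleuser/public_html/forum/includes 3 args: /usr/sbin/sendmail -t -i
2005-03-19 14:05:03 1DCq2h-0003sT-02 <= nobody@host.example.com U=nobody P=local S=815 T="constructed subject" for b@example.net
2005-03-19 14:05:04 cwd=/home/exampleuser/public_html/forum/includes 3 args: /usr/sbin/sendmail -t -i
2005-03-19 14:05:04 1DCq2i-0003sV-03 <= nobody@host.example.com U=nobody P=local S=809 T="constructed subject" for c@example.net
2005-03-19 14:06:10 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2005-03-19 14:06:10 1DCq3k-0003t1-04 <= otheruser@host.example.com U=otheruser P=local S=640 T="order received" for d@example.net
2005-03-19 14:07:00 cwd=/ 2 args: /usr/sbin/exim -q
2005-03-19 14:07:30 1DCq3a-0003tB-05 <= someone@example.org H=mail.example.org [203.0.113.20] P=esmtp S=2048 for user@host.example.com
EOF
}

# Print "count directory" for every place exim/sendmail was started from,
# ignoring Exim's own queue runners (cwd=/ and /var/spool/...).
senders_by_cwd() {
  awk '/ [0-9]+ args: / {
         for (i = 3; i <= NF; i++) if ($i ~ /^cwd=\//) {
           d = substr($i, 5)
           if (d != "/" && d !~ /^\/var\/spool\//) n[d]++
           break
         }
       }
       END { for (d in n) print n[d], d }' | sort -k1,1nr -k2,2
}

# Print "count user" for messages submitted locally (P=local), by U= field.
local_senders() {
  awk '$4 == "<=" && / P=local / {
         for (i = 5; i <= NF; i++) if ($i ~ /^U=/) { n[substr($i, 3)]++; break }
       }
       END { for (u in n) print n[u], u }' | sort -k1,1nr -k2,2
}

# Live use: senders_by_cwd < /var/log/exim_mainlog | head
sample_mainlog | senders_by_cwd
sample_mainlog | local_senders
```

The directory with the highest count is where to look for the mailing script; only messages logged after the selector was enabled carry a `cwd=` line, so mail already sitting in the queue is not covered.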