  1. #1

    I need help to discover who brings my VPS down every single night :( process "nobody"

    Hello,
    I am not keen in such things and therefore I apologize in advance if I use the wrong terms...
    but basically my problem is this:
    I have a vps with cpanel/whm, which goes very well during almost the whole part of the day,
    but only at night, and almost every night --- between midnight and 1am --- I have to reboot it manually because I always find it down, because the memory seems to reach the maximum level (around 1.3 - 1.4GB).
    After reboot, when I go to check "Daily Process Log" menu in WHM I see that a process "nobody" took around 250% and above of % MEM usage.

    After the reboot vps goes well the whole day, till around the midnight after, when it goes down again! For the same problems...
    Unfortunately I am a newbie and I don't know much about security/technical issues... but I am able to access SSH and input commands if required...

    Can you tell me which steps should I take to find out myself what is causing this annoying problem?

    Thanks in advance!

  2. #2
    What cron tab do you have setup to run between that time? Backups? Maintenance? etc?
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  3. #3
    Originally posted by mugo:
    What cron tab do you have setup to run between that time? Backups? Maintenance? etc?
    hi mugo! thanks for your reply...
    can you tell me how I find out/check if I have this "cron tab"? I don't think I have ever created any...
    Which section do I have to go to in WHM? Or which command do I have to input in the console to possibly find out?

  4. #4
    You can look under cPanel, or if you have ssh,
    "crontab -l"

    In cPanel, it's under Advanced / Cron Jobs. I've never seen a cron interface under WHM directly, but that's not to say it can't be put there with some customization. Most likely under your cPanel.

  5. #5
    Hi mugo, I tried to input it in SSH, because my WHM has too many different cPanel accounts which I created, and I just can't check every cPanel account... some are given to friends.
    Anyway, this is the ssh output to your command:

    [email protected] [~]# crontab -l
    4,19,34,49 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
    2,58 * * * * /usr/local/bandmin/bandmin
    0 0 * * * /usr/local/bandmin/ipaddrmap
    8 23 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
    */5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
    30 */4 * * * /usr/bin/test -x /scripts/update_db_cache && /scripts/update_db_cache
    45 */8 * * * /usr/bin/test -x /usr/local/cpanel/bin/optimizefs && /usr/local/cpanel/bin/optimizefs
    19 3 * * * /scripts/upcp
    0 1 * * * /scripts/cpbackup
    35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check
    30 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1
    15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1
    0 6 * * * /scripts/exim_tidydb > /dev/null 2>&1
    [email protected] [~]#
    Do you notice anything suspicious there?
    Last edited by nuvolona; 05-04-2011 at 03:32 AM.

  6. #6
    nuvolona,

    Go and install CSF (http://www.configserver.com/cp/csf.html). Once installed, log in to WHM, navigate to the bottom of the page where the plugins are listed and open up CSF, then navigate to 'Check Server Security' and resolve each and every issue on there, particularly the 'Check shell limits'. This should give you some insight as to how secure/insecure your server really is. It isn't foolproof, but it's a start.

  7. #7
    Originally posted by Dexqt:
    nuvolona,

    Go and install CSF (http://www.configserver.com/cp/csf.html), once installed...
    Hello, I am reading the installation procedure at http://www.configserver.com/free/csf/install.txt
    If I am not wrong, do I only have to log in to SSH and input the following commands to install?

    rm -fv csf.tgz
    wget http://www.configserver.com/free/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    Sorry if I always ask for confirmation, but I don't want to end up ruining anything...

  8. #8
    I think you might be better asking someone to look into it for you. Ask your provider, they may be able to help you with it.
    Find solution to every problem ---> Google.com

  9. #9
    Originally posted by Fastian:
    I think you might be better asking someone to look into it for you. Ask your provider, they may be able to help you with it.
    But then I will never learn to solve problems myself...

  10. #10
    That's the correct procedure, yes.

  11. #11
    Originally posted by Dexqt:
    That's the correct procedure, yes.
    I have just installed it...

    [email protected] [~/csf]# perl /etc/csf/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...FAILED [Error: iptables: Unknown error 4294967295] - Required for PORTFLOOD and PORTKNOCKING features
    Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 4294967295] - Required for SMTP_BLOCK and UID/GID blocking features
    Testing iptable_nat/ipt_REDIRECT...OK

    RESULT: csf will function on this server but some features will not work due to some missing iptables modules [2]
    [email protected] [~/csf]#
    Do I have to worry about the "FAILED" entries and the "missing iptables modules" in RESULT?
    Last edited by nuvolona; 05-04-2011 at 04:07 AM.

  12. #12
    Those errors indicate that certain modules are missing from the currently loaded kernel. Did you compile your own kernel, or is this a VPS? If you did, then you're going to have to find the missing modules and recompile; if it's a VPS, then you're probably going to have to contact your provider and have them sort the issue out, or just buy your own dedicated server.

  13. #13
    Thought about running suPHP? Normally PHP runs under the user nobody. By enabling suPHP each PHP process is run under cPanel user.

    You really need to get someone who knows what they are doing to look over your VPS. You could have a user sending out thousands of SPAM emails....

  14. #14
    Thanks Hoopla-Brad
    but on my server there are too many ecommerce sites and CMSs, and I wouldn't like to risk enabling a function (like this suPHP?) which could eventually break some of those sites...
    --------------------------------
    What I really wanted to know

    considering that "the attack" that brings down my server *always* happens at a certain time (between midnight and 1 AM)

    is if I can do something, maybe already tonight, at that range of time, to be able to find out what is really going on in real-time, and eventually find the IP of the person/system causing my server to consume that huge amount of memory, in order to deny complete access to it.
    ------------------------------
    Last edited by nuvolona; 05-04-2011 at 10:05 AM.

  15. #15
    0 0 * * * /usr/local/bandmin/ipaddrmap

    0 1 * * * /scripts/cpbackup

    Those are the two culprits I would look at. They match what's going on...the others that are running at that time also run at other times, so probably less suspect. But, there could be other scripts running in tandem, that happen to clash with this.
    Looks like you have a ban on IPs at midnight...are you sure you are not, say, during the day, mis-typing the password more than the allotted max (if that script uses one), and when it runs at midnight, your IP is banned simply because you mis-typed the pass a few times during the last 24 hrs?
    It's almost certainly a cron / timed event, since it happens at the same time every day.
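The reasoning in #15, as an added example that is not part of the original posts: it lists which crontab entries fire between 00:00 and 01:00 and marks the ones that fire at no other time of day. The function name `cron_in_window` is hypothetical, the input is an excerpt of the crontab from #5, and only the minute and hour fields are evaluated.

```shell
#!/bin/sh
# Added example, not from the thread. Excerpt of the crontab posted in #5.
CRONTAB_SAMPLE='4,19,34,49 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
0 0 * * * /usr/local/bandmin/ipaddrmap
8 23 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
19 3 * * * /scripts/upcp
0 1 * * * /scripts/cpbackup'

# cron_in_window START END: both in minutes after midnight (0 60 = 00:00-01:00).
# Reads crontab lines on stdin. Only the minute and hour fields are evaluated
# (assumption: day/month/weekday are "*", as in the posted crontab).
cron_in_window() {
  awk -v ws="$1" -v we="$2" '
  # Expand one cron field (lists, ranges, "*", "/step") into set[].
  function expand(field, lo, hi, set,    n, parts, i, p, r, step, a, b, v) {
    for (v in set) delete set[v]
    n = split(field, parts, ",")
    for (i = 1; i <= n; i++) {
      p = parts[i]; step = 1
      if (split(p, r, "/") == 2) { p = r[1]; step = r[2] + 0 }
      if (step < 1) step = 1
      if (p == "*") { a = lo; b = hi }
      else if (split(p, r, "-") == 2) { a = r[1] + 0; b = r[2] + 0 }
      else { a = p + 0; b = a }
      for (v = a; v <= b; v += step) set[v] = 1
    }
  }
  $1 !~ /^[0-9*]/ { next }      # skip comments, blank lines, prompts, @reboot
  {
    expand($1, 0, 59, mins); expand($2, 0, 23, hrs)
    inw = 0; tot = 0
    for (h in hrs) for (m in mins) {
      tot++
      t = h * 60 + m
      if (t >= ws && t <= we) inw++
    }
    if (inw > 0)
      printf "%s %d/%d %s\n", (inw == tot ? "window-only" : "recurring"), inw, tot, $0
  }'
}

printf '%s\n' "$CRONTAB_SAMPLE" | cron_in_window 0 60
```

On a live server the input would be `crontab -l | cron_in_window 0 60`; each output line shows firings inside the window over firings per day.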

  16. #16
    I remember that last year I added (with the help of another user) some deny IP rules using iptables, so I completely banned some specific IP ranges from my server. I don't remember which, but I think they were from Libya or the Arab Emirates. I think you are referring to them, there... maybe it's the rule we added, the one you find suspicious! I remember at that time we input some commands regarding iptables on ssh, but it was a guided procedure, I did not know exactly what I was doing, myself.

    About the server falling off: randomly, there are some days it doesn't happen, for example last Saturday I remember that the server didn't go down! Other weeks it doesn't happen on other days... so it's not exactly ALWAYS, but let's say... 6 days out of 7, yes! Another problem is that in this situation I just can't go to sleep at a normal time because I have to stay up late just to check if the server goes down, and immediately restart it, so that my friends and I don't face downtime.

    Do you have any suggestion on what I can do maybe tonight in that amount of time? Just an attempt to find out the source?
    Last edited by nuvolona; 05-04-2011 at 10:40 AM.
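A way to collect the evidence asked for in #14 and #16, as an added example that is not part of the original posts: each run records which user and command hold the most resident memory, so the last entries written before the server becomes unresponsive are still on disk after the reboot. The function names, the log path `/root/mem-watch.log` and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample rows in the layout
# "USER RSS_KB COMMAND", as printed by: ps -e -o user= -o rss= -o comm=
SAMPLE_PS='root 1200 sshd
nobody 210000 httpd
nobody 190000 httpd
mysql 150000 mysqld
nobody 205000 httpd
root 800 crond'

# mem_by_user [N]: total resident memory per user+command, largest N first.
mem_by_user() {
  awk 'NF >= 3 { k = $1 " " $3; kb[k] += $2; n[k]++ }
       END { for (k in kb) printf "%d %d %s\n", kb[k], n[k], k }' |
  sort -rn | head -n "${1:-5}" |
  awk '{ printf "%-10s %-12s procs=%-3d rss_mb=%.1f\n", $3, $4, $2, $1 / 1024 }'
}

# snapshot [LOGFILE]: append one timestamped record (hypothetical default path).
snapshot() {
  log="${1:-/root/mem-watch.log}"
  {
    date '+=== %Y-%m-%d %H:%M:%S'
    free -m | sed -n '2p'                       # the "Mem:" line, in MB
    ps -e -o user= -o rss= -o comm= | mem_by_user 5
  } >> "$log"
}

printf '%s\n' "$SAMPLE_PS" | mem_by_user 3
```

Saved as a script that ends with a call to `snapshot` and scheduled in root's crontab as `* 23,0,1 * * *`, it leaves a minute-by-minute record around the failure window.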

  17. #17
    If you are logged in, and this "event" happens, does it kick you out?

  18. #18
    Originally posted by mugo:
    If you are logged in, and this "event" happens, does it kick you out?
    I don't know.... I never had this wonderful experience yet
    But I suppose that in this case, the server would just be "unresponsive"

    I will see tonight what happens
    Last edited by nuvolona; 05-04-2011 at 02:34 PM.

  19. #19
    suPHP won't break anything if the permissions and privileges are correct.
    Originally posted by nuvolona:
    Thanks Hoopla-Brad
    but on my server there are too many ecommerce sites and CMSs, and I wouldn't like to risk enabling a function (like this suPHP?) which could eventually break some of those sites...
    --------------------------------
    What I really wanted to know

    considering that "the attack" that brings down my server *always* happens at a certain time (between midnight and 1 AM)

    is if I can do something, maybe already tonight, at that range of time, to be able to find out what is really going on in real-time, and eventually find the IP of the person/system causing my server to consume that huge amount of memory, in order to deny complete access to it.
    ------------------------------
    James B

  20. #20
    Originally posted by BarackObama:
    suPHP won't break anything if the permissions and privileges are correct.
    thanks... I will give suPHP a chance, and will try to enable it.
    hmmm for this I think I need to recompile everything again with easyapache (from WHM) enabling the suPHP option?
    ...or is there any option somewhere to enable it "on the fly"?
