  1. #1

    Emergency Server Question - Please help!

    For the past few hours my cPanel server has been running very slow. It's a dual Xeon with 1 gigabyte of RAM.

    During fourth period I was surfing the web in class, when I saw a new email come in from logwatch about a load issue. Then I checked WHM and it's been very slow since then. A guy from class suggested I run 'top' and the screenshot below is what it shows.

    What is this spammer.php? Is it part of cPanel's spam protection? It seems to be taking up all of my server, how can I stop it? I only have 212 sites in WHM but they never have used this much!


    Please help me ASAP!!!!
    Attached thumbnail: server.jpg

  2. #2

    Re: Emergency Server Question - Please help!

    Originally posted by BadAHost
    For the past few hours my cPanel server has been running very slow. It's a dual Xeon with 1 gigabyte of RAM.

    During fourth period I was surfing the web in class, when I saw a new email come in from logwatch about a load issue. Then I checked WHM and it's been very slow since then. A guy from class suggested I run 'top' and the screenshot below is what it shows.

    What is this spammer.php? Is it part of cPanel's spam protection? It seems to be taking up all of my server, how can I stop it? I only have 212 sites in WHM but they never have used this much!


    Please help me ASAP!!!!
    I know this dood that can fix it. His Dad has an awesome set of tools!
    Glenn
    Don't you walk thru my words
    You got to show some respect
    Don't you walk thru my words
    'Cause you ain't heard me out yet

  3. #3
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    8,299
    No, spammer.php isn't part of cPanel. It's someone sending spam from your server. Log in as root and do:

    "find -name spammer.php"

    Then terminate the account.

  4. #4
    Join Date
    Jul 2003
    Location
    rowland hts, california
    Posts
    791
    Instead of terminating the account, definitely suspend it, then fine the user! (if your TOS allows)
    josh

  5. #5
    [[email protected] /]$ find -name spammer.php
    /var/spool/mqueue/.../x/scripts/spammer.php


    Why does it say root when it shows the list in top? Is that bad?

  6. #6
    Originally posted by BadAHost
    [[email protected] /]$ find -name spammer.php
    /var/spool/mqueue/.../x/scripts/spammer.php


    Why does it say root when it shows the list in top? Is that bad?
    Fire your Admin, he must suck. That dood I know.... has a really cool hammer. Shout if ya need it.
    Glenn

  7. #7
    Join Date
    Jan 2003
    Location
    Montreal
    Posts
    1,375
    killall -9 spammer.php

    Do that.
    Charles Beliveau | NymixWeb.com
    Proven success since 2001!

  8. #8
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,913
    I second that

    Change your passwords right after with 'passwd'

    Then, get a security expert on your computer ASAP, since spammer.php is running as root, which means they probably rooted or exploited you.
    Dan Sheppard ~ Freelance whatever

  9. #9
    [[email protected] /]$ killall -9 spammer.php
    spammer.php(31318): Operation not permitted
    spammer.php(31278): Operation not permitted
    spammer.php(31327): Operation not permitted
    spammer.php(31326): Operation not permitted
    spammer.php(31312): Operation not permitted
    spammer.php(31245): Operation not permitted
    spammer.php(31858): Operation not permitted
    spammer.php(32128): Operation not permitted
    spammer.php(31698): Operation not permitted
    spammer.php(31311): Operation not permitted
    spammer.php: no process killed
    [[email protected] /]$


    It was very long so I just grabbed the start and end.. What do I do now!!!!!!

  10. #10
    Join Date
    Jul 2003
    Location
    Satyr, Chrisalya, Canada
    Posts
    1,901
    First, change your root password.
    --

  11. #11
    Join Date
    Jan 2003
    Location
    Montreal
    Posts
    1,375
    That's odd. You're running an EV1 box as I see.

    Change your root password and reboot your server.
    Charles Beliveau | NymixWeb.com
    Proven success since 2001!

  12. #12
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,913
    Er. To expand on that. Also change your admin password. Set up secure SU -, and remove everyone except your "admin" user from the wheel group. If it is possible, get the DC to remove the computer and pop in a new system, mounting the older drive so you can grab your customer or personal files.
    Dan Sheppard ~ Freelance whatever

  13. #13
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,913
    su - into root. You probably can't kill the process because you are running as a regular user.
    Dan Sheppard ~ Freelance whatever

  14. #14
    Originally posted by BadAHost
    [[email protected] /]$ killall -9 spammer.php
    spammer.php(31318): Operation not permitted
    spammer.php(31278): Operation not permitted
    spammer.php(31327): Operation not permitted
    spammer.php(31326): Operation not permitted
    spammer.php(31312): Operation not permitted
    spammer.php(31245): Operation not permitted
    spammer.php(31858): Operation not permitted
    spammer.php(32128): Operation not permitted
    spammer.php(31698): Operation not permitted
    spammer.php(31311): Operation not permitted
    spammer.php: no process killed
    [[email protected] /]$


    It was very long so I just grabbed the start and end.. What do I do now!!!!!!
    Hmmmmm. BadAHost, I guess you just need to throw that server away, get a new one. It looks like an EV1 dual xeon. Time to upgrade. A PII should do..... duals if ya wanna be kewl. Be sure to get a real Admin this time. Stay away from those "in-house" Admins.....

  15. #15
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,913
    I am gonna get this moved to Sec/Tech too. More appropriate, if that is alright...
    Dan Sheppard ~ Freelance whatever

  16. #16
    load average: 187.01, 183.26, 163.82

    It keeps getting worse!!!!

    [[email protected] /]$ passwd
    Changing password for user root.
    New password:
    passwd: Authentication token manipulation error
    [[email protected] / ]$

  17. #17
    Join Date
    Jul 2003
    Location
    Satyr, Chrisalya, Canada
    Posts
    1,901
    Get a managed box from SM or Nocster.
    --

  18. #18
    Originally posted by MStar
    Get a managed box from SM or Nocster.
    Admins like that? No... keep them at EV1 or Nocster.

  19. #19
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,913
    BadAHost: Submit a Reboot TT with EV1...
    Dan Sheppard ~ Freelance whatever

  20. #20
    Or try the IRC or Live Chat gizmo.

  21. #21
    Join Date
    Jul 2003
    Location
    rowland hts, california
    Posts
    791
    Doesn't look like a good day for BadAHost
    josh

  22. #22
    Join Date
    Jul 2003
    Location
    Satyr, Chrisalya, Canada
    Posts
    1,901
    Quit sending out so much mail
    --

  23. #23
    Join Date
    Feb 2004
    Posts
    78
    Before you enter killall -9 spammer.php do
    su -
    enter your root password then run the command,

  24. #24
    Join Date
    Aug 2002
    Location
    DC
    Posts
    3,635
    If I were you, I'd stop hanging around WHT looking for an answer & go hire a server admin ASAP... another example of somebody running a server that shouldn't be

    - Matt

  25. #25
    Join Date
    Feb 2004
    Posts
    78
    well, if you are hosting with EV1, open up their live support or call them. Trouble Tickets don't work so well...

  26. #26
    Join Date
    Aug 2002
    Location
    DC
    Posts
    3,635
    Originally posted by maniplus
    well, if you are hosting with EV1, open up their live support or call them. Trouble Tickets don't work so well...
    EV1 won't help on this stuff, they're unmanaged.

    - Matt

  27. #27
    Join Date
    Feb 2004
    Posts
    78
    EV1 won't help on this stuff, they're unmanaged.

    - Matt
    actually, it depends on how you ask them, I had problems with my nameservers, and had one of their live people :-) login to WHM and fix it for me....
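
The two observations this thread turns on, as an added triage sketch that is not from any poster: a script living under a directory named `...` inside a mail spool, and `killall` failing with "Operation not permitted" because the caller is not the process owner. The function names, the `admin` caller and the sample `ps` lines are constructed for illustration, and the permission check is a simplification of the kernel's rule.

```shell
#!/bin/sh
# Added example: read-only triage helpers. All sample data is constructed.

# List directories under ROOT whose names start with three dots or are
# dot-plus-space variants, names that blend in with "." and ".." in `ls -a`.
find_dot_dirs() {
    find "$1" -xdev -type d \
        \( -name '...*' -o -name '. *' -o -name '.. *' \) 2>/dev/null
}

# Read `ps -eo pid,user,args` style output on stdin (header on line 1) and
# print "PID USER" for each process whose command line mentions SCRIPT.
# The awk process itself is skipped so a live pipeline does not match it.
procs_for_script() {
    awk -v s="$1" 'NR > 1 && $3 !~ /awk$/ && index($0, s) { print $1, $2 }'
}

# For each "PID USER" line on stdin, report whether CALLER could signal it.
# Simplified rule: only root or the owning user can; anyone else gets the
# "Operation not permitted" error shown in the thread.
can_signal() {
    while read -r pid user; do
        if [ "$1" = root ] || [ "$1" = "$user" ]; then
            echo "$pid $user killable"
        else
            echo "$pid $user EPERM"
        fi
    done
}

# Constructed sample in the shape of `ps -eo pid,user,args` output.
SAMPLE_PS='  PID USER     COMMAND
31318 root     /usr/bin/php /var/spool/mqueue/.../x/scripts/spammer.php
31278 root     /usr/bin/php /var/spool/mqueue/.../x/scripts/spammer.php
  912 nobody   /usr/local/apache/bin/httpd -DSSL'

# Demo: what a non-root caller would see for the matching processes.
printf '%s\n' "$SAMPLE_PS" | procs_for_script spammer.php | can_signal admin
```

On a live host the same pipeline takes `ps -eo pid,user,args` as input, and `find_dot_dirs /var/spool` covers the location reported in the thread.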
