  1. #1

    Ah I think my server has been attacked today!!!

    Please help me!
    One hour ago my server was very slow and users couldn't load pages.

    Now there are some new processes I don't know.

    Here is the list of my processes: Any dangerous things?

    Tasks: 104 total, 1 running, 102 sleeping, 0 stopped, 1 zombie
    Cpu(s): 5.4% us, 1.3% sy, 0.0% ni, 93.2% id, 0.0% wa, 0.0% hi, 0.0% si
    Mem: 2068144k total, 1875128k used, 193016k free, 19348k buffers
    Swap: 2048276k total, 0k used, 2048276k free, 1541388k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    1 root 16 0 588 240 444 S 0.0 0.0 0:06.97 init
    2 root RT 0 0 0 0 S 0.0 0.0 0:01.12 migration/0
    3 root 34 19 0 0 0 S 0.0 0.0 0:00.08 ksoftirqd/0
    4 root RT 0 0 0 0 S 0.0 0.0 0:00.79 migration/1
    5 root 34 19 0 0 0 S 0.0 0.0 0:00.07 ksoftirqd/1
    6 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 events/0
    7 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 events/1
    8 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 khelper
    9 root 5 -10 0 0 0 S 0.0 0.0 0:10.31 kblockd/0
    10 root 5 -10 0 0 0 S 0.0 0.0 0:06.47 kblockd/1
    12 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pdflush
    11 root 15 0 0 0 0 S 0.0 0.0 0:00.00 kirqd
    13 root 15 0 0 0 0 S 0.0 0.0 1:38.47 pdflush
    14 root 25 0 0 0 0 S 0.0 0.0 0:01.39 kswapd0
    15 root 6 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
    16 root 7 -10 0 0 0 S 0.0 0.0 0:00.00 aio/1
    17 root 5 -10 0 0 0 S 0.0 0.0 0:34.24 xfslogd/0
    18 root 8 -10 0 0 0 S 0.0 0.0 0:00.00 xfslogd/1
    19 root 8 -10 0 0 0 S 0.0 0.0 0:00.00 xfsdatad/0
    20 root 11 -10 0 0 0 S 0.0 0.0 0:00.00 xfsdatad/1
    21 root 15 0 0 0 0 S 0.0 0.0 0:00.02 xfsbufd
    22 root 25 0 0 0 0 S 0.0 0.0 0:00.20 kseriod
    23 root 6 -10 0 0 0 S 0.0 0.0 0:00.00 ata/0
    24 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 ata/1
    25 root 15 0 0 0 0 S 0.0 0.0 0:01.79 kjournald
    122 root 15 0 0 0 0 S 0.0 0.0 0:00.00 xfssyncd
    123 root 15 0 0 0 0 S 0.0 0.0 0:02.61 xfssyncd
    124 root 15 0 0 0 0 S 0.0 0.0 0:00.05 xfssyncd
    615 root 16 0 1396 552 1224 S 0.0 0.0 0:00.00 dhcpcd
    685 root 16 0 1424 608 1252 S 0.0 0.0 3:40.42 syslogd
    688 root 16 0 2372 1608 1204 S 0.0 0.1 0:00.13 klogd
    715 root 17 0 4960 1820 4324 S 0.0 0.1 0:09.57 sshd
    721 root 16 0 2616 836 2444 S 0.0 0.0 0:00.03 couriertcpd
    723 root 16 0 2516 744 2348 S 0.0 0.0 0:00.02 courierlogger
    732 root 24 0 2620 836 2444 S 0.0 0.0 0:00.00 couriertcpd
    734 root 25 0 2388 612 2348 S 0.0 0.0 0:00.00 courierlogger
    741 root 15 0 2620 840 2444 S 0.0 0.0 0:09.86 couriertcpd
    743 root 15 0 2520 748 2348 S 0.0 0.0 0:11.31 courierlogger
    751 root 15 0 2620 840 2444 S 0.0 0.0 0:00.19 couriertcpd
    753 root 15 0 2520 748 2348 S 0.0 0.0 0:00.18 courierlogger
    898 ntp 16 0 2680 2680 1940 S 0.0 0.1 0:01.25 ntpd
    927 at 16 0 1604 640 1440 S 0.0 0.0 0:00.00 atd
    950 root 16 0 2036 920 1704 S 0.0 0.0 0:10.66 xinetd
    972 named 16 0 12296 3116 4068 S 0.0 0.2 0:00.00 named
    973 named 16 0 12296 3116 4068 S 0.0 0.2 0:00.11 named
    974 named 16 0 12296 3116 4068 S 0.0 0.2 0:45.02 named
    975 named 16 0 12296 3116 4068 S 0.0 0.2 0:00.02 named
    976 named 16 0 12296 3116 4068 S 0.0 0.2 0:10.72 named

  2. #2
    Join Date
    Apr 2005
    Location
    silicon and earthquakes
    Posts
    258
    Any process can be disguised as named, really
    I see nothing out of ordinary, but it would help if you provided more info:
    - what are the "new" processes?
    - is it a server that you run from home?
    - what's the OS distro and version?

  3. #3
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,164
    All looks okay, perhaps a busy server?

    I take it this is a home box as you're running DHCP, etc. One of those named threads does look a little busy though.

    Dan
    █ Dan Kitchen | Technical Director | Razorblue
    █ ddi: (+44) (0)1748 900 680 | e: dkitchen@razorblue.com
    █ UK Intensive Managed Hosting, Clusters and Colocation.
    █ HP Servers, Cisco/Juniper Powered BGP Network (AS15692).

  4. #4
    ah okay
    You helped me very much! Thank you.

    btw, it's a 3.06 GHz P4, 2 GB RAM dedicated server

  5. #5
    ah.. googlebot making about 10 pageviews per second lol
    +my users (40 members online on my forums)

    I think that could have killed my server
    Last edited by Wynex; 05-27-2005 at 07:42 PM.

  6. #6
    Join Date
    May 2005
    Posts
    95
    I don't think so... powerful server there; that is a very low load, even for your 40 members on the forums, etc.

  7. #7
    Join Date
    Apr 2005
    Location
    silicon and earthquakes
    Posts
    258
    No need for sarcasm, especially when you are asking for help (MHO though).

    615 root 16 0 1396 552 1224 S 0.0 0.0 0:00.00 dhcpcd

    If you are running a ded then this is what you should definitely investigate.

  8. #8
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,164
    Either it's a home box running DHCP, DHCP was accidentally installed, or that's some compromised process running under a nicely hidden name.

    The latter being very unlikely considering it's hardly using any resources, and even if it has been accidentally enabled in a datacentre environment, assuming it's in a VLAN it wouldn't cause any problems anyway.

    Dan

  9. #9
    Originally posted by RazorBlue - Dan
    Either it's a home box running DHCP, DHCP was accidentally installed, or that's some compromised process running under a nicely hidden name.

    The latter being very unlikely considering it's hardly using any resources, and even if it has been accidentally enabled in a datacentre environment, assuming it's in a VLAN it wouldn't cause any problems anyway.

    Dan
    yeah, I also saw something about the dhcp service in the logs with loading problems. I'll try to disable this service, as I don't have a dynamic IP. My server is in a datacenter - could it be that all servers there have internal IPs in the network and other IPs for the internet?

  10. #10
    Join Date
    Nov 2004
    Location
    Miami FL
    Posts
    288
    what datacenter? (El Secondo Floor-o?, JK)

  11. #11
    NO! It is not a home server! 1&1 root server in this datacenter:
    http://www.zdnet.de/mobile/artikel/t...eihe_klein.jpg

    the dhcpcd server was running when I got the server - I just compared the list with the process-list after the setup.
    Thank you!
    Last edited by Wynex; 05-28-2005 at 04:26 AM.

  12. #12
    Join Date
    Nov 2004
    Location
    UK
    Posts
    775
    Originally posted by Wynex
    NO! It is not a home server! 1&1 root server in this datacenter:
    http://www.zdnet.de/mobile/artikel/t...eihe_klein.jpg

    the dhcpcd server was running when I got the server - I just compared the list with the process-list after the setup.
    Thank you!
    Calm down

  13. #13
    Join Date
    Sep 2004
    Location
    Miami, FL
    Posts
    2,762
    Why is DHCP running? Dedicated servers do not need DHCP to be running. If it is, then it most probably needs to resolve an address somewhere before going out, thus meaning it's somewhere near and it's within an internal network. If a DC does this, they're looking to go out of business FAST!

    You should check with your provider and also give us the IP perhaps. We could check things out for you if we have the IP.

    We're quite sure it's a HOME GROWN server which is hosted on a single cable line or something like that

    Good Luck. Hope u have a good day! Tata!
    Last edited by aodat2; 05-28-2005 at 01:38 PM.
    Aaron Ong
    Dedicated Servers - 100TB Servers - 100Mbps Unmetered Servers - Web Hosting - CDN Network
    Servers in Central, East/West Coast USA, EUROPE and ASIA
    Welltodo Century
    - www.welltodocentury.com

  14. #14
    aahh ... lol
    check bmx-forum.com for dns information. ns1 and ns2 link to my server.
    .. and it's 1&1 - they are not going to be out of business soon.

    Please don't try to kid me

  15. #15
    Join Date
    Jul 2003
    Posts
    469
    Maybe 1&1 uses dhcp for quick re-imaging...
    bye

  16. #16
    Join Date
    Nov 2004
    Location
    Miami FL
    Posts
    288
    Originally posted by Wynex
    aahh ... lol
    check bmx-forum.com for dns information. ns1 and ns2 link to my server.
    .. and it's 1&1 - they are not going to be out of business soon.

    Please don't try to kid me
    You're the one giving weird answers. Just an IP, not "check the ns and ns2"....... that's crap.

  17. #17
    Join Date
    Sep 2004
    Location
    Miami, FL
    Posts
    2,762
    Originally posted by Wynex
    aahh ... lol
    check bmx-forum.com for dns information. ns1 and ns2 link to my server.
    .. and it's 1&1 - they are not going to be out of business soon.

    Please don't try to kid me
    You wanna know something? You're an IDIOT to begin with. Since you're asking for opinions and etc, we're giving it to you. Now, if you don't want it from us, then don't even post over here and ask.

    If you're here to ask a question and when we're giving it to you and you're telling us to shut up, that makes you a total IDIOT cause you're the one asking the question.

    Who is kidding you? I'm merely giving my opinion and by the way, maybe 1&1 is not going to go out of business but they sure as hell are the worst host anyone could ever be with.

    Again said, if you do not want our opinions and help, please don't post over here and ask us to help.

  18. #18
    Originally posted by aodat2
    You wanna know something? You're an IDIOT to begin with. Since you're asking for opinions and etc, we're giving it to you. Now, if you don't want it from us, then don't even post over here and ask.

    If you're here to ask a question and when we're giving it to you and you're telling us to shut up, that makes you a total IDIOT cause you're the one asking the question.

    Who is kidding you? I'm merely giving my opinion and by the way, maybe 1&1 is not going to go out of business but they sure as hell are the worst host anyone could ever be with.

    Again said, if you do not want our opinions and help, please don't post over here and ask us to help.
    I came here to find help about my running processes and also appreciated it very much. Then people started over about the - strange - dhcp service running on my server and also that
    Originally posted by aodat2
    We're quite sure it's a HOME GROWN server which is hosted on a single cable line or something like that
    which is definitely not true.
    Not quite sure how you could have thought my posts were somehow rude to you, but as a non-native speaker this was not my intention.
    And please don't call me a total IDIOT ..

  19. #19
    Join Date
    Nov 2004
    Location
    England
    Posts
    513
    Guys, calm down please, Wynex has no bad intentions and as he said (and as any native English speaker should've spotted really).

    Why is DHCP running? Dedicated servers do not need DHCP to be running. If it is, then it most probably needs to resolve an address somewhere before going out, thus meaning it's somewhere near and it's within an internal network. If a DC does this, they're looking to go out of business FAST!
    The larger providers will have 2 NICs in their machine, one for the static public IP, the other for the management network, which would get IPs from a DHCP lease.

    So let's all calm down, eh

    Wynex, can you do a 'ps -ef' and paste that here?

  20. #20
    UID        PID  PPID  C STIME TTY          TIME CMD
    root         1     0  0 May17 ?        00:00:07 init [3]
    root         2     1  0 May17 ?        00:00:01 [migration/0]
    root         3     1  0 May17 ?        00:00:00 [ksoftirqd/0]
    root         4     1  0 May17 ?        00:00:00 [migration/1]
    root         5     1  0 May17 ?        00:00:00 [ksoftirqd/1]
    root         6     1  0 May17 ?        00:00:00 [events/0]
    root         7     1  0 May17 ?        00:00:00 [events/1]
    root         8     6  0 May17 ?        00:00:00 [khelper]
    root         9     6  0 May17 ?        00:00:14 [kblockd/0]
    root        10     6  0 May17 ?        00:00:08 [kblockd/1]
    root        12     6  0 May17 ?        00:00:00 [pdflush]
    root        11     1  0 May17 ?        00:00:00 [kirqd]
    root        13     6  0 May17 ?        00:01:50 [pdflush]
    root        14     1  0 May17 ?        00:00:01 [kswapd0]
    root        15     6  0 May17 ?        00:00:00 [aio/0]
    root        16     6  0 May17 ?        00:00:00 [aio/1]
    root        17     6  0 May17 ?        00:00:42 [xfslogd/0]
    root        18     6  0 May17 ?        00:00:00 [xfslogd/1]
    root        19     6  0 May17 ?        00:00:00 [xfsdatad/0]
    root        20     6  0 May17 ?        00:00:00 [xfsdatad/1]
    root        21     1  0 May17 ?        00:00:00 [xfsbufd]
    root        22     1  0 May17 ?        00:00:00 [kseriod]
    root        23     6  0 May17 ?        00:00:00 [ata/0]
    root        24     6  0 May17 ?        00:00:00 [ata/1]
    root        25     1  0 May17 ?        00:00:02 [kjournald]
    root       122     1  0 May17 ?        00:00:00 [xfssyncd]
    root       123     1  0 May17 ?        00:00:03 [xfssyncd]
    root       124     1  0 May17 ?        00:00:00 [xfssyncd]
    root       615     1  0 May17 ?        00:00:00 /sbin/dhcpcd ----t 999999
    root       685     1  0 May17 ?        00:04:27 /sbin/syslogd -/var/lib/named/
    root       688     1  0 May17 ?        00:00:00 /sbin/klogd -c 1 -2
    root       715     1  0 May17 ?        00:00:10 /usr/sbin/sshd -o PidFile=/var/r
    root       721     1  0 May17 ?        00:00:00 /usr/lib/courier-imap/libexec/co
    root       723     1  0 May17 ?        00:00:00 /usr/lib/courier-imap/sbin/couri
    root       732     1  0 May17 ?        00:00:00 /usr/lib/courier-imap/libexec/co
    root       734     1  0 May17 ?        00:00:00 /usr/lib/courier-imap/sbin/couri
    root       741     1  0 May17 ?        00:00:11 /usr/lib/courier-imap/libexec/co
    root       743     1  0 May17 ?        00:00:13 /usr/lib/courier-imap/sbin/couri
    root       751     1  0 May17 ?        00:00:00 /usr/lib/courier-imap/libexec/co
    root       753     1  0 May17 ?        00:00:00 /usr/lib/courier-imap/sbin/couri
    ntp        898     1  0 May17 ?        00:00:01 /usr/sbin/ntpd -/var/lib/ntp/v
    at         927     1  0 May17 ?        00:00:00 /usr/sbin/atd
    root       950     1  0 May17 ?        00:00:12 /usr/sbin/xinetd
    named      972     1  0 May17 ?        00:00:00 /usr/sbin/named -/var/lib/name
    named      973   972  0 May17 ?        00:00:00 /usr/sbin/named -/var/lib/name
    named      974   973  0 May17 ?        00:00:50 /usr/sbin/named -/var/lib/name
    named      975   973  0 May17 ?        00:00:00 /usr/sbin/named -/var/lib/name
    named      976   973  0 May17 ?        00:00:11 /usr/sbin/named -/var/lib/name
    root      1095     1  0 May17 ?        00:00:00 /usr/local/psa/admin/bin/httpsd
    root      1112     1  0 May17 ?        00:00:00 /sbin/startpar --- /etc/init.d
    root      1137     1  0 May17 ?        00:00:00 /usr/sbin/cron
    root      1144     1  0 May17 tty1     00:00:00 /sbin/mingetty --noclear tty1
    root      1145     1  0 May17 tty2     00:00:00 /sbin/mingetty tty2
    root      1146     1  0 May17 tty3     00:00:00 /sbin/mingetty tty3
    root      1147     1  0 May17 tty4     00:00:00 /sbin/mingetty tty4
    root      1148     1  0 May17 tty5     00:00:00 /sbin/mingetty tty5
    root      1149     1  0 May17 tty6     00:00:00 /sbin/mingetty tty6
    root      1150     1  0 May17 ttyS0    00:00:00 /sbin/agetty -L 57600 ttyS0 vt10
    root      5248     1  0 May17 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --u
    mysql     5282  5248  0 May17 ?        00:05:50 /usr/sbin/mysqld --basedir=/usr
    mysql     5283  5282  0 May17 ?        00:07:55 /usr/sbin/mysqld --basedir=/usr
    mysql     5284  5283  0 May17 ?        00:08:18 /usr/sbin/mysqld --basedir=/usr
    psaadm   12767  1095  0 May22 ?        00:00:10 /usr/local/psa/admin/bin/httpsd
    psaadm   12935  1095  0 May22 ?        00:00:08 /usr/local/psa/admin/bin/httpsd
    psaadm   21286  1095  0 May23 ?        00:00:06 /usr/local/psa/admin/bin/httpsd
    psaadm   21291  1095  0 May23 ?        00:00:13 /usr/local/psa/admin/bin/httpsd
    root     26516     1  0 May23 ?        00:01:24 /usr/sbin/httpd2-prefork -/etc
    psaadm   16571  1095  0 May23 ?        00:00:05 /usr/local/psa/admin/bin/httpsd
    psaadm   16582  1095  0 May23 ?        00:00:03 /usr/local/psa/admin/bin/httpsd
    psaadm   12662  1095  0 May24 ?        00:00:11 /usr/local/psa/admin/bin/httpsd
    psaadm   12663  1095  0 May24 ?        00:00:04 /usr/local/psa/admin/bin/httpsd
    psaadm   12664  1095  0 May24 ?        00:00:03 /usr/local/psa/admin/bin/httpsd
    psaadm   18028  1095  0 May24 ?        00:00:02 /usr/local/psa/admin/bin/httpsd
    qmails   29887     1  0 May25 ?        00:03:28 qmail-send
    qmaill   29889 29887  0 May25 ?        00:00:52 splogger qmail
    root     29890 29887  0 May25 ?        00:00:22 qmail-lspawn ./Maildir/
    qmailr   29891 29887  0 May25 ?        00:00:26 qmail-rspawn
    qmailq   29892 29887  0 May25 ?        00:00:28 qmail-clean
    nobody   26035     1  0 May27 ?        00:02:19 /usr/sbin/scanlogd
    root      6879   715  0 10:49 ?        00:00:00 sshd: root@pts/0
    root      6882  6879  0 10:49 pts/0    00:00:00 -bash
    wwwrun   24889 26516  0 12:20 ?        00:00:01 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25071 26516  0 12:21 ?        00:00:02 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25151 26516  0 12:21 ?        00:00:01 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25371 26516  0 12:22 ?        00:00:01 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25400 26516  0 12:22 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25406 26516  0 12:22 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25455 26516  0 12:22 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25461 26516  0 12:22 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25759 26516  0 12:23 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25763 26516  0 12:23 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25764 26516  0 12:23 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25765 26516  0 12:23 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25767 26516  1 12:23 ?        00:00:01 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25768 26516  0 12:23 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25772 26516  0 12:23 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25775 26516  0 12:23 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   25992 26516  0 12:24 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   26002 26516  0 12:24 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    wwwrun   26003 26516  0 12:24 ?        00:00:00 /usr/sbin/httpd2-prefork -/etc
    qmailr   26223 29891  0 12:25 ?        00:00:00 qmail-remote plutotech.com  stor
    qmailr   26231 29891  0 12:25 ?        00:00:00 qmail-remote tooyoo1.l.u-tokyo.a
    qmailr   26232 29891  0 12:25 ?        00:00:00 qmail-remote fdma.com  mly@fdma.
    qmailr   26241 29891  0 12:25 ?        00:00:00 qmail-remote labtam.oz.au  karli
    qmailr   26254 29891  0 12:25 ?        00:00:00 qmail-remote hotbot.com  les@hot
    qmailr   26257 29891  0 12:25 ?        00:00:00 qmail-remote laney.edu  zimerman
    mysql    26265  5283  0 12:25 ?        00:00:00 /usr/sbin/mysqld --basedir=/usr
    root     26266  6882  0 12:25 pts/0    00:00:00 ps -ef
    The last few processes with the domains are strange. Is that spambots sending email to my server, or something else (dangerous)?
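Posts #2 and #8 make the point that drives this whole thread: a process name in `top` or `ps -ef` proves nothing, because anything can call itself `named`. The script below is an added example, not code from the thread, that parses the `ps -ef` format posted above and cross-checks two things a listing alone cannot show: whether each daemon-named process really runs the expected binary (from `/proc/<pid>/exe`), and whether its parent fits the pattern seen in the thread (`named` 972 under init, 973-976 under 972). `EXPECTED_EXE`, the extra process 7000 and the `/proc` map are constructed assumptions.

```python
import re
from dataclasses import dataclass

# One `ps -ef` row as posted in the thread: UID PID PPID C STIME TTY TIME CMD.
PS_EF_RE = re.compile(r"^(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+\S+\s+"
                      r"(?P<tty>\S+)\s+\d+:\d+:\d+\s+(?P<cmd>.*)$")

@dataclass
class Proc:
    uid: str
    pid: int
    ppid: int
    tty: str
    cmd: str

    @property
    def name(self):
        """Kernel threads show as [name]; otherwise the basename of argv[0]."""
        first = self.cmd.split()[0] if self.cmd else ""
        return first.strip("[]") if first.startswith("[") else first.rsplit("/", 1)[-1]

def parse_ps_ef(text):
    """Header and blank lines do not match the pattern and are skipped."""
    rows = [PS_EF_RE.match(line.strip()) for line in text.splitlines()]
    return [Proc(m["uid"], int(m["pid"]), int(m["ppid"]), m["tty"], m["cmd"]) for m in rows if m]

# Where each daemon binary lives on this box. The paths are the ones visible in the
# thread's own listing; treat them as an assumed baseline and adjust per distribution.
EXPECTED_EXE = {"named": "/usr/sbin/named", "sshd": "/usr/sbin/sshd",
                "dhcpcd": "/sbin/dhcpcd", "syslogd": "/sbin/syslogd"}

def masquerade_candidates(procs, exe_of):
    """exe_of maps pid -> os.readlink(f"/proc/{pid}/exe") on a live host (root needed for
    other users' processes). Flags processes named like a daemon but running another binary."""
    hits = []
    for p in procs:
        expected, actual = EXPECTED_EXE.get(p.name), exe_of.get(p.pid)
        if expected and actual and actual.replace(" (deleted)", "") != expected:
            hits.append((p.pid, p.name, actual))
    return hits

def unexpected_parents(procs, daemon="named"):
    """In the thread, named 972 is a child of init and 973-976 descend from it; a copy
    launched from an interactive shell breaks that pattern and deserves a look."""
    by_pid = {p.pid: p for p in procs}
    odd = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if p.name == daemon and p.ppid != 1 and (parent is None or parent.name != daemon):
            odd.append((p.pid, p.ppid, parent.cmd if parent else "?"))
    return odd

# Constructed sample: real rows from the thread plus one made-up process (PID 7000)
# started from the admin's shell, and a made-up /proc/<pid>/exe map to match.
SAMPLE = """UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 May17 ?        00:00:07 init [3]
named      972     1  0 May17 ?        00:00:00 /usr/sbin/named -/var/lib/name
named      973   972  0 May17 ?        00:00:00 /usr/sbin/named -/var/lib/name
root      6882  6879  0 10:49 pts/0    00:00:00 -bash
root      7000  6882  0 12:30 pts/0    00:00:00 named
"""
SAMPLE_EXE = {972: "/usr/sbin/named", 973: "/usr/sbin/named", 7000: "/tmp/.hidden/named"}
```

On the real box, build `exe_of` with `os.readlink` over `/proc/<pid>/exe` as root; the `qmail-remote` rows asked about in #20 are outbound deliveries forked by `qmail-rspawn` (PID 29891), which the parent check above confirms rather than flags.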
