-
05-27-2005, 07:08 PM #1 Newbie
- Join Date: Jul 2004
- Posts: 24
Ah I think my server has been attacked today!!!
Please help me!
One hour ago my server was very slow and users couldn't load pages.
Now there are some new processes I don't know.
Here is the list of my processes: Any dangerous things?
Tasks: 104 total, 1 running, 102 sleeping, 0 stopped, 1 zombie
Cpu(s): 5.4% us, 1.3% sy, 0.0% ni, 93.2% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 2068144k total, 1875128k used, 193016k free, 19348k buffers
Swap: 2048276k total, 0k used, 2048276k free, 1541388k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 16 0 588 240 444 S 0.0 0.0 0:06.97 init
2 root RT 0 0 0 0 S 0.0 0.0 0:01.12 migration/0
3 root 34 19 0 0 0 S 0.0 0.0 0:00.08 ksoftirqd/0
4 root RT 0 0 0 0 S 0.0 0.0 0:00.79 migration/1
5 root 34 19 0 0 0 S 0.0 0.0 0:00.07 ksoftirqd/1
6 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 events/0
7 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 events/1
8 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 khelper
9 root 5 -10 0 0 0 S 0.0 0.0 0:10.31 kblockd/0
10 root 5 -10 0 0 0 S 0.0 0.0 0:06.47 kblockd/1
12 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pdflush
11 root 15 0 0 0 0 S 0.0 0.0 0:00.00 kirqd
13 root 15 0 0 0 0 S 0.0 0.0 1:38.47 pdflush
14 root 25 0 0 0 0 S 0.0 0.0 0:01.39 kswapd0
15 root 6 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
16 root 7 -10 0 0 0 S 0.0 0.0 0:00.00 aio/1
17 root 5 -10 0 0 0 S 0.0 0.0 0:34.24 xfslogd/0
18 root 8 -10 0 0 0 S 0.0 0.0 0:00.00 xfslogd/1
19 root 8 -10 0 0 0 S 0.0 0.0 0:00.00 xfsdatad/0
20 root 11 -10 0 0 0 S 0.0 0.0 0:00.00 xfsdatad/1
21 root 15 0 0 0 0 S 0.0 0.0 0:00.02 xfsbufd
22 root 25 0 0 0 0 S 0.0 0.0 0:00.20 kseriod
23 root 6 -10 0 0 0 S 0.0 0.0 0:00.00 ata/0
24 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 ata/1
25 root 15 0 0 0 0 S 0.0 0.0 0:01.79 kjournald
122 root 15 0 0 0 0 S 0.0 0.0 0:00.00 xfssyncd
123 root 15 0 0 0 0 S 0.0 0.0 0:02.61 xfssyncd
124 root 15 0 0 0 0 S 0.0 0.0 0:00.05 xfssyncd
615 root 16 0 1396 552 1224 S 0.0 0.0 0:00.00 dhcpcd
685 root 16 0 1424 608 1252 S 0.0 0.0 3:40.42 syslogd
688 root 16 0 2372 1608 1204 S 0.0 0.1 0:00.13 klogd
715 root 17 0 4960 1820 4324 S 0.0 0.1 0:09.57 sshd
721 root 16 0 2616 836 2444 S 0.0 0.0 0:00.03 couriertcpd
723 root 16 0 2516 744 2348 S 0.0 0.0 0:00.02 courierlogger
732 root 24 0 2620 836 2444 S 0.0 0.0 0:00.00 couriertcpd
734 root 25 0 2388 612 2348 S 0.0 0.0 0:00.00 courierlogger
741 root 15 0 2620 840 2444 S 0.0 0.0 0:09.86 couriertcpd
743 root 15 0 2520 748 2348 S 0.0 0.0 0:11.31 courierlogger
751 root 15 0 2620 840 2444 S 0.0 0.0 0:00.19 couriertcpd
753 root 15 0 2520 748 2348 S 0.0 0.0 0:00.18 courierlogger
898 ntp 16 0 2680 2680 1940 S 0.0 0.1 0:01.25 ntpd
927 at 16 0 1604 640 1440 S 0.0 0.0 0:00.00 atd
950 root 16 0 2036 920 1704 S 0.0 0.0 0:10.66 xinetd
972 named 16 0 12296 3116 4068 S 0.0 0.2 0:00.00 named
973 named 16 0 12296 3116 4068 S 0.0 0.2 0:00.11 named
974 named 16 0 12296 3116 4068 S 0.0 0.2 0:45.02 named
975 named 16 0 12296 3116 4068 S 0.0 0.2 0:00.02 named
976 named 16 0 12296 3116 4068 S 0.0 0.2 0:10.72 named
-
05-27-2005, 07:29 PM #2 Web Hosting Guru
- Join Date: Apr 2005
- Location: silicon and earthquakes
- Posts: 258
Any process can be disguised as named, really
I see nothing out of ordinary, but it would help if you provided more info:
- what are the "new" processes?
- is it a server that you run from home?
- what's the OS distro and version?
-
05-27-2005, 07:29 PM #3 Managed Hosting Expert
- Join Date: Jan 2004
- Location: North Yorkshire, UK
- Posts: 4,164
All looks okay, perhaps a busy server?
I take it this is a home box as you're running DHCP, etc. One of those named threads does look a little busy though.
Dan
Dan Kitchen | Technical Director | Razorblue
ddi: (+44) (0)1748 900 680 | e: dkitchen@razorblue.com
UK Intensive Managed Hosting, Clusters and Colocation.
HP Servers, Cisco/Juniper Powered BGP Network (AS15692).
-
05-27-2005, 07:32 PM #4 Newbie
- Join Date: Jul 2004
- Posts: 24
ah okay
You helped me very much! Thank you.
btw, it's a 3.06 GHz P4, 2 GB RAM dedicated server
-
05-27-2005, 07:38 PM #5 Newbie
- Join Date: Jul 2004
- Posts: 24
ah.. googlebot making about 10 pageviews per second lol
+my users (40 members online on my forums)
I think that could have killed my server
Last edited by Wynex; 05-27-2005 at 07:42 PM.
-
05-27-2005, 07:42 PM #6 Junior Guru Wannabe
- Join Date: May 2005
- Posts: 95
I don't think so... powerful server there, that is a very low load even for your 40 members on the forums, etc.
-
05-27-2005, 07:42 PM #7 Web Hosting Guru
- Join Date: Apr 2005
- Location: silicon and earthquakes
- Posts: 258
No need for sarcasm, especially when you are asking for help (MHO though).
615 root 16 0 1396 552 1224 S 0.0 0.0 0:00.00 dhcpcd
If you are running a ded then this is what you should definitely investigate.
-
05-27-2005, 08:53 PM #8 Managed Hosting Expert
- Join Date: Jan 2004
- Location: North Yorkshire, UK
- Posts: 4,164
Either it's a home box running DHCP, DHCP was accidentally installed, or that's some compromised process running under a nicely hidden name.
The latter being very unlikely considering it's hardly using any resources, and even if it has been accidentally enabled in a datacentre environment, assuming it's in a VLAN it wouldn't cause any problems anyway.
Dan
-
05-28-2005, 03:59 AM #9 Newbie
- Join Date: Jul 2004
- Posts: 24
Originally posted by RazorBlue - Dan
Either it's a home box running DHCP, DHCP was accidentally installed, or that's some compromised process running under a nicely hidden name.
The latter being very unlikely considering it's hardly using any resources, and even if it has been accidentally enabled in a datacentre environment, assuming it's in a VLAN it wouldn't cause any problems anyway.
Dan
-
05-28-2005, 04:12 AM #10 Disabled
- Join Date: Nov 2004
- Location: Miami FL
- Posts: 288
what datacenter? (El Secondo Floor-o?, JK)
-
05-28-2005, 04:20 AM #11 Newbie
- Join Date: Jul 2004
- Posts: 24
NO! It is not a home server! 1&1 root server in this datacenter:
http://www.zdnet.de/mobile/artikel/t...eihe_klein.jpg
The dhcpcd server was running when I got the server - I just compared the list with the process list after the setup.
Thank you!
Last edited by Wynex; 05-28-2005 at 04:26 AM.
-
05-28-2005, 11:01 AM #12 Web Hosting Master
- Join Date: Nov 2004
- Location: UK
- Posts: 775
Originally posted by Wynex
NO! It is not a home server! 1&1 root server in this datacenter:
http://www.zdnet.de/mobile/artikel/t...eihe_klein.jpg
The dhcpcd server was running when I got the server - I just compared the list with the process list after the setup.
Thank you!
-
05-28-2005, 01:35 PM #13 Web Hosting Master
- Join Date: Sep 2004
- Location: Miami, FL
- Posts: 2,762
Why is DHCP running? Dedicated servers do not need DHCP to be running. If it is, then it most probably needs to resolve an address somewhere before going out, thus meaning it's somewhere near and it's within an internal network. If a DC does this, they're looking to go out of business FAST!
You should check with your provider and also give us the IP perhaps. We could check things out for you if we have the IP.
We're quite sure it's a HOME GROWN server which is hosted on a single cable line or something like that
Good Luck. Hope u have a good day! Tata!
Last edited by aodat2; 05-28-2005 at 01:38 PM.
Aaron Ong
Dedicated Servers - 100TB Servers - 100Mbps Unmetered Servers - Web Hosting - CDN Network
Servers in Central, East/West Coast USA, EUROPE and ASIA
Welltodo Century - www.welltodocentury.com
-
05-28-2005, 01:44 PM #14 Newbie
- Join Date: Jul 2004
- Posts: 24
aahh ... lol
check bmx-forum.com for dns information. ns1 and ns2 link to my server.
.. and it's 1&1 - they are not going to be out of business soon.
Please don't try to kid me
-
05-28-2005, 03:19 PM #15 Web Hosting Evangelist
- Join Date: Jul 2003
- Posts: 469
Maybe 1&1 uses dhcp for quick re-imaging...
bye
-
05-28-2005, 04:53 PM #16 Disabled
- Join Date: Nov 2004
- Location: Miami FL
- Posts: 288
Originally posted by Wynex
aahh ... lol
check bmx-forum.com for dns information. ns1 and ns2 link to my server.
.. and it's 1&1 - they are not going to be out of business soon.
Please don't try to kid me
-
05-29-2005, 01:31 AM #17 Web Hosting Master
- Join Date: Sep 2004
- Location: Miami, FL
- Posts: 2,762
Originally posted by Wynex
aahh ... lol
check bmx-forum.com for dns information. ns1 and ns2 link to my server.
.. and it's 1&1 - they are not going to be out of business soon.
Please don't try to kid me
If you're here to ask a question and when we're giving it to you and you're telling us to shut up, that makes you a total IDIOT cause you're the one asking the question.
Who is kidding you? I'm merely giving my opinion and by the way, maybe 1&1 is not going to go out of business but they sure as hell are the worst host anyone could ever be with.
Again said, if you do not want our opinions and help, please don't post over here and ask us to help.
Aaron Ong
-
05-29-2005, 04:10 AM #18 Newbie
- Join Date: Jul 2004
- Posts: 24
Originally posted by aodat2
You wanna know something? You're an IDIOT to begin with. Since you're asking for opinions and etc, we're giving it to you. Now, if you don't want it from us, then don't even post over here and ask.
If you're here to ask a question and when we're giving it to you and you're telling us to shut up, that makes you a total IDIOT cause you're the one asking the question.
Who is kidding you? I'm merely giving my opinion and by the way, maybe 1&1 is not going to go out of business but they sure as hell are the worst host anyone could ever be with.
Again said, if you do not want our opinions and help, please don't post over here and ask us to help.
Not quite sure how you could have thought my posts were somehow rude to you, but as a non-native speaker this was not my intention.
And please don't call me a total IDIOT ..
-
05-29-2005, 06:22 AM #19 Disabled
- Join Date: Nov 2004
- Location: England
- Posts: 513
Guys, calm down please, Wynex has no bad intentions and as he said (and as any native English speaker should've spotted really).
Why is DHCP running? Dedicated servers do not need DHCP to be running. If it is, then it most probably needs to resolve an address somewhere before going out, thus meaning it's somewhere near and it's within an internal network. If a DC does this, they're looking to go out of business FAST!
So let's all calm down, eh
Wynex, can you do a 'ps -ef' and paste that here?
-
05-29-2005, 06:27 AM #20 Newbie
- Join Date: Jul 2004
- Posts: 24
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 May17 ? 00:00:07 init [3]
root 2 1 0 May17 ? 00:00:01 [migration/0]
root 3 1 0 May17 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 May17 ? 00:00:00 [migration/1]
root 5 1 0 May17 ? 00:00:00 [ksoftirqd/1]
root 6 1 0 May17 ? 00:00:00 [events/0]
root 7 1 0 May17 ? 00:00:00 [events/1]
root 8 6 0 May17 ? 00:00:00 [khelper]
root 9 6 0 May17 ? 00:00:14 [kblockd/0]
root 10 6 0 May17 ? 00:00:08 [kblockd/1]
root 12 6 0 May17 ? 00:00:00 [pdflush]
root 11 1 0 May17 ? 00:00:00 [kirqd]
root 13 6 0 May17 ? 00:01:50 [pdflush]
root 14 1 0 May17 ? 00:00:01 [kswapd0]
root 15 6 0 May17 ? 00:00:00 [aio/0]
root 16 6 0 May17 ? 00:00:00 [aio/1]
root 17 6 0 May17 ? 00:00:42 [xfslogd/0]
root 18 6 0 May17 ? 00:00:00 [xfslogd/1]
root 19 6 0 May17 ? 00:00:00 [xfsdatad/0]
root 20 6 0 May17 ? 00:00:00 [xfsdatad/1]
root 21 1 0 May17 ? 00:00:00 [xfsbufd]
root 22 1 0 May17 ? 00:00:00 [kseriod]
root 23 6 0 May17 ? 00:00:00 [ata/0]
root 24 6 0 May17 ? 00:00:00 [ata/1]
root 25 1 0 May17 ? 00:00:02 [kjournald]
root 122 1 0 May17 ? 00:00:00 [xfssyncd]
root 123 1 0 May17 ? 00:00:03 [xfssyncd]
root 124 1 0 May17 ? 00:00:00 [xfssyncd]
root 615 1 0 May17 ? 00:00:00 /sbin/dhcpcd -d -N -Y -t 999999
root 685 1 0 May17 ? 00:04:27 /sbin/syslogd -a /var/lib/named/
root 688 1 0 May17 ? 00:00:00 /sbin/klogd -c 1 -2
root 715 1 0 May17 ? 00:00:10 /usr/sbin/sshd -o PidFile=/var/r
root 721 1 0 May17 ? 00:00:00 /usr/lib/courier-imap/libexec/co
root 723 1 0 May17 ? 00:00:00 /usr/lib/courier-imap/sbin/couri
root 732 1 0 May17 ? 00:00:00 /usr/lib/courier-imap/libexec/co
root 734 1 0 May17 ? 00:00:00 /usr/lib/courier-imap/sbin/couri
root 741 1 0 May17 ? 00:00:11 /usr/lib/courier-imap/libexec/co
root 743 1 0 May17 ? 00:00:13 /usr/lib/courier-imap/sbin/couri
root 751 1 0 May17 ? 00:00:00 /usr/lib/courier-imap/libexec/co
root 753 1 0 May17 ? 00:00:00 /usr/lib/courier-imap/sbin/couri
ntp 898 1 0 May17 ? 00:00:01 /usr/sbin/ntpd -p /var/lib/ntp/v
at 927 1 0 May17 ? 00:00:00 /usr/sbin/atd
root 950 1 0 May17 ? 00:00:12 /usr/sbin/xinetd
named 972 1 0 May17 ? 00:00:00 /usr/sbin/named -t /var/lib/name
named 973 972 0 May17 ? 00:00:00 /usr/sbin/named -t /var/lib/name
named 974 973 0 May17 ? 00:00:50 /usr/sbin/named -t /var/lib/name
named 975 973 0 May17 ? 00:00:00 /usr/sbin/named -t /var/lib/name
named 976 973 0 May17 ? 00:00:11 /usr/sbin/named -t /var/lib/name
root 1095 1 0 May17 ? 00:00:00 /usr/local/psa/admin/bin/httpsd
root 1112 1 0 May17 ? 00:00:00 /sbin/startpar -f -- /etc/init.d
root 1137 1 0 May17 ? 00:00:00 /usr/sbin/cron
root 1144 1 0 May17 tty1 00:00:00 /sbin/mingetty --noclear tty1
root 1145 1 0 May17 tty2 00:00:00 /sbin/mingetty tty2
root 1146 1 0 May17 tty3 00:00:00 /sbin/mingetty tty3
root 1147 1 0 May17 tty4 00:00:00 /sbin/mingetty tty4
root 1148 1 0 May17 tty5 00:00:00 /sbin/mingetty tty5
root 1149 1 0 May17 tty6 00:00:00 /sbin/mingetty tty6
root 1150 1 0 May17 ttyS0 00:00:00 /sbin/agetty -L 57600 ttyS0 vt10
root 5248 1 0 May17 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe --u
mysql 5282 5248 0 May17 ? 00:05:50 /usr/sbin/mysqld --basedir=/usr
mysql 5283 5282 0 May17 ? 00:07:55 /usr/sbin/mysqld --basedir=/usr
mysql 5284 5283 0 May17 ? 00:08:18 /usr/sbin/mysqld --basedir=/usr
psaadm 12767 1095 0 May22 ? 00:00:10 /usr/local/psa/admin/bin/httpsd
psaadm 12935 1095 0 May22 ? 00:00:08 /usr/local/psa/admin/bin/httpsd
psaadm 21286 1095 0 May23 ? 00:00:06 /usr/local/psa/admin/bin/httpsd
psaadm 21291 1095 0 May23 ? 00:00:13 /usr/local/psa/admin/bin/httpsd
root 26516 1 0 May23 ? 00:01:24 /usr/sbin/httpd2-prefork -f /etc
psaadm 16571 1095 0 May23 ? 00:00:05 /usr/local/psa/admin/bin/httpsd
psaadm 16582 1095 0 May23 ? 00:00:03 /usr/local/psa/admin/bin/httpsd
psaadm 12662 1095 0 May24 ? 00:00:11 /usr/local/psa/admin/bin/httpsd
psaadm 12663 1095 0 May24 ? 00:00:04 /usr/local/psa/admin/bin/httpsd
psaadm 12664 1095 0 May24 ? 00:00:03 /usr/local/psa/admin/bin/httpsd
psaadm 18028 1095 0 May24 ? 00:00:02 /usr/local/psa/admin/bin/httpsd
qmails 29887 1 0 May25 ? 00:03:28 qmail-send
qmaill 29889 29887 0 May25 ? 00:00:52 splogger qmail
root 29890 29887 0 May25 ? 00:00:22 qmail-lspawn ./Maildir/
qmailr 29891 29887 0 May25 ? 00:00:26 qmail-rspawn
qmailq 29892 29887 0 May25 ? 00:00:28 qmail-clean
nobody 26035 1 0 May27 ? 00:02:19 /usr/sbin/scanlogd
root 6879 715 0 10:49 ? 00:00:00 sshd: root@pts/0
root 6882 6879 0 10:49 pts/0 00:00:00 -bash
wwwrun 24889 26516 0 12:20 ? 00:00:01 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25071 26516 0 12:21 ? 00:00:02 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25151 26516 0 12:21 ? 00:00:01 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25371 26516 0 12:22 ? 00:00:01 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25400 26516 0 12:22 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25406 26516 0 12:22 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25455 26516 0 12:22 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25461 26516 0 12:22 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25759 26516 0 12:23 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25763 26516 0 12:23 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25764 26516 0 12:23 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25765 26516 0 12:23 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25767 26516 1 12:23 ? 00:00:01 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25768 26516 0 12:23 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25772 26516 0 12:23 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25775 26516 0 12:23 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 25992 26516 0 12:24 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 26002 26516 0 12:24 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
wwwrun 26003 26516 0 12:24 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc
qmailr 26223 29891 0 12:25 ? 00:00:00 qmail-remote plutotech.com stor
qmailr 26231 29891 0 12:25 ? 00:00:00 qmail-remote tooyoo1.l.u-tokyo.a
qmailr 26232 29891 0 12:25 ? 00:00:00 qmail-remote fdma.com mly@fdma.
qmailr 26241 29891 0 12:25 ? 00:00:00 qmail-remote labtam.oz.au karli
qmailr 26254 29891 0 12:25 ? 00:00:00 qmail-remote hotbot.com les@hot
qmailr 26257 29891 0 12:25 ? 00:00:00 qmail-remote laney.edu zimerman
mysql 26265 5283 0 12:25 ? 00:00:00 /usr/sbin/mysqld --basedir=/usr
root 26266 6882 0 12:25 pts/0 00:00:00 ps -ef
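Post #2's point that any process can call itself named is what makes a listing like the one above hard to judge by eye: ps only shows the name a process reports, while /proc/<pid>/exe shows the file it was actually started from. The script below is an added example for this thread, not any poster's code: it parses ps -ef output in the format posted above and flags a process whose claimed name and real binary disagree, including a "kernel thread" that has a binary behind it and a binary unlinked after launch (which readlink reports with a " (deleted)" suffix). The impostor PIDs 31337 and 4242 and every exe path in FAKE_EXE are constructed; the expected daemon paths are the ones shown in the listing.

```python
import os
import re

# Added example for this thread, not any poster's code: compare what a process calls itself
# with the binary /proc/<pid>/exe points at. Expected paths are from the ps -ef output above.
EXPECTED_EXE = {"named": "/usr/sbin/named", "dhcpcd": "/sbin/dhcpcd", "sshd": "/usr/sbin/sshd"}
# Columns of `ps -ef`: UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces)
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")

# Constructed sample: lines taken from the thread plus two impostors (PIDs 31337 and 4242).
SAMPLE_PS = """UID PID PPID C STIME TTY TIME CMD
root 9 6 0 May17 ? 00:00:14 [kblockd/0]
root 615 1 0 May17 ? 00:00:00 /sbin/dhcpcd -d -N -Y -t 999999
named 972 1 0 May17 ? 00:00:00 /usr/sbin/named -t /var/lib/name
named 973 972 0 May17 ? 00:00:00 /usr/sbin/named -t /var/lib/name
root 31337 1 0 12:00 ? 00:00:00 [kblockd/2]
named 4242 1 0 12:00 ? 00:00:00 /usr/sbin/named -t /var/lib/name
"""
# Constructed stand-in for /proc/<pid>/exe; None models a genuine kernel thread (no exe).
FAKE_EXE = {9: None, 615: "/sbin/dhcpcd", 972: "/usr/sbin/named",
            973: "/usr/sbin/named", 31337: "/tmp/.x/kblockd", 4242: "/var/tmp/named"}

def parse_ps_ef(text):
    procs = []
    for line in text.strip().splitlines()[1:]:               # skip the header row
        if m := PS_LINE.match(line.strip()):
            procs.append({"user": m[1], "pid": int(m[2]), "ppid": int(m[3]), "cmd": m[4]})
    return procs

def real_exe(pid):
    """Live lookup: the binary behind a PID; None for kernel threads or exited PIDs."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None

def triage(procs, exe_of=real_exe):
    """Return (pid, reason) for every process whose name and real executable disagree."""
    findings = []
    for p in procs:
        pid, cmd, exe = p["pid"], p["cmd"], exe_of(p["pid"])
        if cmd.startswith("["):                               # claims to be a kernel thread
            if exe is not None:                               # ...yet a file on disk backs it
                findings.append((pid, f"kernel-thread name backed by {exe}"))
            continue
        name = os.path.basename(cmd.split()[0]).rstrip(":")  # "sshd: root@pts/0" -> sshd
        if exe and exe.endswith(" (deleted)"):               # binary unlinked after launch
            findings.append((pid, f"{name} runs from deleted file {exe}"))
        elif name in EXPECTED_EXE and exe and exe != EXPECTED_EXE[name]:
            findings.append((pid, f"{name} runs from {exe}, expected {EXPECTED_EXE[name]}"))
    return findings
```

On a live box, `triage(parse_ps_ef(subprocess.check_output(["ps", "-ef"], text=True)))` uses the real /proc lookup; run it as root so every process's exe link is readable.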