  1. #1

    * 1TB in 3 days on ev1servers?

    Could someone recommend me a log analyser to work out what pulled all my bandwidth. I got an email from ev1 saying I pulled over 1TB in 3 days, when I've had my server for 3 years and the max it's pulled in one month is 200Gb.

    They are telling me that their monitoring is flawless, even though my WHM says I've only pulled 48.75 Gig so far this month. Not to mention it's a 1.3Ghz Celeron server, which would have crashed under the strain. But neither I nor anyone else noticed any slowdowns at all. Worst thing is that they charge $0.50 per extra Gb used, so I'm looking to pay $350 on top of what I already owe. And I definitely cannot afford that.

  2. #2
    Join Date: Jul 2003 | Location: Goleta, CA | Posts: 5,550
    Check /tmp and see if you've got some nasty malware in there, such as the common udp.pl flood script.
    Patron: I'd like my free lunch please.
    Cafe Manager: Free lunch? Did you read the fine print stating it was an April Fool's joke.
    Patron: I read the same way I listen, I ignore the parts I don't agree with. I'm suing you for false advertising.
    Cafe Owner: Is our lawyer still working pro bono?

  3. #3
    Everything seems in check in my /tmp folder. Just need to know of something that can analyse my logs to find out what pulled all that bandwidth, if at all.

    Thank you

  4. #4
    Join Date: Jun 2002 | Location: Waco, TX | Posts: 5,291
    It is very possible; we had on a shared server someone distributing an independent movie, and it was pushing 80-150mb/s (that is from a full production shared server!).

  5. #5
    Quote Originally Posted by (Stephen)
    It is very possible, we had on a shared server someone distributing an independent movie, it was pushing 80-150mb/s (that is from a full production shared server!)
    Not when my WHM says I've only pulled 48.75 Gig so far this month, and it monitors HTTP, FTP, SMTP and POP3 traffic.

  6. #6
    Join Date: Jun 2002 | Location: Waco, TX | Posts: 5,291
    Ah, then certainly check for a hack or other anonymous-FTP-type app running from /tmp.

  7. #7
    These are running as nobody in /tmp:-

    -rw-r--r-- 1 nobody nobody 6 Oct 19 10:41 dos-149.142.243.66
    -rw-r--r-- 1 nobody nobody 6 Oct 13 07:26 dos-193.80.44.146
    -rw-r--r-- 1 nobody nobody 5 Oct 20 18:09 dos-207.251.193.224
    -rw-r--r-- 1 nobody nobody 6 Oct 14 06:13 dos-212.238.241.41
    -rw-r--r-- 1 nobody nobody 6 Oct 23 02:00 dos-216.186.241.138
    -rw-r--r-- 1 nobody nobody 6 Oct 14 11:28 dos-219.215.48.78
    -rw-r--r-- 1 nobody nobody 6 Oct 16 20:53 dos-24.208.189.138
    -rw-r--r-- 1 nobody nobody 6 Oct 17 21:44 dos-24.30.27.5
    -rw-r--r-- 1 nobody nobody 5 Oct 14 15:17 dos-62.212.134.148
    -rw-r--r-- 1 nobody nobody 6 Oct 17 19:32 dos-65.191.145.77
    -rw-r--r-- 1 nobody nobody 5 Oct 15 05:16 dos-66.72.196.166
    -rw-r--r-- 1 nobody nobody 6 Oct 20 09:54 dos-67.172.192.30
    -rw-r--r-- 1 nobody nobody 6 Oct 21 08:38 dos-67.49.119.103
    -rw-r--r-- 1 nobody nobody 5 Oct 22 16:18 dos-68.185.195.194
    -rw-r--r-- 1 nobody nobody 6 Oct 13 13:22 dos-69.182.3.38
    -rw-r--r-- 1 nobody nobody 6 Oct 21 01:12 dos-69.61.153.250
    -rw-r--r-- 1 nobody nobody 5 Oct 16 13:23 dos-70.178.211.9
    -rw-r--r-- 1 nobody nobody 6 Oct 14 17:39 dos-72.67.64.27
    -rw-r--r-- 1 nobody nobody 6 Oct 22 06:25 dos-74.130.243.63
    -rw-r--r-- 1 nobody nobody 6 Oct 23 05:35 dos-81.193.133.19
    -rw-r--r-- 1 nobody nobody 6 Oct 21 04:30 dos-89.98.145.223

    But I'm sure those have been there before. And when I cat them out, they only contain 5-digit numbers and that's all.
    Last edited by spammy83; 10-23-2006 at 02:32 PM.

  8. #8
    Join Date: Jul 2003 | Location: Goleta, CA | Posts: 5,550
    Those are from mod_evasive.

  9. #9
    Well, nothing else in /tmp that is out of the ordinary.

  10. #10
    So could someone recommend me a script or something that can analyze my logs and tell me what caused the massive bandwidth spike?

  11. #11
    Join Date: Aug 2003 | Location: East Coast | Posts: 2,063
    I dunno about this...

    Was the traffic inbound or outbound?

    Can they tell you what port >50% of the traffic was generated on?

    I would ask them to provide a detailed audit log before paying them any money. I remember a couple years ago EV1 put my mrtg on the wrong switch port and it looked like I was going to go over my limit.

    Make it their burden to provide the proof.

  12. #12
    I've been asking them to provide me details. All they keep saying is that it is unmanaged hosting so they cannot provide support, blah blah blah. When it has something to do with me paying them extra, it should be their responsibility. But anyway. Here's the traffic log as it shows up from ev1. For some reason there is a major jump in outgoing bandwidth:-

    Date        Incoming Bytes    Outgoing Bytes      Total Incoming  Total Outgoing  Total Traffic
    10/22/2006  85,327,683,336    1,654,091,234,729   79.47 GB        1,540.49 GB     1,619.96 GB
    10/21/2006  81,860,008,573    1,652,421,464,865   76.24 GB        1,538.94 GB     1,615.18 GB
    10/20/2006  78,488,899,862    1,650,789,890,599   73.10 GB        1,537.42 GB     1,610.52 GB
    10/19/2006  75,155,247,883    1,648,949,276,139   69.99 GB        1,535.70 GB     1,605.69 GB
    10/18/2006  67,146,159,802    1,372,360,417,989   62.53 GB        1,278.11 GB     1,340.64 GB
    10/17/2006  62,990,485,086    940,256,707,399     58.66 GB        875.68 GB       934.34 GB
    10/16/2006  58,937,509,523    594,035,215,171     54.89 GB        553.24 GB       608.13 GB
    10/14/2006  51,410,636,276    14,512,561,934      47.88 GB        13.52 GB        61.40 GB
    10/13/2006  48,445,403,910    13,706,930,861      45.12 GB        12.77 GB        57.89 GB
    10/12/2006  44,997,209,673    12,756,926,867      41.91 GB        11.88 GB        53.79 GB

    Sorry about the spacing. I tried everything to get it to show up as a table on here.
    Last edited by spammy83; 10-23-2006 at 03:06 PM.
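
Added example (not from the thread or from EV1): a Python script that turns the cumulative counters in the table above into per-day outgoing traffic, spreads the two-day gap over the missing 10/15 row, and flags the days far above the month's baseline. The table rows are embedded as constructed sample input copied from the post; the 10x-median threshold and the reading of the provider's GB column as binary (1024^3) are the example's own assumptions.

```python
"""Turn the cumulative byte counters in the provider's table into per-day traffic
and flag the days that produced the overage.  Added example; the table rows are
constructed sample input copied from post #12 of the thread."""
from datetime import datetime
from statistics import median

# Constructed sample: Date, Incoming Bytes, Outgoing Bytes from the table above.
# The 10/15 row is absent, exactly as in the post.
SAMPLE_TABLE = """\
10/22/2006 85,327,683,336 1,654,091,234,729
10/21/2006 81,860,008,573 1,652,421,464,865
10/20/2006 78,488,899,862 1,650,789,890,599
10/19/2006 75,155,247,883 1,648,949,276,139
10/18/2006 67,146,159,802 1,372,360,417,989
10/17/2006 62,990,485,086 940,256,707,399
10/16/2006 58,937,509,523 594,035,215,171
10/14/2006 51,410,636,276 14,512,561,934
10/13/2006 48,445,403,910 13,706,930,861
10/12/2006 44,997,209,673 12,756,926,867
"""

# Assumption: the provider's "Total Outgoing" column is binary GB
# (1,654,091,234,729 B / 1024**3 = 1,540.49 GB matches the table).
GB = 1024 ** 3

def parse_counters(text):
    """Return (date, in_bytes, out_bytes) rows sorted oldest first."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        day = datetime.strptime(parts[0], "%m/%d/%Y").date()
        rows.append((day, int(parts[1].replace(",", "")), int(parts[2].replace(",", ""))))
    return sorted(rows)

def daily_deltas(rows):
    """Difference consecutive cumulative readings.  Each entry is
    (date, days_covered, in_delta, out_delta).  The 10/14 -> 10/16 reading covers
    two days, so per-day rates divide by days_covered instead of assuming one day."""
    return [(d1, (d1 - d0).days, i1 - i0, o1 - o0)
            for (d0, i0, o0), (d1, i1, o1) in zip(rows, rows[1:])]

def out_rate(delta):
    """Average outgoing bytes per day for one delta entry."""
    return delta[3] / delta[1]

def flag_anomalies(deltas, factor=10.0):
    """Days whose per-day outgoing rate exceeds factor x the median rate.
    Returns (date, GB per day, Mbit/s sustained) so the numbers can be checked
    against what the NIC and the box could plausibly push."""
    baseline = median(out_rate(d) for d in deltas)
    return [(d[0], out_rate(d) / GB, out_rate(d) * 8 / 86400 / 1e6)
            for d in deltas if out_rate(d) > factor * baseline]

def burst_bytes(deltas, factor=10.0):
    """Total outgoing bytes in the flagged periods: what the overage bill is for."""
    baseline = median(out_rate(d) for d in deltas)
    return sum(d[3] for d in deltas if out_rate(d) > factor * baseline)

if __name__ == "__main__":
    deltas = daily_deltas(parse_counters(SAMPLE_TABLE))
    for day, gb, mbit in flag_anomalies(deltas):
        print(f"{day}: {gb:.1f} GB/day outgoing (~{mbit:.1f} Mbit/s sustained)")
    print(f"burst total: {burst_bytes(deltas) / GB:.1f} GB")
```

On this table the script flags 10/16 through 10/19, a sustained rate of roughly 40 Mbit/s outbound, which is the figure to compare with the MRTG or switch-port record the host is asked for later in the thread.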

  13. #13
    BitTorrent PHP script running on your server most likely, using BW on ports you don't monitor.
    ^_^

  14. #14
    Join Date: Aug 2003 | Location: East Coast | Posts: 2,063
    yes, agreed

  15. #15
    Quote Originally Posted by Francisco
    BitTorrent PHP script running on your server most likely. Using BW on ports you don't monitor.
    No BitTorrent scripts installed. Plus my firewall blocks all non-essential ports.

  16. #16
    You can use the ifconfig command to see how much b/w is consumed on each interface, eth0 or eth1.

    To avoid such problems in future, install vnstat.
    I had the same problem 6 months back. My friend recommended the vnstat program to me. It keeps an exact and up-to-date log of each interface on our server. See this URL for vnstat usage:
    http://www.cyberciti.biz/tips/keepin...linux-box.html
    Last edited by goku123; 10-23-2006 at 04:23 PM.

  17. #17
    Join Date: Jun 2002 | Location: Waco, TX | Posts: 5,291
    You may want to hire a management company like Platinum Server Management to check this out for you.

  18. #18
    Quote Originally Posted by (Stephen)
    You may want to hire a management company like Platinum Server Management to check this out for you.
    If I had the cash for that, I probably wouldn't even bother complaining about the anomaly... I'd prefer just to install something that tells me what process or processes caused the major bandwidth spike during those 3 days. If someone could be so kind as to recommend me one.

  19. #19
    Join Date: Jun 2002 | Location: Waco, TX | Posts: 5,291
    Someone would tell you (I certainly would!) if there was such a tool, but the fact is, unless the software was already installed and configured before it happened, you are not likely to find out without digging really deep.

  20. #20
    Could someone possibly refer me to a tutorial or give some tips as to what I can do in this situation?

  21. #21
    Join Date: Jun 2004 | Posts: 37
    More than likely, someone is using your server without you knowing it. I believe your server is compromised; run a firewall, and block all ports but the ones you need. See if that works.

  22. #22
    Join Date: Aug 2002 | Location: DC | Posts: 3,635
    Have you checked bandmin? You can set up the username/password for it through WHM, then go to http://yourdomain.com/bandwidth/ to check it - it's a lot more accurate than WHM for the count, at least. Try running a portscan on your own server to see if any odd ports are open, or post the results of "ps aux" from a shell prompt here so we can take a look to see if anything odd is running.

    Matt

  23. #23
    Join Date: Oct 2005 | Location: Fleet Street | Posts: 3,243
    More than likely, someone is using your server without you knowing it. I believe your server is compromised; run a firewall, and block all ports but the ones you need. See if that works.
    It really does help to read the thread.

    Sorry that I don't have much to contribute on this issue - I'd perhaps request more detailed logs from EV1. Them showing you some random numbers wouldn't qualify as logs in my book.

  24. #24
    Results of ps aux:-

    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 1 0.0 0.0 1528 88 ? S Oct22 0:06 init [3]
    root 2 0.0 0.0 0 0 ? SW Oct22 0:00 [migration/0]
    root 3 0.0 0.0 0 0 ? SW Oct22 0:00 [keventd]
    root 4 0.0 0.0 0 0 ? SW Oct22 0:07 [kapmd]
    root 5 0.0 0.0 0 0 ? SWN Oct22 0:00 [ksoftirqd/0]
    root 8 0.0 0.0 0 0 ? SW Oct22 0:00 [bdflush]
    root 6 0.0 0.0 0 0 ? SW Oct22 0:45 [kswapd]
    root 7 0.0 0.0 0 0 ? SW Oct22 1:04 [kscand]
    root 9 0.0 0.0 0 0 ? SW Oct22 0:07 [kupdated]
    root 10 0.0 0.0 0 0 ? SW Oct22 0:00 [mdrecoveryd]
    root 14 0.0 0.0 0 0 ? SW Oct22 0:51 [kjournald]
    root 92 0.0 0.0 0 0 ? SW Oct22 0:00 [khubd]
    root 1298 0.0 0.0 0 0 ? SW Oct22 0:00 [kjournald]
    root 1300 0.0 0.0 0 0 ? SW Oct22 0:03 [loop0]
    root 1636 0.0 0.0 0 0 ? SW Oct22 0:00 [eth0]
    root 1746 0.0 0.0 1604 232 ? S Oct22 0:05 syslogd -m 0
    root 1750 0.0 0.0 1548 168 ? S Oct22 0:00 klogd -x
    root 1788 0.0 0.0 1584 156 ? S Oct22 0:00 mdadm --monitor -
    root 6249 0.0 0.0 8668 332 ? S Oct22 0:06 cupsd
    named 6277 0.1 1.3 42676 6872 ? S Oct22 3:44 /usr/sbin/named -
    root 6292 0.0 0.0 3656 224 ? S Oct22 0:01 /usr/sbin/sshd
    root 6306 0.0 0.0 2136 352 ? S Oct22 0:00 xinetd -stayalive
    root 6333 0.0 0.3 12892 1844 ? S Oct22 0:06 chkservd
    mailnull 6386 0.0 0.0 6640 288 ? S Oct22 0:01 /usr/sbin/exim -b
    mailnull 6390 0.0 0.0 6604 4 ? S Oct22 0:00 /usr/sbin/exim -t
    root 6396 0.0 0.1 2916 620 ? S Oct22 0:15 antirelayd
    root 6483 0.0 0.4 24184 2148 ? S Oct22 0:34 /usr/bin/spamd -d
    root 6498 0.0 0.0 6448 148 ? S Oct22 0:32 /usr/local/apache
    root 6512 0.0 0.0 5548 172 ? S Oct22 0:00 crond
    xfs 6610 0.0 0.0 5364 60 ? S Oct22 0:00 xfs -droppriv -da
    root 6712 0.0 2.8 24444 14208 ? S Oct22 0:09 spamd child
    root 6913 0.1 0.0 130524 4 ? SN Oct22 3:30 cpanellogd - sett
    nobody 6960 0.0 0.0 3808 4 ? S Oct22 0:00 entropychat
    root 6971 0.0 0.3 13880 1940 ? S Oct22 0:02 cppop - accepting
    root 6980 0.0 0.0 6924 192 ? S Oct22 0:00 pure-ftpd (SERVER
    root 6993 0.0 0.0 6676 68 ? S Oct22 0:00 /usr/sbin/pure-au
    mailman 7166 0.0 0.0 9928 152 ? S Oct22 0:00 /usr/local/bin/py
    mailman 7183 0.0 0.1 9924 664 ? S Oct22 0:32 /usr/local/bin/py
    mailman 7185 0.0 0.1 9920 704 ? S Oct22 0:34 /usr/local/bin/py
    mailman 7186 0.0 0.1 9896 664 ? S Oct22 0:33 /usr/local/bin/py
    mailman 7187 0.0 0.1 9944 672 ? S Oct22 0:32 /usr/local/bin/py
    mailman 7188 0.0 0.1 9900 712 ? S Oct22 0:33 /usr/local/bin/py
    mailman 7200 0.0 0.1 9912 716 ? S Oct22 0:34 /usr/local/bin/py
    mailman 7201 0.0 0.1 9928 696 ? S Oct22 0:35 /usr/local/bin/py
    mailman 7202 0.0 0.1 9924 692 ? S Oct22 0:00 /usr/local/bin/py
    root 7214 0.0 0.0 4628 88 ? S Oct22 0:00 rhnsd --interval
    root 7279 0.0 0.0 1532 4 ? S Oct22 0:00 /usr/sbin/portsen
    root 7293 0.0 0.0 1504 4 tty1 S Oct22 0:00 /sbin/mingetty tt
    root 7294 0.0 0.0 1504 4 tty2 S Oct22 0:00 /sbin/mingetty tt
    root 7295 0.0 0.0 1504 4 tty3 S Oct22 0:00 /sbin/mingetty tt
    root 7296 0.0 0.0 1504 4 tty4 S Oct22 0:00 /sbin/mingetty tt
    root 7297 0.0 0.0 1504 4 tty5 S Oct22 0:00 /sbin/mingetty tt
    root 7298 0.0 0.0 1504 4 tty6 S Oct22 0:00 /sbin/mingetty tt
    root 7299 0.0 0.0 1520 4 ttyS0 S Oct22 0:00 /sbin/agetty -L 9
    root 15927 0.0 0.5 17420 2732 ? S 00:24 0:01 cpsrvd - waiting
    cpanel 15952 0.0 0.0 3664 4 ? S 00:24 0:00 /usr/sbin/stunnel
    points 31460 0.0 0.0 130524 300 ? SN 03:01 0:00 cpanellogd - http
    points 2736 0.0 0.0 1380 192 ? SN 03:24 0:03 /usr/local/cpanel
    points 2737 0.2 31.7 420108 159384 ? TN 03:24 1:54 /usr/local/cpanel
    root 1343 0.0 0.1 7044 936 ? S 09:05 0:05 sshd: [email protected]/0
    root 1360 0.0 0.1 5464 912 pts/0 S 09:05 0:01 -bash
    root 6692 0.0 0.1 5316 704 ? S 09:21 0:00 /bin/sh /usr/bin/
    mysql 6752 0.0 6.2 101032 31552 ? S 09:21 0:09 /usr/sbin/mysqld
    mysql 6773 0.0 6.2 101032 31552 ? S 09:21 0:00 /usr/sbin/mysqld
    mysql 6774 0.0 6.2 101032 31552 ? S 09:21 0:12 /usr/sbin/mysqld
    mysql 6780 0.0 6.2 101032 31552 ? S 09:21 0:09 /usr/sbin/mysqld
    mysql 6874 0.4 6.2 101032 31552 ? S 09:21 2:44 /usr/sbin/mysqld
    mysql 7511 0.0 6.2 101032 31552 ? S 09:23 0:09 /usr/sbin/mysqld
    mysql 7512 0.0 6.2 101032 31552 ? S 09:23 0:09 /usr/sbin/mysqld
    mysql 7526 0.0 6.2 101032 31552 ? S 09:23 0:10 /usr/sbin/mysqld
    mysql 7680 0.0 6.2 101032 31552 ? S 09:24 0:10 /usr/sbin/mysqld
    mysql 7681 0.0 6.2 101032 31552 ? S 09:24 0:23 /usr/sbin/mysqld
    mysql 7750 0.0 6.2 101032 31552 ? S 09:24 0:09 /usr/sbin/mysqld
    mysql 7800 0.0 6.2 101032 31552 ? S 09:24 0:09 /usr/sbin/mysqld
    mysql 7843 0.0 6.2 101032 31552 ? S 09:24 0:09 /usr/sbin/mysqld
    mysql 7925 0.0 6.2 101032 31552 ? S 09:25 0:10 /usr/sbin/mysqld
    mysql 8131 0.0 6.2 101032 31552 ? S 09:25 0:10 /usr/sbin/mysqld
    mysql 8176 0.0 6.2 101032 31552 ? S 09:25 0:09 /usr/sbin/mysqld
    mysql 8191 0.0 6.2 101032 31552 ? S 09:25 0:09 /usr/sbin/mysqld
    mysql 8192 0.0 6.2 101032 31552 ? S 09:25 0:09 /usr/sbin/mysqld
    mysql 8194 0.0 6.2 101032 31552 ? S 09:25 0:09 /usr/sbin/mysqld
    mysql 8217 0.0 6.2 101032 31552 ? S 09:26 0:09 /usr/sbin/mysqld
    mysql 8239 0.0 6.2 101032 31552 ? S 09:26 0:10 /usr/sbin/mysqld
    mysql 8240 0.0 6.2 101032 31552 ? S 09:26 0:11 /usr/sbin/mysqld
    mysql 8579 0.0 6.2 101032 31552 ? S 09:27 0:08 /usr/sbin/mysqld
    mysql 8588 0.0 6.2 101032 31552 ? S 09:27 0:09 /usr/sbin/mysqld
    mysql 8627 0.0 6.2 101032 31552 ? S 09:27 0:09 /usr/sbin/mysqld
    mysql 8645 0.0 6.2 101032 31552 ? S 09:27 0:09 /usr/sbin/mysqld
    mysql 8675 0.0 6.2 101032 31552 ? S 09:27 0:09 /usr/sbin/mysqld
    mysql 8841 0.0 6.2 101032 31552 ? S 09:28 0:09 /usr/sbin/mysqld
    mysql 9054 0.0 6.2 101032 31552 ? S 09:29 0:10 /usr/sbin/mysqld
    mysql 9103 0.0 6.2 101032 31552 ? S 09:29 0:09 /usr/sbin/mysqld
    mysql 9104 0.0 6.2 101032 31552 ? S 09:29 0:10 /usr/sbin/mysqld
    mysql 9178 0.0 6.2 101032 31552 ? S 09:29 0:09 /usr/sbin/mysqld
    mailnull 9454 0.0 0.3 8824 1964 ? S 09:30 0:02 eximstats
    mysql 9466 0.0 6.2 101032 31552 ? S 09:30 0:09 /usr/sbin/mysqld
    mysql 9467 0.0 6.2 101032 31552 ? S 09:30 0:09 /usr/sbin/mysqld
    mysql 9482 0.0 6.2 101032 31552 ? S 09:30 0:09 /usr/sbin/mysqld
    mysql 9483 0.0 6.2 101032 31552 ? S 09:30 0:09 /usr/sbin/mysqld
    mysql 9495 0.0 6.2 101032 31552 ? S 09:30 0:08 /usr/sbin/mysqld
    mysql 9496 0.0 6.2 101032 31552 ? S 09:30 0:10 /usr/sbin/mysqld
    mysql 9504 0.0 6.2 101032 31552 ? S 09:30 0:08 /usr/sbin/mysqld
    mysql 9811 0.0 6.2 101032 31552 ? S 09:31 0:10 /usr/sbin/mysqld
    mysql 9814 0.0 6.2 101032 31552 ? S 09:31 0:09 /usr/sbin/mysqld
    mysql 9821 0.0 6.2 101032 31552 ? S 09:31 0:09 /usr/sbin/mysqld
    mysql 9834 0.0 6.2 101032 31552 ? S 09:31 0:08 /usr/sbin/mysqld
    mysql 9840 0.0 6.2 101032 31552 ? S 09:31 0:10 /usr/sbin/mysqld
    mysql 9858 0.0 6.2 101032 31552 ? S 09:31 0:08 /usr/sbin/mysqld
    mysql 9863 0.0 6.2 101032 31552 ? S 09:31 0:08 /usr/sbin/mysqld
    mysql 9883 0.0 6.2 101032 31552 ? S 09:31 0:08 /usr/sbin/mysqld
    mysql 9886 0.0 6.2 101032 31552 ? S 09:31 0:08 /usr/sbin/mysqld
    mysql 9897 0.0 6.2 101032 31552 ? S 09:31 0:09 /usr/sbin/mysqld
    mysql 9939 0.0 6.2 101032 31552 ? S 09:31 0:11 /usr/sbin/mysqld
    mysql 9941 0.0 6.2 101032 31552 ? S 09:31 0:09 /usr/sbin/mysqld
    mysql 9950 0.0 6.2 101032 31552 ? S 09:31 0:08 /usr/sbin/mysqld
    mysql 9956 0.0 6.2 101032 31552 ? S 09:31 0:08 /usr/sbin/mysqld
    root 8973 0.0 0.1 24184 964 ? S 13:37 0:00 spamd child
    nobody 30370 0.2 0.3 6584 1812 ? S 19:13 0:00 /usr/local/apache
    nobody 30379 0.2 0.3 6756 2008 ? S 19:13 0:00 /usr/local/apache
    nobody 30382 0.1 0.4 6892 2084 ? S 19:13 0:00 /usr/local/apache
    nobody 30471 0.2 0.3 6896 1996 ? S 19:14 0:00 /usr/local/apache
    nobody 30587 0.1 0.3 6620 1768 ? S 19:14 0:00 /usr/local/apache
    nobody 30603 0.3 0.4 6880 2056 ? S 19:14 0:00 /usr/local/apache
    nobody 30604 0.4 0.4 6892 2024 ? S 19:14 0:00 /usr/local/apache
    nobody 30623 0.4 0.4 6588 2200 ? S 19:14 0:00 /usr/local/apache
    nobody 30624 0.3 0.3 6616 1836 ? S 19:14 0:00 /usr/local/apache
    nobody 30715 0.5 0.3 6584 1680 ? S 19:15 0:00 /usr/local/apache
    root 30730 0.1 0.1 6044 780 ? S 19:15 0:00 crond
    root 30736 0.1 0.1 2128 872 ? S 19:15 0:00 /bin/sh -c /usr/l
    nobody 30742 1.0 0.3 6620 1780 ? S 19:15 0:00 /usr/local/apache
    nobody 30743 0.5 0.3 6584 1736 ? S 19:15 0:00 /usr/local/apache
    root 30746 2.5 0.6 4872 3440 ? S 19:15 0:00 /usr/local/cpanel
    nobody 30767 1.4 0.3 6580 1656 ? S 19:15 0:00 /usr/local/apache
    nobody 30768 0.4 0.3 6580 1716 ? S 19:15 0:00 /usr/local/apache
    nobody 30769 0.8 0.3 6896 2000 ? S 19:15 0:00 /usr/local/apache
    nobody 30770 1.0 0.3 6580 1668 ? S 19:15 0:00 /usr/local/apache
    root 30771 1.4 0.2 2096 1064 ? S 19:15 0:00 top -n 2 -b -c
    points 30789 1.3 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30792 2.3 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30794 1.6 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30803 3.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30806 3.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30811 6.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30812 5.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30815 5.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30816 6.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30820 6.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30823 6.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30826 4.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30827 6.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30831 0.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30832 0.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    points 30834 0.0 0.5 40652 2880 ? R 19:15 0:00 /usr/bin/php nlhn
    points 30835 0.0 0.0 0 0 ? Z 19:15 0:00 [php <defunct>]
    root 30837 0.0 0.1 2856 848 pts/0 R 19:15 0:00 ps aux
    points 30838 0.0 0.1 7252 884 ? R 19:15 0:00 /usr/bin/php colu

  25. #25
    Join Date: Jul 2005 | Posts: 364
    Is this a remote MySQL server?

    Mini

  26. #26
    Join Date: Aug 2002 | Location: DC | Posts: 3,635
    These lines are of interest to me, primarily the first 2.

    points 30834 0.0 0.5 40652 2880 ? R 19:15 0:00 /usr/bin/php nlhn
    points 30838 0.0 0.1 7252 884 ? R 19:15 0:00 /usr/bin/php colu
    root 30736 0.1 0.1 2128 872 ? S 19:15 0:00 /bin/sh -c /usr/l

    Can you post "ps aux" but with the full lines showing? An easy way to show the full lines that your shell cuts off is by typing:

    ps aux | grep ""

    (that's two double quotes after grep)

    Matt

  27. #27
    Join Date: Dec 2002 | Location: chica go go | Posts: 11,858
    These lines are of interest to me, primarily the first 2.

    points 30834 0.0 0.5 40652 2880 ? R 19:15 0:00 /usr/bin/php nlhn
    points 30838 0.0 0.1 7252 884 ? R 19:15 0:00 /usr/bin/php colu
    root 30736 0.1 0.1 2128 872 ? S 19:15 0:00 /bin/sh -c /usr/l

    Can you post "ps aux" but with the full lines showing? An easy way to show the full lines that your shell cuts off is by typing:

    ps aux | grep ""

    (that's two double quotes after grep)

    Matt
    I think he's running phpsuexec, and the script filenames were just cut off.

    Run

    netstat -nap

    as root, and tell us what it returns. If you have to, run

    netstat -nap > /usr/local/apache/htdocs/netstat.txt

    and then send us a link to netstat.txt.


    Also, make things easier to read by wrapping your output in [code] tags.

  28. #28
    I have attached the results of netstat -nap

  29. #29
    Join Date: May 2004 | Location: Toronto, Canada | Posts: 5,083
    FYI, Platinum Server Management is only $30/month, and there are others like Rack911 that will take a quick look and not charge you a lot. I only suggest this as you either have a very naughty user or are compromised, so you really need to invest in getting to the root cause of this.

    WHM, bandmin, etc. are not 100% accurate; WHM is notoriously off as it only monitors certain ports.

  30. #30
    Join Date: Dec 2002 | Location: chica go go | Posts: 11,858
    Alright, do this stuff and send us back the output.

    /usr/sbin/exim -bpc


    This will tell us how many emails are in your email queue. It could be an indicator of attacks.

    next, open up your httpd.conf, and change this section:

    Code:
    <Location /whm-server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
    ExtendedStatus On
    to...

    Code:
    <Location /whm-server-status>
        SetHandler server-status
    </Location>
    ExtendedStatus On
    Save the file, and run

    /etc/init.d/httpd stop

    after a couple of seconds, run

    /etc/init.d/httpd startssl


    If it says "httpd is already running" right after you run startssl, run it repeatedly until it fully starts. It's safe to ignore virtualhost overlap warnings.


    Next, go to http://yourserver.com/whm-server-status/ and look over all activity. Also, send us back the very top of the file, everything above the connections table.


    [edit]


    Also, run this just for the sake of stupid processes that have no business being run

    /etc/init.d/cups stop
    Last edited by ub3r; 10-24-2006 at 04:11 PM.

  31. #31
    Join Date: Jan 2005 | Location: Scotland, UK | Posts: 2,549
    What is the output of:

    cat /proc/net/dev
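
Added example, not from the thread: a Python script that parses /proc/net/dev (the output asked for here, and the same counters that ifconfig and vnstat in post #16 read), takes two snapshots an interval apart and reports per-interface throughput, so the interface carrying the outgoing traffic can be handed to netstat or iptraf. The two snapshots are constructed sample input; the 32-bit counter width (wrap at 4 GiB) is an assumption about the 2.4-era i386 kernel visible in the ps output.

```python
"""Per-interface throughput from two /proc/net/dev snapshots.  Added example;
the snapshots below are constructed, not captured from the poster's server."""
import time

# Assumption: 32-bit byte counters (2.4-era i386 kernel), which wrap at 4 GiB.
COUNTER_BITS = 32

# Constructed sample snapshots in /proc/net/dev's layout, taken 10 seconds apart.
# eth0's transmit counter wraps between them (4,290,000,000 -> 50,000,000), and
# its receive counter is glued to the colon, as the kernel prints wide values.
SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0:4294000000 3100000    0    0    0     0          0         0 4290000000 2900000    0    0    0     0       0          0
"""
SNAP_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0:4294900000 3100800    0    0    0     0          0         0 50000000 2950000    0    0    0     0       0          0
"""

def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)}.  Each data line is 'iface:' followed
    by 16 counters; rx bytes is the first, tx bytes the ninth.  Split on ':'
    first because the colon may be glued to the first number."""
    counters = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:
            continue
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters

def counter_delta(old, new, bits=COUNTER_BITS):
    """Difference between two counter readings, correcting a single wrap-around."""
    if new >= old:
        return new - old
    return new + (1 << bits) - old

def throughput(snap0, snap1, seconds):
    """Per-interface (rx_bytes_per_s, tx_bytes_per_s) between two snapshots."""
    c0, c1 = parse_proc_net_dev(snap0), parse_proc_net_dev(snap1)
    rates = {}
    for iface in c0.keys() & c1.keys():
        rx = counter_delta(c0[iface][0], c1[iface][0]) / seconds
        tx = counter_delta(c0[iface][1], c1[iface][1]) / seconds
        rates[iface] = (rx, tx)
    return rates

def mbit_per_s(bytes_per_s):
    return bytes_per_s * 8 / 1e6

def busiest_interface(rates):
    """The interface with the highest outgoing rate: where to point netstat/iptraf next."""
    return max(rates, key=lambda i: rates[i][1])

def live_sample(seconds=10):
    """Two real readings `seconds` apart (Linux only; not used by the sample run)."""
    with open("/proc/net/dev") as f:
        s0 = f.read()
    time.sleep(seconds)
    with open("/proc/net/dev") as f:
        s1 = f.read()
    return throughput(s0, s1, seconds)

if __name__ == "__main__":
    rates = throughput(SNAP_T0, SNAP_T1, 10)
    for iface, (rx, tx) in sorted(rates.items()):
        print(f"{iface}: in {mbit_per_s(rx):.2f} Mbit/s  out {mbit_per_s(tx):.2f} Mbit/s")
    print("busiest outbound:", busiest_interface(rates))
```

Without the wrap correction the sample's eth0 transmit delta would come out negative; with it the interface shows about 44 Mbit/s outbound, the same order of magnitude as the overage in the provider's table.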

  32. #32
    Join Date: Feb 2006 | Location: Buffalo NY | Posts: 1,348
    Try running a scanning tool like clamav, rkhunter, etc.

  33. #33
    Join Date: Apr 2005 | Posts: 81
    Install iptraf and check your current traffic levels. If they're high, poke around with iptraf a bit further; it should tell you what port is hoovering packets. You can then cross-check it with netstat to find the culprit.

    Kev
