what to look out for in the log files, but a couple of things jumped out at me over the weekend:
I had 5 of these, I followed the link (I suppose is the referrer) but it takes you to a polish-hosted russian webpage that tries to infect your browser. So DONT VISIT THE WEBSITE unless you're virus checker is fully up to date!
Code:
shop.######.com: [15/Dec/2007:02:52:43 +0000] 87.118.120.23 - - "GET / HTTP/1.0" 200 21466 [url] (compatible; MSIE 6.0; Windows NT 5.2; Win64; AMD64)"
As this is only a GET, I'm not sure what the purpose of this really was.
Also I seem to be getting loads of these recently:
Code:
shop.######.com: [17/Dec/2007:08:21:41 +0000] 82.19.60.98 - - "GET /_vti_bin/index.php?main_page=page_not_found HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)"
Which I read is an automated hacker-bot checking for an unpatched MS server.
So my question is this;
What's the most effective thing we (as webmasters/hosts) can do to combat and report this sort of thing so we fight back against what's likely to be related to organised crime?
Well one of my servers has been under a DDoS attack for a while and I've been doing things to keep it down but there is a suspicious process that keeps running and I am guessing that is whats keeping the server load up because when I stop apache the load goes down but not for long.
I have a small VPS, with few websites each one with very low visitors in average less than100 visits per day
CentOS 2.6.9 Plesk PHP 5.1.6 Apache/2.2.3
Few days ago some Forum spammers signed up to one of the forums. One of them: stopforumspam.com/ipcheck/212.178.2.3
Today I was away for few 5 hours after I came back I recived a notice from my script that "SMF could not connect to the database"
I checked and I noticed almost all of my sites are not responding. MySql was working. A script on remote server which uses mysql from my server loaded but with dealy
------------------Next step------------------- log to SSH # uptime # 12:XX:XX up XXX days, 5:06, X users, load average: 10.58, 8.86, 5.86
I am an administrator/developer for a website and we are using Awstats to get the usage statistics. Lately we are getting hits from a bunch of IP Addresses which differ only in the Host ID part.
For example:
Here are the logs
Address-------Page Views----------Last visit 64.12.116.209----25------------17 Jun 2008 12:22 64.12.110.94------2------------17 Jun 2008 12:20 64.12.116.142----11------------17 Jun 2008 12:20 64.12.116.135----42------------17 Jun 2008 12:19 64.12.116.130----18------------17 Jun 2008 12:17 64.12.116.80-----11------------17 Jun 2008 12:17 64.12.116.139----15------------17 Jun 2008 12:15 64.12.116.132----16------------17 Jun 2008 12:14 64.12.116.210----33------------17 Jun 2008 12:10 64.12.116.208----21------------17 Jun 2008 12:06 64.12.116.144-----3------------17 Jun 2008 12:04 64.12.117.5------22------------17 Jun 2008 12:20 64.12.117.11-----50------------17 Jun 2008 12:16 64.12.117.8------56------------17 Jun 2008 12:08 64.12.117.207----17------------17 Jun 2008 12:07 .. ...
Notice how most of the IP addresses are 64.12.116.xxx or 64.12.117.yyy. Similarly I found addresses matching 65.55.109.zzz and a bunch more.
This is making me wonder if this is some kind of an attack (Especially since Awstats seems to say that the hosts list does not include the IP addresses of spiders/crawlers/bots)? We are concerned. Please advise.
The above Hosts List (sorted by Last Visit) was generated by using Awstats our website logs.
While there's no problem in our server sometimes loading increases extremely ( over 100 ) While my checkings i stopped the apachi and check the logs , i've seen the lines above
Quote:
[Sun Jan 28 14:26:33 2007] [error] [client 88.243.102.59] File does not exist: /home/xxxx/public_html/404.shtml [Sun Jan 28 14:27:12 2007] [error] [client 88.226.41.159] File does not exist: /home/xxxxxx/public_html/Themes/colatesi_v3/images/exp.gif [Sun Jan 28 14:27:12 2007] [error] [client 88.226.41.159] File does not exist: /home/xxxxxx/public_html/404.shtml
[Sun Jan 28 14:34:21 2007] [error] child process 20292 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 20105 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 20287 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 19964 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 20298 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 20106 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 20278 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 20279 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 20299 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 20281 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 20110 still did not exit, sending a SIGKILL [Sun Jan 28 14:34:21 2007] [error] child process 20111 still did not exit, sending a SIGKILL
[Sun Jan 28 14:34:22 2007] [error] could not make child process 19022 exit, attempting to continue anyway [Sun Jan 28 14:34:22 2007] [error] could not make child process 19077 exit, attempting to continue anyway [Sun Jan 28 14:34:22 2007] [notice] caught SIGTERM, shutting down
We're currently looking into migrating a two-server HA setup to something VPS-based, mainly because we'd like to leave the HA stuff (data replication to hot-standby server, fail-over) to the hoster.
We hope to find somebody that hosts VPSs on a cluster of machines, replicates the VPS filesystems to a hot-standby node and, in case of cluster node failure, simply reboots the VPSs that the failed cluster node took with it on the hot-standby node. To us from inside the VPS this would then simply look like a single highly available server. No more database replication, etc.
The only company that offers this seems to be thomas-krenn.com. If I understand them correctly, they build two-server Linux clusters, run Virtuozzo on both servers and replicate the filesystem of the VPSs by means of DRBD from the active cluster node to the hot-standby node. In case of failure of the active node the VPSs are booted on the hot-standby node. So, I should be up and running again in a matter of minutes, probably after a filesystem check.
This sounds pretty intriguing to me and I wonder whether this is as good as it sounds. Does anybody have any experience with thomas-krenn.com and their clustered VPS offering?
Do you know of anybody else that offers something like this? Sounds like a logical next step in VPS hosting to me, so there should be other people with the same idea.
I guess that the grid/utility computing people out there do something similar.
However, most reviews of these companies that I've read were pretty devastating.
I posted a review about Tailor Made Servers (TMS) back in December of 2008 however it was wiped out during the infamous "WHT Incident" but I see that it has returned, although in a very incomplete state. Here is a repost of the original review along with a few minor changes to celebrate our 2 year anniversary! (Changes made to original review will have a red font color.)
Technical Support [10/10]:
First things first, TMS are an un-managed provider so don't expect any hand holding if you run into some obscure software or operating system problems. That's not to say TMS wouldn't help you, I'm sure they would to some extent, but it should never be expected from an un-managed provider.
We have a total of 74 tickets recorded with TMS since April of 2007. Twelve of those tickets were high priority requests to either manually reboot a server or check the console. Three of those high priority tickets were false alarms, but the other seven tickets were all answered within a few minutes at the very most.
When I say the tickets were answered, I don't mean a canned reply of "We're looking into it!" then an hour later someone decides to start working on it and then another hour later it's finally resolved. If you submit a high priority ticket, it's given immediate attention and resolved as fast as humanly possible.
Manual reboots take on average 10 minutes, some have been performed in a couple of minutes while the longest we ever had to wait was about 15 minutes which is what they advertise. There have only been a couple of hardware issues, a failing NIC was recently replaced in under 15 minutes, a server died last month and a chassis swap was done in under 3 hours. Hard to find any faults here - the technical support & response times are very reassuring and above average when compared to a lot of other un-managed providers.
Network & Uptime [10/10]:
TMS are located in the prestigious Colo4Dallas facility and using an impressive blend of InterNAP, Level3, Time Warner and XO Communications for bandwidth providers. There are also InterNAP FCP devices in use to attempt to provide the most efficient routing possible and also work around any problems thanks to its intelligent routing capabilities. This differs from BGP in the sense that BGP will always provide the shortest path possible - not necessarily the best path.
The latency and throughput are what you would expect from a reasonably multi-homed provider in Texas. Typical response times to my location in Ontario, Canada are about 60ms while response times to the United Kingdom are around 110ms. Average response times to other parts of the US are nothing short of impressive, 25ms to Chicago, 35ms to Los Angeles, 20ms to Atlanta and 50ms to Seattle.
There was a network blip on March 31, 2009 that caused some instability due to an apparent network upgrade that went wrong. These things do happen, however I feel that communication could have been a bit better in terms of notifying clients in advance. Outside of that one issue the last significant outage was in May of 2007 when a faulty router module had to be replaced and the downtime was a little under 1 hour. TMS clearly has a solid network and should satisfy everyone from web hosting providers looking for maximum uptime to die hard gamers looking for the lowest latency possible.
Hardware Quality & Deployment [10/10]:
All of the newer servers are Dell so you know you're getting quality hardware. The hard drives are a mix of new and old, but they all work perfectly fine with no S.M.A.R.T errors detected using multiple short & long tests. Some people would prefer to always have brand new hard drives, but that's not very economical for a lot of providers and I'm totally OK with that.
Servers are deployed extremely fast during business hours. In most cases if you order a server in the morning, it'll be setup later that afternoon. I've never had to wait more than 6 hours for a server, but I tend to order in the morning so I can't comment on how fast deployments are later in the day or on weekends.
The best deals for TMS are listed under the Dedicated Hosting Offers forum and not on their website, so be sure to check them out. Ordering a server from TMS is completely hassle free and straight forward. You pick the server configuration, pay via PayPal or Credit Card and wait for deployment. There's no faxing or scanning of documents and what not for verification of orders - but I'm sure JoseQ does his own fraud screening.
Overall [9/10]
I can't say enough good things about Tailor Made Servers! The staff is very knowledgeable and genuinely shows that they care, the response times are nothing short of incredible and I can honestly say I sleep better at night knowing our servers are in good hands if something goes wrong.
It truly is a great feeling not always having to worry about network problems, or how long it's going to take to get a manual reboot done, or replace failing hardware if need be. TMS are on top of their game, definitely one of the most underrated and under mentioned providers on WHT!
Why did I rate TMS 9 out of 10 after this glowing review? Well, there's always room for improvement and I don't think it's realistic to rate any provider a 10 out of 10. So what can be improved? When I first posted this review last year, I mentioned that KVM access would be nice and I believe they have since been added - perhaps JoseQ can clarify on that. You know, I honestly can't think of anything major I would like to see improved at this point.
That's pretty much it; if you're looking for an unrivaled dedicated server provider definitely take a look at Tailor Made Servers! Their best deals are always under the Dedicated Hosting Offers forum so be sure to check that out or send TMS - JoseQ a message to see what they can do for you. You have my word, you will not be disappointed and the only regret you'll ever have with TMS is not signing up earlier.
Tailor Made Servers - TMS - 1 Year and 8 Month Review - Highly Recommended!
Here's my long overdue review for Tailor Made Servers [url] and I'd like to urge everyone looking for a high quality unmanaged provider to take a few minutes to read this. I'm terrible at writing long posts, so I apologize if this review is a bit all over the place - it's just so hard to contain my excitement!
Technical Support [10/10]: First things first, TMS are an unmanaged provider so don't expect any hand holding if you run into some obscure software or operating system problems. That's not to say TMS wouldn't help you, I'm sure they would to some extent, but it should never be expected from an unmanaged provider.
We have a total of 57 tickets recorded with TMS since April of 2007. Ten of those tickets were high priority requests to either manually reboot a server or check the console. Three of those high priority tickets were false alarms, but the other seven tickets were all answered within a few minutes at the very most.
When I say the tickets were answered, I don't mean a canned reply of "We're looking into it!" then an hour later someone decides to start working on it and then another hour later it's finally resolved. If you submit a high priority ticket, it's given immediate attention and resolved as fast as humanly possible.
Manual reboots take on average 10 minutes, some have been performed in a couple of minutes while the longest we ever had to wait was about 15 minutes which is what they advertise. There have only been a couple of hardware issues, a failing NIC was recently replaced in under 15 minutes, a server died last month and a chassis swap was done in under 3 hours. Hard to find any faults here - the technical support
my Windows 2003 server is showing a very steady amount of action on Port 1028 and Port 135.
The Process is listed as "Unknown" with a PID of 0 The Local IP is 127.0.0.1 The Remote IP is 127.0.0.1 The Remote Port is either 1028 or 135 The State is "TIME_WAIT" The Protocol is TCP
The path to the executable is blank. At any given time there are at least 20 active processes of this. The virus scan says all is well.
I am interested in setup user activity limits to avoid peaks on the server load, I have readen a lot about PAM and limits.conf but still have no idea on how set this limits. Most of the examples are similar to this page http://www.seifried.org/lasg/users/ but they are still confusing to me
>> I would like to setup rules like this:
Customers may not use more than 2% CPU daily, 3% memory daily, run more than 10 simultaneous processes per user, allow any process to run for longer than 30 CPU seconds, run any process that consumes more than 20% of available CPU at any time, or run any process that consumes more than 16 MB of memory.
Last week, we received a letter [url] from Companies House (the UK entity which governs companies).
It was addressed to Exoware, with all the correct contact details, reminding me to submit statutory documents by a certain date or face a fine and/or prosecution. It was sent to us, because apparently, Exoware is a director of Jarhosts limited. This is not true. We have never even heard of Jarhosts limited up to this point, but it appears they had ceased trading by the time we received the letter.
A few emails were exchanged between us and Companies House, which didn't really get us anywhere as they couldn't seem to understand our position, so I phoned them up myself. I got through to someone and explained our position and she informed me about the company and said they registered Exoware as a director of Jarhosts limited on 05/12/08 and they themselves promptly resigned from the company afterwards, so Exoware was the only remaining director.
After I declared that Exoware had no affiliation whatsoever with Jarhosts limited, she promptly forwarded the case to a department for dealing with fraudulent documents and said the company will dissolve soon and that we may hear from Companies House fraud department in the future.
So, my concerns are now at ease, but my curiosity still remains.
Does anybody know Jarhosts; how long they were around for, who they were owned by, or any relevant information about them? Or does anybody know of any reason that people would sign up a random business in the same industry as a director before bailing out of their own company? It all seems very obscure.
I have a dedicated box with Fasthosts and they tell me they've detected that the server is talking out to other networks via IRC although there's no activity on port 53.
Can anyone point me in the right direction of steps to take to find out what this is and eliminate it?
Recent changes to server include... Started SpamAssassin (with network checks on - could these be the cause?) Installed Mongrel as a proxy server for RoR apps and configured Apache on port 80 to make use of two Mongrel processes.
Some other data about server as requested on sticky thread on this board:
Linux OS: Fedora Core 6 Kernel: 2.6.18-1.2798.fc6 Control Panel: Matrix LSA
On Cpanel/WHM. I have just moved from a VPS to a dedicated server. I reinstalled munin, so get some stats via that. I used to have apachetop loaded on my VPS for when I wanted a 'near realtime' streaming view of apache access.
I'm wondering what the best solution is to get a good view of apache, like what apachetop did, plus also it would be nice to have a real-time monitor of MySQL activity, HDD activity (such as I/O queues, etc. Something along the lines of the perfmon on Windows servers.
What is my best option?
Also, with Nagios, when I look at the website, it seems there are two options. Load it on a single server and then load the stats via [url]or have the Nagios 'stat collector' on one machine, and have it gathering stats from multiple machines.
If you only install it on a single dedicated server, do you really have to be on the console and connect to the Nagios stats via localhost, rather than connecting remotely? Ideally, I would like a quick, easy to setup solution, but if it takes some configuring, I can deal with it, as long as there is some documentation. My main goal is to get the real time type monitoring, you get with window's perfmon.
I wanted to share a little about my experience with VistaPages Web Hosting. I have a wonderful experience with them as a client, I started a new website last year and searched for a server host for the site and I came accross VistaPages and I am so happy I did. Their service is by far the best I have experienced so far, they really care about their customers, very professional. I ran into a little problem with the script I purchased from another Company for the website, they wanted to charge me again for a reinstall and I didn't really want to do that, so I contacted VistaPages about the problem I had with the website's script and told them that they wanted to charge me again, to my surprise VistaPages went out of their way and reinstalled the script for me at no cost, I couldn't believe they would do that for me but they did, they really care about their customers. The support staff always respond quickly and take care of any problems that arise. They are very courteous, professional, and most importantly very caring to your needs and concerns. One of the most important features of a web hosting company is their knowledge, VistaPages is the best that is out there, they really know all the aspects that is required of a web hosting company. I just started another website and I contacted them immediately to host the new site, with VistaPages hosting your websites you can;t help but have success! I would highly recommend them as a web hosting company for your websites.
Running programs named Perl with Heavy CPU usage, with the ownership of user apache.
We found the problem on Fedora 3 and Fedora 6.
In our case, it was the result of a Trojan activity.
Quick Solution
Check the cron jobs of user apache crontab -u apache -e */1 * * * * perl /tmp/.tmp/tmpfile delete the cronjob entry. Also delete the file /tmp/.tmp/tmpfile also added "apache" to the file /etc/cron.deny
I couldn't keep my mouth shut (technically fingers). A customer wanted to upgrade servers and he needed a way to move the data across. Since I don't allow hard drives to be swapped, they have to do it manually all by themselves. I generally allow up-to 4 days for them to transfer data and make DNS changes, etc. But this time, I offered help! I agreed to move the data (darn me) and it just came out of me, involuntarily.
God knows what just happened... but in a positive way, customer is extremely happy!
So...
Both servers are on cPanel - with root access (duh)
200 odd files which total to 25 GB
1 database about 100 MB in size (no biggie)
I was planning on using one of my Windows 2003 servers (via remote desktop) to download the 25 GB and upload the 25 GB, but that sounds like a waste of resources and time.
When I upload a file in FTP I can not see the file, When I upload the file again asked me to file any replaced it exists, When using Cpanel can upload any file, And working well.
When watching the size of folders I find little in the FTP but sized Cpanel see him very different.
I found that recently a lot of nobody files appear in my /tmp.
I delete and delete.. by still same. I don't know how to trace where they from. I suspect is from my hosting users, but I don't know how to check and trace. Anybody can give me some guide?