How can I get rootkit hunter to email me the results?
I tried
MAILTO=me@mydomain
0 0 * * * /root/rkhunter-1.3.2/files/rkhunter --cronjob
and
MAILTO=me@mydomain 0 0 * * * /root/rkhunter-1.3.2/files/rkhunter --cronjob
But it is not sending the email, nothing even show up in my exim_mainlog.
how i can install rootkit hunter on centOs?
and is it different with CHKROOTKIT?
how to correct it?
Code:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for prerequisites [ Warning ]
The file of stored file properties (rkhunter.dat) does not exist, and so must be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
I was thinking of getting one of our server admins to install the Rootkit Hunter.
Would this have any effect on our server resources and stability.
Im trying to be more security minded after afew weeks ago when our server was hijacked, and I dont want to go through this again.
How can I stop the rootkit hunter false positives?
It is alerting on these, on a fresh OS install:
Checking for prerequisites [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
2009/05/19 03:15:01 ossec-rootcheck: No rootcheck_files file: './db/rootkit_files.txt'
2009/05/19 03:15:01 ossec-rootcheck: No rootcheck_trojans file: './db/rootkit_trojans.txt'
How can i 'fix' this?
other options over chkrootkit and rkhunter since they are pretty outdated, and so far have found:
Curuncula:
[url]
Unhide:
[url]
What is a rootkit? The following link is a very good read to answer that question.
http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In Summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hackers tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit" scan a second time. If you do get a positive hit, google the hit to research the issue and steps to correct.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkt scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. the -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
I was following this guide: url]
It's very nice but, 4 years old. So now I am wondering what is best rookit detector, and what is best firewall for centOS 5.
My Windows VPS has come under heavy attack by hackers trying to get through MSFTPSVC for the past month and they finally managed to somehow get in 2 days ago. Somehow, the "Allow anonymous login" setting was selected in my FTP settings and they got in.
They even managed to turn off my firewall. I guessing they used a buffer overflow or some other Windows Server 2003 weakness that was fixed in SP2 (too bad SP2 is'nt supported by SWSoft yet).
The attacks began less than 1 week after I had signed up with Virpus. I did'nt even have my domain name pointing to the server or a site up when the first set of dictionary attacks began. How common is that 0_0 ?
Anyway, since I now know they've gotten in I've run a virus check and everything looks clean but I really want to run some kind of root kit detection software. I've tried everything suggested on the antirootkit website but none of them seem to work on a VPS.
trying to secure my new server that will be opening for shared hosting.
So far I've found:
CHKRootKit, RKHunter, and ClamAV
As for Firewall, I've setup CSF but my question is, what is a good setting for blocking SYN Floods without blocking clients who might be browsing their site and, using DA, and FTP.
In the past I've used:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 3/s --limit-burst 5 -j DROP
and took down some pretty big attacks, but it was very touchy.
For securities purposes whats best to install?
Feel free to suggest any others.
Server is running cpanel
Possible root kit, what can I do?
Sorry for the long post, but I need some feedback.
One of the main reasons that I went from a windows dedicated server to a VPS was because I had several attacks on my server that cost lots of time and money. The only reason to these attacks was that it has to be a root kit in one of the programs I used on my server.
I have used SolarVPS for over 6 months now, and have used most of the same software I used on my dedicated server. I have not had any attacks or somebody gaining access to my VPS.
Last week I got a new Windows VPS from JaguarPC. I installed the same software as always (I will list the software later) and day two of my new VPS somebody had full access, had created a new admin user, installed Utorrent, downloaded and uploaded over 10 GB of movies and music before I discovered the security issue.
Beside my normal software I had downloaded a free downloadmanager, so I could download my plesk backup files faster than on a single download connection. That was the only other software beside my normal software.
But I never used that download manager on my dedicated server, but the same thing happened there also. A user got full access, created a new admin user for remote desktop, etc. I also use different password for the different VPS/DS/hosting plans, but some parts of the main level password is the same.
Last time the user was names support, this time the user was named Dave
I change password often, this year I have changed my password 4-5 times. I have different password for different levels on my VPS/servers. On password for Admin, one for Plesk, one for FTP access to my sites, one for e-mail, one for MySQL etc etc.
I have changed OS at home from XP to Vista, and have only installed 100% secure programs at my home computer. I have not installed one free program or any cracks, warez etc. I also use different antivirus and anti spyware software at home. So the problem can most likely not be at my home computers.
My current software I use on my VPS’s are: (I have some more, but that was the software I used on new VPS)
WinRar 3.61 from [url]
Bandwidth monitor Pro from [url]
Weblog Expert 4.1 from [url]
And the only software I don’t use on my VPS at SolarVPS:
Free Download Manager from [url]
The strange thing is that last time, over 6-7 months ago when I had all the problems with my dedicated server, I traced the IP the hackers had used to login to my DS to Germany.
This time on my new VPS the person has to be from Germany or on country they speak German. The mp3s and the movies where almost all in German.
My plan for the future:
I think I will buy a new VPS plan to test my software. Install one and one software, and see when somebody get access to my VPS. I have to use a provider that offer free OS reloads, so I can reload the OS after I have tested one and one of my programs.
Do anybody know about any companies that allow me to get free OS reloads and provide a Windows 2003 server?
Or will the backup function in VZPP work as OS reload if I take a backup of my new clean VPS and then install software. If it is a rootkit, and I restore, will the rootkit go away? If yes, I can use all providers with VZPP.
And do I have to tell the company what I have planned to do? A rootkit on my VPS will not affect other VPS, so they can get the same rootkit, or the main server?
Is there a way to page results from ls through FTP similar to the way you can in your shell by using ls | less (or ls -l | more)? When I try ls | less through FTP, even on a linux server, it wants to output to a local file?
View 3 Replies View Related##################################################################
--------------------- Selinux Audit Begin ------------------------
Number of audit daemon stops: 4
**Unmatched Entries**
Error sending failure mode request (Connection refused)
Unable to set audit pid, exiting
Cannot daemonize (Success)
Error sending failure mode request (Connection refused)
Error sending failure mode request (Connection refused)
Unable to set audit pid, exiting
Cannot daemonize (Success)
Error sending failure mode request (Connection refused)
---------------------- Selinux Audit End -------------------------
--------------------- Cron Begin ------------------------
Commands Run:
User *system*:
personal crontab reloaded: 2 Time(s)
User agadirnet:
personal crontab listed: 1 Time(s)
User dafatir:
personal crontab listed: 1 Time(s)
User drweb:
/opt/drweb/update.pl: 37 Time(s)
User kari:
personal crontab listed: 1 Time(s)
User karicom:
personal crontab listed: 1 Time(s)
User kastala:
personal crontab listed: 1 Time(s)
User mailman:
/usr/lib/mailman/cron/checkdbs: 1 Time(s)
/usr/lib/mailman/cron/disabled: 1 Time(s)
/usr/lib/mailman/cron/gate_news: 223 Time(s)
/usr/lib/mailman/cron/nightly_gzip: 1 Time(s)
User root:
/opt/php51/bin/php5
/usr/local/sitebuilder/utils/clear_trial_sites.php > /dev/null 2>&1: 19
Time(s)
/opt/php51/bin/php5 /usr/local/sitebuilder/utils/sip1.php >
/dev/null 2>&1: 1 Time(s)
/opt/php51/bin/php5 /usr/local/sitebuilder/utils/sip2.php >
/dev/null 2>&1: 1 Time(s)
/opt/php51/bin/php5 /usr/local/sitebuilder/utils/update_key.php >
/dev/null 2>&1: 1 Time(s)
/usr/local/psa/admin/sbin/backupmng >/dev/null 2>&1: 74 Time(s)
/usr/local/psa/libexec/modules/watchdog/cp/clean-events: 1
Time(s)
/usr/local/psa/libexec/modules/watchdog/cp/clean-sysstats: 1
Time(s)
/usr/local/psa/libexec/modules/watchdog/cp/pack-sysstats day: 1
Time(s)
/usr/local/rtm/bin/rtm 40 >/dev/null 2>/dev/null: 1116 Time(s)
/usr/local/sbin/bfd -q: 112 Time(s)
/usr/sbin/ntpdate -b -s 213.186.33.99: 1 Time(s)
run-parts /etc/cron.daily: 1 Time(s)
run-parts /etc/cron.hourly: 18 Time(s)
CRON Restarted 2 Time(s)
---------------------- Cron End -------------------------
--------------------- httpd Begin ------------------------
0.07 MB transferred in 211 responses (1xx 0, 2xx 26, 3xx 173, 4xx 12,
5xx 0)
148 Images (0.00 MB),
62 Content pages (0.07 MB),
1 Other (0.00 MB)
Requests with error response codes
400 Bad Request
/vb/Juice/images/editor/bold.gif: 1 Time(s)
/w00tw00t.at.ISC.SANS.DFind: 1 Time(s)
404 Not Found
/admin/phpmyadmin/main.php: 1 Time(s)
[url]
---------------------- httpd End -------------------------
--------------------- Kernel Begin ------------------------
2 Time(s): PrefPort:A RlmtMode:Check Link State
2 Time(s): Virtual Wire compatibility mode.
2 Time(s): autonegotiation: yes
2 Time(s): duplex mode: full
2 Time(s): flowctrl: none
2 Time(s): ide0: BM-DMA at 0xfc00-0xfc07, BIOS settings: hda:pio,
hdb:pio
2 Time(s): ide1: BM-DMA at 0xfc08-0xfc0f, BIOS settings: hdc:pio,
hdd:pio
2 Time(s): irq moderation: disabled
2 Time(s): rx-checksum: disabled
2 Time(s): scatter-gather: disabled
2 Time(s): speed: 100
2 Time(s): tx-checksum: disabled
1 Time(s): pIII_sse : 4821.000 MB/sec
1 Time(s): pIII_sse : 4822.000 MB/sec
2 Time(s): IO window: e000-efff
2 Time(s): MEM window: fbf00000-fbffffff
2 Time(s): PREFETCH window: 20000000-200fffff
2 Time(s): Type: Direct-Access ANSI SCSI
revision: 05
2 Time(s): Vendor: ATA Model: Hitachi HDS72168 Rev: P21O
2 Time(s): BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
2 Time(s): BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
2 Time(s): BIOS-e820: 00000000000e6000 - 0000000000100000 (reserved)
2 Time(s): BIOS-e820: 0000000000100000 - 000000001f7b0000 (usable)
2 Time(s): BIOS-e820: 000000001f7b0000 - 000000001f7c0000 (ACPI data)
2 Time(s): BIOS-e820: 000000001f7c0000 - 000000001f7f0000 (ACPI NVS)
2 Time(s): BIOS-e820: 000000001f7f0000 - 000000001f800000 (reserved)
2 Time(s): BIOS-e820: 00000000ffb80000 - 0000000100000000 (reserved)
2 Time(s): sda: sda1 sda2 sda3
2 Time(s): ..TIMER: vector=0x31 apic1=0 pin1=2 apic2=0 pin2=0
2 Time(s): 0MB HIGHMEM available.
2 Time(s): 3ware 9000 Storage Controller device driver for Linux
v2.26.02.007.
2 Time(s): 3ware Storage Controller device driver for Linux
v1.26.02.001.
2 Time(s): 503MB LOWMEM available.
2 Time(s): ATA: abnormal status 0x7F on port 0xD407
2 Time(s): Adding 522104k swap on /dev/sda3. Priority:-1 extents:1
across:522104k
2 Time(s): Allocating PCI resources starting at 20000000 (gap:
1f800000:e0380000)
2 Time(s): BIOS-provided physical RAM map:
2 Time(s): Brought up 1 CPUs
2 Time(s): Built 1 zonelists. Total pages: 128944
2 Time(s): CPU0: Intel P4/Xeon Extended MCE MSRs (24) available
2 Time(s): CPU0: Intel(R) Pentium(R) 4 CPU 3.00GHz stepping 09
2 Time(s): CPU: L2 cache: 1024K
2 Time(s): CPU: Physical Processor ID: 0
2 Time(s): CPU: Trace cache: 12K uops, L1 D cache: 16K
1 Time(s): Calibrating delay using timer specific routine.. 5989.49
BogoMIPS (lpj=11978986)
1 Time(s): Calibrating delay using timer specific routine.. 5989.50
BogoMIPS (lpj=11979013)
2 Time(s): Checking 'hlt' instruction... OK.
2 Time(s): Checking if this processor honours the WP bit even in
supervisor mode... Ok.
2 Time(s): Compat vDSO mapped to ffffe000.
2 Time(s): Console: colour VGA+ 80x25
2 Time(s): Copyright (c) 1999-2005 LSI Logic Corporation
2 Time(s): Copyright (c) 1999-2006 Intel Corporation.
2 Time(s): DMI 2.3 present.
2 Time(s): Dentry cache hash table entries: 65536 (order: 6, 262144
bytes)
1 Time(s): Detected 2992.767 MHz processor.
1 Time(s): Detected 2992.772 MHz processor.
2 Time(s): Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
2 Time(s): ENABLING IO-APIC IRQs
2 Time(s): EXT3 FS on sda1, internal journal
2 Time(s): EXT3 FS on sda2, internal journal
2 Time(s): EXT3-fs: INFO: recovery required on readonly filesystem.
4 Time(s): EXT3-fs: mounted filesystem with ordered data mode.
2 Time(s): EXT3-fs: recovery complete.
1 Time(s): EXT3-fs: sda1: 4 orphan inodes deleted
1 Time(s): EXT3-fs: sda1: orphan cleanup on readonly fs
2 Time(s): EXT3-fs: write access will be enabled during recovery.
2 Time(s): Enabling APIC mode: Flat. Using 1 I/O APICs
2 Time(s): Enabling fast FPU save and restore... done.
2 Time(s): Enabling unmasked SIMD FPU exception support... done.
2 Time(s): ExtINT not setup in hardware but reported by MP table
2 Time(s): Freeing SMP alternatives: 20k freed
2 Time(s): Freeing unused kernel memory: 220k freed
2 Time(s): Fusion MPT SAS Host driver 3.04.01
2 Time(s): Fusion MPT SPI Host driver 3.04.01
2 Time(s): Fusion MPT base driver 3.04.01
2 Time(s): Fusion MPT misc device (ioctl) driver 3.04.01
2 Time(s): I/O APIC #2 Version 32 at 0xFEC00000.
2 Time(s): ICH5: IDE controller at PCI slot 0000:00:1f.1
2 Time(s): ICH5: chipset revision 2
2 Time(s): ICH5: not 100% native mode: will probe irqs later
2 Time(s): IP route cache hash table entries: 4096 (order: 2, 16384
bytes)
2 Time(s): IPv4 over IPv4 tunneling driver
2 Time(s): Initializing CPU#0
2 Time(s): Initializing Cryptographic API
2 Time(s): Inode-cache hash table entries: 32768 (order: 5, 131072
bytes)
2 Time(s): Intel MultiProcessor Specification v1.4
2 Time(s): Intel machine check architecture supported.
2 Time(s): Intel machine check reporting enabled on CPU#0.
2 Time(s): Intel(R) PRO/1000 Network Driver - version 7.1.9-k4-NAPI
2 Time(s): Kernel command line: auto BOOT_IMAGE=linux ro root=801 nousb
2 Time(s): Linux agpgart interface v0.101 (c) Dave Jones
2 Time(s): Linux version 2.6.18.1-xxxx-grs-ipv4-32
(root@kernel-32.ovh.net) (version gcc 3.3.5 (Debian 1:3.3.5-13)) #2 SMP
Fri Nov 3 23:04:19 CET 2006
2 Time(s): Memory: 506412k/515776k available (2860k kernel code, 8896k
reserved, 1080k data, 220k init, 0k highmem)
2 Time(s): Mount-cache hash table entries: 512
2 Time(s): NET: Registered protocol family 1
2 Time(s): NET: Registered protocol family 16
2 Time(s): NET: Registered protocol family 17
2 Time(s): NET: Registered protocol family 2
2 Time(s): Netfilter messages via NETLINK v0.30.
2 Time(s): OEM ID: ASUSTeK Product ID: APIC at: 0xFEE00000
2 Time(s): PCI quirk: region 0480-04bf claimed by ICH4 GPIO
2 Time(s): PCI quirk: region 0800-087f claimed by ICH4 ACPI/GPIO/TCO
2 Time(s): PCI->APIC IRQ transform: 0000:00:02.0[A] -> IRQ 16
2 Time(s): PCI->APIC IRQ transform: 0000:00:1f.1[A] -> IRQ 18
2 Time(s): PCI->APIC IRQ transform: 0000:00:1f.2[A] -> IRQ 18
2 Time(s): PCI->APIC IRQ transform: 0000:01:0d.0[A] -> IRQ 23
2 Time(s): PCI: Bridge: 0000:00:1e.0
2 Time(s): PCI: Enabling device 0000:00:1f.1 (0005 -> 0007)
2 Time(s): PCI: Ignore bogus resource 6 [0:0] of 0000:00:02.0
2 Time(s): PCI: Ignoring BAR0-3 of IDE controller 0000:00:1f.1
2 Time(s): PCI: PCI BIOS revision 2.10 entry at 0xf0031, last bus=1
2 Time(s): PCI: Probing PCI hardware
2 Time(s): PCI: Transparent bridge - 0000:00:1e.0
2 Time(s): PCI: Using IRQ router PIIX/ICH [8086/24d0] at 0000:00:1f.0
2 Time(s): PCI: Using configuration type 1
2 Time(s): PID hash table entries: 2048 (order: 11, 8192 bytes)
2 Time(s): Processor #0 15:4 APIC version 20
2 Time(s): Processors: 1
2 Time(s): Real Time Clock Driver v1.12ac
4 Time(s): SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
4 Time(s): SCSI device sda: drive cache: write back
2 Time(s): SCSI subsystem initialized
2 Time(s): SGI XFS with large block numbers, no debug enabled
2 Time(s): SMP alternatives: switching to UP code
2 Time(s): Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ
sharing disabled
2 Time(s): Setting up standard PCI resources
2 Time(s): Software Watchdog Timer: 0.07 initialized. soft_noboot=0
soft_margin=60 sec (nowayout= 0)
2 Time(s): TCP bic registered
2 Time(s): TCP bind hash table entries: 8192 (order: 4, 65536 bytes)
2 Time(s): TCP established hash table entries: 16384 (order: 5, 131072
bytes)
2 Time(s): TCP reno registered
2 Time(s): TCP: Hash tables configured (established 16384 bind 8192)
2 Time(s): Time: tsc clocksource has been installed.
1 Time(s): Total of 1 processors activated (5989.49 BogoMIPS).
1 Time(s): Total of 1 processors activated (5989.50 BogoMIPS).
2 Time(s): Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
2 Time(s): Using IPI Shortcut mode
2 Time(s): VFS: Disk quotas dquot_6.5.1
2 Time(s): VFS: Mounted root (ext3 filesystem) readonly.
2 Time(s): ata1: SATA max UDMA/133 cmd 0xD400 ctl 0xD002 bmdma 0xC000
irq 18
2 Time(s): ata2.00: ATA-7, max UDMA/133, 160836480 sectors: LBA48 NCQ
(depth 0/32)
2 Time(s): ata2.00: ata2: dev 0 multi count 16
2 Time(s): ata2.00: configured for UDMA/133
2 Time(s): ata2: SATA max UDMA/133 cmd 0xC800 ctl 0xC402 bmdma 0xC008
irq 18
2 Time(s): ata_piix 0000:00:1f.2: MAP [ P0 -- P1 -- ]
2 Time(s): device-mapper: ioctl: 4.7.0-ioctl (2006-06-24) initialised:
dm-devel@redhat.com
2 Time(s): drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
2 Time(s): e100: Copyright(c) 1999-2005 Intel Corporation
2 Time(s): e100: Intel(R) PRO/100 Network Driver, 3.5.10-k2-NAPI
2 Time(s): eth0: Yukon Gigabit Ethernet 10/100/1000Base-T Adapter
2 Time(s): eth0: network connection up using port A
2 Time(s): floppy0: no floppy controllers found
2 Time(s): found SMP MP-table at 000ff780
2 Time(s): ide: Assuming 33MHz system bus speed for PIO modes; override
with idebus=xx
2 Time(s): io scheduler anticipatory registered (default)
2 Time(s): io scheduler cfq registered
2 Time(s): io scheduler deadline registered
2 Time(s): io scheduler noop registered
2 Time(s): ip_conntrack version 2.4 (4029 buckets, 32232 max) - 224
bytes per conntrack
2 Time(s): ip_tables: (C) 2000-2006 Netfilter Core Team
4 Time(s): kjournald starting. Commit interval 5 seconds
2 Time(s): klogd 1.4.1, log source = /proc/kmsg started.
2 Time(s): loop: loaded (max 8 devices)
4 Time(s): md: ... autorun DONE.
4 Time(s): md: Autodetecting RAID arrays.
4 Time(s): md: autorun ...
2 Time(s): md: bitmap version 4.39
2 Time(s): md: linear personality registered for level -1
2 Time(s): md: md driver 0.90.3 MAX_MD_DEVS=256, MD_SB_DISKS=27
2 Time(s): md: multipath personality registered for level -4
2 Time(s): md: raid0 personality registered for level 0
2 Time(s): md: raid1 personality registered for level 1
2 Time(s): md: raid4 personality registered for level 4
2 Time(s): md: raid5 personality registered for level 5
2 Time(s): md: raid6 personality registered for level 6
2 Time(s): megasas: 00.00.03.01 Sun May 14 22:49:52 PDT 2006
2 Time(s): mice: PS/2 mouse device common for all mice
2 Time(s): migration_cost=0
2 Time(s): monitor/mwait feature present.
2 Time(s): mptctl: /dev/mptctl @ (major,minor=10,220)
2 Time(s): mptctl: Registered with Fusion MPT base driver
2 Time(s): raid5: automatically using best checksumming function:
pIII_sse
1 Time(s): raid5: using function: pIII_sse (4821.000 MB/sec)
1 Time(s): raid5: using function: pIII_sse (4822.000 MB/sec)
1 Time(s): raid6: int32x1 862 MB/s
1 Time(s): raid6: int32x1 863 MB/s
2 Time(s): raid6: int32x2 795 MB/s
2 Time(s): raid6: int32x4 708 MB/s
1 Time(s): raid6: int32x8 543 MB/s
1 Time(s): raid6: int32x8 544 MB/s
1 Time(s): raid6: mmxx1 1831 MB/s
1 Time(s): raid6: mmxx1 1840 MB/s
2 Time(s): raid6: mmxx2 2122 MB/s
2 Time(s): raid6: sse1x1 1057 MB/s
1 Time(s): raid6: sse1x2 1208 MB/s
1 Time(s): raid6: sse1x2 1210 MB/s
1 Time(s): raid6: sse2x1 2099 MB/s
1 Time(s): raid6: sse2x1 2101 MB/s
1 Time(s): raid6: sse2x2 2252 MB/s
1 Time(s): raid6: sse2x2 2254 MB/s
1 Time(s): raid6: using algorithm sse2x2 (2252 MB/s)
1 Time(s): raid6: using algorithm sse2x2 (2254 MB/s)
2 Time(s): scsi0 : ata_piix
2 Time(s): scsi1 : ata_piix
2 Time(s): sd 1:0:0:0: Attached scsi disk sda
4 Time(s): sda: Write Protect is off
2 Time(s): serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
2 Time(s): serio: i8042 AUX port at 0x60,0x64 irq 12
2 Time(s): serio: i8042 KBD port at 0x60,0x64 irq 1
2 Time(s): tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
2 Time(s): tun: Universal TUN/TAP device driver, 1.6
2 Time(s): using mwait in idle threads.
---------------------- Kernel End -------------------------
VPS vs. Dedicated - New Benchmark Results ....
View 1 Replies View RelatedWe're looking to bring in a T3 for our small startup hosting company and when we do traces from multiple location it always runs through a cox.net IP and it concerns me because I dont want our customers to believe they're being hosted on some kids cablemodem. What do you folks suggest, the IP is 64.19.96.5 to their outer router. Should it be a concern that we route through everyone through a cox.net IP?
View 10 Replies View RelatedThis is a follow-up to my original thread [url] regarding my client's experiences with HostWay.
I simply can't believe all of this, and I went through it.
The low points of the whole thing work out like this: In order to set up an SSL for my client's site, we needed a dedicated IP. If you do a traceroute on my client's URL, it resolves to someone else all together. Int he mean time, I tried to purchase an SSL through HostWay, and when they didn't respond in a week and a half, I e-mailed cancelling the order, and purchased a (thankfully) inexpensive SSL from GoDaddy. I got an e-mail back within hours from HW saying, literally, "We never processed your SSL order, so there's nothing to cancel. Let us know if there's anythig else we can do."
As I mentioned before, e-mail support seems to be handled off-shore, and it takes over a week for most answers. Phone support gets you, I found out, a service in Florida.
While the people I dealt with on the phone were always professional and polite, they literally could do almost nothing. I was told several times, "I have to e-mail someone in Chicago - no, I don't know who it is, all I have is an e-mail address."
Back to the SSL - seems HostWay already installed one on my client's site at some point - and it had nothing to do with my client. You could visit a secure version of the site, and it would tell you not to enter, as the cert didn't match the site.
My client and I both were on the phone with the Florida 800 number for hours at a time.
Average wait time to speak to someone was 30 minutes or so. I'm not carping about that part - but they were feeding us false information which was supposedly fed them from "Chicago." Specifically, I told them on the phone and via e-mail that the IP didn't resolve correctly, and that the old cert needed to be removed before a new one could go on (and only their SSL team can install certs, supposedly).
They told my client that the GoDaddy cert was causing them problems, and that it needed to be cancelled before they could install one of their GeoTrust certs. I nuked it - even though I knew better - and of course nothing was done. They lied to my client for several days, saying the new cert was installed (even though I knew it wasn't, and I told my client so, and showed them HW's tech was passing on false information).
This situation went on for almost two weeks. Finally, Monday night, my client got a supervisor based in British Columbia, Canada, who promised that he would walk "the tech admin" through fixing the problems that night. But that was only after my client threatened to pull his account.
Well, the IP is still screwed up, but they replaced the cert that night with one for which they charged my client an arm and a leg. The CC processing company is happy, so we let it ride, and they're now processing payments over the web.
If this is confusing, it's because I condensed many long days and nights into a few short paragraphs. Let's just say that HW didn't have their thinking caps on tight, because they committed to their preposterous stories to e-mails which we all received.
Later this year, at a conference to be held in Canada, a committee of nuclear power station operators will be discussing whether or not they should keep HW as the host of their site. Gee, I wonder what the consensus will be.
Quote:
MySQL Version 4.1.22-standard i686
Uptime = 0 days 0 hrs 4 min 15 sec
Avg. qps = 17
Total Questions = 4479
Threads Connected = 1
Warning: Server has not been running for at least 48hrs.
It may not be safe to use these recommendations
To find out more information on how each of these
runtime variables effects performance visit:
[url]
SLOW QUERIES
Current long_query_time = 10 sec.
You have 1 out of 4491 that take longer than 10 sec. to complete
The slow query log is NOT enabled.
Your long_query_time may be too high, I typically set this under 5 sec.
WORKER THREADS
Current thread_cache_size = 128
Current threads_cached = 6
Current threads_per_sec = 0
Historic threads_per_sec = 0
Your thread_cache_size is fine
MAX CONNECTIONS
Current max_connections = 2000
Current threads_connected = 1
Historic max_used_connections = 7
The number of used connections is 0% of the configured maximum.
You are using less than 10% of your configured max_connections.
Lowering max_connections could help to avoid an over-allocation of memory
See "MEMORY USAGE" section to make sure you are not over-allocating
MEMORY USAGE
Max Memory Ever Allocated : 96 M
Configured Max Per-thread Buffers : 10 G
Configured Max Global Buffers : 58 M
Configured Max Memory Limit : 10 G
Total System Memory : 3.95 G
Max memory limit exceeds 85% of total system memory
KEY BUFFER
Current MyISAM index space = 78 M
Current key_buffer_size = 16 M
Key cache miss rate is 1 : 735
Key buffer fill ratio = 8.00 %
Your key_buffer_size seems to be too high.
Perhaps you can use these resources elsewhere
QUERY CACHE
Query cache is enabled
Current query_cache_size = 32 M
Current query_cache_used = 4 M
Current query_cach_limit = 1 M
Current Query cache fill ratio = 14.83 %
Your query_cache_size seems to be too high.
Perhaps you can use these resources elsewhere
MySQL won't cache query results that are larger than query_cache_limit in size
SORT OPERATIONS
Current sort_buffer_size = 2 M
Current record/read_rnd_buffer_size = 256 K
Sort buffer seems to be fine
JOINS
Current join_buffer_size = 1.00 M
You have had 0 queries where a join could not use an index properly
Your joins seem to be using indexes properly
OPEN FILES LIMIT
Current open_files_limit = 10000 files
The open_files_limit should typically be set to at least 2x-3x
that of table_cache if you have heavy MyISAM usage.
Your open_files_limit value seems to be fine
TABLE CACHE
Current table_cache value = 1024 tables
You have a total of 721 tables
You have 93 open tables.
The table_cache value seems to be fine
TEMP TABLES
Current max_heap_table_size = 16 M
Current tmp_table_size = 32 M
Of 212 temp tables, 0% were created on disk
Effective in-memory tmp_table_size is limited to max_heap_table_size.
Created disk tmp tables ratio seems fine
TABLE SCANS
Current read_buffer_size = 1 M
Current table scan ratio = 17754 : 1
You have a high ratio of sequential access requests to SELECTs
You may benefit from raising read_buffer_size and/or improving your use of indexes.
TABLE LOCKING
Current Lock Wait ratio = 1 : 76
You may benefit from selective use of InnoDB.
If you have long running SELECT's against MyISAM tables and perform
frequent updates consider setting 'low_priority_updates=1'
how to make the changes in red? My server works good for awhile, but then gets REALLY REALLY slow.
I run the top command when memory usage seems to be running high on my server. I look at it and blink and have no real idea whether things are "okay" or not.
I apologize for the extreme basicness of this question. At the same I would love to have some kind of personal benchmark of "okayness" for this server so I can look at top results when things are dreadfully wrong and recognize it.
Based on these results would you say the server is holding up under traffic?
-----------------------------------
17:35:58 up 4 days, 2:26, 1 user, load average: 0.66, 0.57, 0.56
85 processes: 80 sleeping, 2 running, 3 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 5.4% 0.0% 1.3% 0.0% 0.0% 0.0% 93.3%
cpu00 6.2% 0.0% 1.4% 0.0% 0.2% 0.0% 92.2%
cpu01 4.8% 0.0% 1.0% 0.0% 0.0% 0.0% 94.2%
Mem: 4147916k av, 3420324k used, 727592k free, 0k shrd, 265360k buff
3128396k active, 91908k inactive
Swap: 2096440k av, 0k used, 2096440k free 2845408k cached
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
7359 mysql 15 0 94352 16M 3448 S 2.1 0.4 0:08 0 mysqld
9099 nobody 19 0 20256 14M 2096 R 1.3 0.3 0:00 0 httpd
1 root 15 0 1592 496 436 S 0.0 0.0 0:00 0 init
2 root RT 0 0 0 0 SW 0.0 0.0 0:00 0 migration/0
3 root 34 19 0 0 0 SWN 0.0 0.0 0:00 0 ksoftirqd/0
4 root RT 0 0 0 0 SW 0.0 0.0 0:00 1 migration/1
5 root 34 19 0 0 0 SWN 0.0 0.0 0:00 1 ksoftirqd/1
6 root 10 -5 0 0 0 SW< 0.0 0.0 0:00 0 events/0
7 root 10 -5 0 0 0 SW< 0.0 0.0 0:00 1 events/1
8 root 10 -5 0 0 0 SW< 0.0 0.0 0:00 1 khelper
9 root 13 -5 0 0 0 SW< 0.0 0.0 0:00 1 kthread
13 root 18 -5 0 0 0 SW< 0.0 0.0 0:00 0 kblockd/0
14 root 11 -5 0 0 0 SW< 0.0 0.0 0:00 1 kblockd/1
---------------
We run our company website on a VPS.
Now we do notice, that quite frequently, the connection times out or the server responds slowly. A friend of mine said the VPS could be the issue of this.
I ran a ping test today for several hours, sending one ping with 16 bytes with a timeout set to 3 seconds.
From 18000 pings sent (5 hours), 120 failed. Which comes to one failure in 150 pings, or one failure every 2.5 minutes.
Is this still an acceptable failure rate or do I have reason to contact our VPS provider? According to our own usage statictics, we are not using much of the server's capacities.
Is there any way to avoid getting false name lookups when trying to resolv inexistent domains ? apart from using another nameserver.
I'm sorry if it was posted earlier, tried searching but it didn't help as it gave me large results.
Code:
[root@removed ~]# ping hjkdji284kajgafhj87da778dfsd.com
PING hjkdji284kajgafhj87da778dfsd..com.insertdchere.com (xx.xxx.xxx.xx) 56(84) bytes of data.
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=0 ttl=61 time=1.00 ms
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=1 ttl=61 time=0.952 ms
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=2 ttl=61 time=1.34 ms
I just read Peer 1 financials -they got big this year!
Does anyone know how many actual customers they have? The financials say $74.36 Million... with 9,000 customers... humm... they must have more than that? Just curious.
I'm new to server administration/security/troubleshooting, so I have included a lot of info here hoping it will help.
This started because a Linux VPS with CentOS and Exim crashed after only 3000 emails were sent (of 30000) total
I ran a netstat and several times I get three separate ips with the only difference being the last two digits and the port number:
86.104.230.29:59009
86.104.117.45:18065
89.37.137.157:41593
As far as I can tell they are from Romania, and there are several connections.
I have posted a lot of information below, if someone can take a look and give some ideas, it would be very much appreciated.
netstat:
Code:
tcp 0 0 mydomain.com:http 86.104.117.98:34060 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.82:59022 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.219:52276 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.163:25383 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.154:20794 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.235:39094 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.127:61711 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.127:5748 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.37:63424 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.228:54121 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.226:39605 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.91:6446 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.10:54841 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.100:22842 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.118:32674 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.80:16559 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.64:47817 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.136:21718 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.246:37288 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.28:62119 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.190:4468 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.8:25247 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.100:35503 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.199:20896 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.237:saft SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.199:47952 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.118:60561 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.181:10844 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.125:50584 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.253:17855 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.10:25740 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.109:29528 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.62:47349 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.55:4614 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.226:22001 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.163:11790 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.44:8911 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.46:telnets SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.190:27377 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.181:34031 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.19:41722 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.100:57151 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.145:61402 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.53:52461 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.26:42463 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.217:35530 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.35:63414 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.154:56638 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.26:43972 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.172:6922 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.17:3683 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.210:2397 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.46:18754 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.244:4032 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.235:8602 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.82:39495 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.19:28848 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.163:47624 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.8:2683 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.55:43300 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.37:1664 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.118:36892 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.17:7317 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.109:56229 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.217:45257 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.73:15278 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.64:14076 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.116:14567 SYN_RECV
Hope there is a DNS expert about that can make sense of what I observe and give an unbiased opinion.
We are currenlty evaluating hosted DNS providers. Anycast DNS seems like a great feature to have and we want fail over too. Narrowed down a list of possible suppliers: DNS Made Easy, Netriplex and Dynect.
After reading up on some blogs 1 & 2 mainly, we setup a Pingdom test to evaluate our three candidates.
For DME I used their own site URL for testing, Netriplex and Dynect gave us dedicated test accounts.
The average response times roughly follow the prices, DME is slowest, Netriplex next and Dynect is the winner. I have detailed logs in anyone is interested (in CSV).
Now for the unexpected results. All 3 providers give very long response times a few times a day - sometimes as long as 5 or 10 seconds. Now and again we see a timeout - i.e. a response of over 15 seconds.
We cross checked by running a testing our current non-anycast Rackspace DNS - similar outliers are present too.
Pingdom tech support think these outliers could be due to peering issues on the internet.
I would expect anycast DNS to be much more robust and to give decent response times even if there are localised networking issues.
So our outliers are either down to the way Pingdom does the testing, or just a 'feature' of the way DNS works.
Anyone with any bright ideas on how to explain this?
I've been fiddling with Plesk to get HTTPS to work for [URL] .... Unfortunately I haven't had any successes at forcing HTTPS, all result in a 'to many redirects' message.
The certificate is already activated and can be verified trough; [URL] ....
Code:
proxy_error_log:2015/05/16 16:35:00 [crit] 21266#0: *2336 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL handshaking, client: 64.41.200.106, server: 151.80.117.38:443
proxy_error_log:2015/05/16 16:36:37 [crit] 21266#0: *2616 SSL_do_handshake() failed (SSL: error:14094085:SSL
[Code] .....
I have the follow errors at (one) of my plesk panel:
at Applications:
Search results could not be loaded at the moment. Retry Click to expand...
All my sites on both my hosting accounts are infected with an iframe.
At the end of the index.html files the malicious code just appeared...suddenly 3 weeks ago.
The host blamed Joomla so I took the appropriate steps:
Upgraded my Joomla to the latest version, changed the whole account username and password, changed the configuration and template to unwriteable.
It stopped the injection for a few days but then it came back.
I would also like to add that 2 other sites on my account, one simple index.html file and an old website I have that is totally HTML with nothing to do with Joomla also got infected.
The iframe also infected a Drupal install I did as a test.
So according to these fact is this a Hosting Company not taking responsibility or can a Joomla site infected spread to other normal HTML sites and different CMS's on the server?
This situation is ruinning me and I strongly suspect it's a Hosting problem and not Joomla.
Any expert opinions from true professionals would be appreciated because if I can prove that it's not a Joomla issue I might take legal action against the hosting company since this has cost me dozens of hours of work and several hundred dollars of lost revenue.
I am attaching the iframe exploit. It installs itself on every index file...in every folder - components, mambots, ect..additionally it attaches itself on any and every kind of addon that has an index.html file.
After last night's attempt to upgrade one of our old plesk servers (10.0.1), on RHEL 5.5, we are left with unfunctional control panel.
Following the KB [URL] ...., we see:
1) no /usr/local/psa/version file exists currently.
2) mysql -uadmin -p`cat /etc/psa/.psa.shadow` -D psa -e 'select * from upgrade_history order by upgrade_date desc limit 1'
+---------------------+--------------------------------+------------+
| upgrade_date | version_info | db_version |
+---------------------+--------------------------------+------------+
| 2010-12-01 10:52:30 | 10.0.1 RedHat el5 109101029.17 | 01090 |
+---------------------+--------------------------------+------------+
as you see the plesk was OLD. No line for the last night's upgrade, though in here.
3) but: rpm -q psa
psa-12.0.18-rhel5.build1200140606.15
So, the installation procedure finished partially, installing net packages, but not really updating all info.
Comparison of the MySQL scheme for DB psa with another server with the new installation shows that some minimal differences in some tables and a couple of missing tables. So, it looks like it _almost_ succeeded.
Comparison of the RPMs installed on the two servers, shows some differences in installed packages and versions. For example, there are 2 versions of psa-backup-manager and 2 versions of psa-migration-manager on the "malfunctioning" machine.
Further runs of the autoinstaller does not work, since it seems to think that everything is fully installed/updated. How to proceed from this point. Control panel does not work...
We've looked through the installation log files and Wonder if there is some log file that we are missing - where shold we look for messages in case of a failed installation?
To automate some tasks for some projects I'm working on, I need to be able to automatically create or delete ftp-users.
Creating and listing ftp-accounts is working great, but when it comes to deleting them I run into an internal server error. Before my script gets the response it's waiting for, the script crashes.
- When live watching the Apache error-log with 'tail -f', the terminal-session is exited with 'Killed (core dumped)'
- Apache error-log shows:
Code:
(104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server, referer: http://example.com/ftp.php?action=delete
Premature end of script headers: ftp.php, referer: http://example.com/ftp.php?action=delete
- Webbrowser shows default '500 Internal Server Error'
I have checked and changed time-out settings, but it didn't work. Error occurs a few seconds after executing, while the timeouts are set to 60 to 90 seconds.
Packet send to Plesk:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.6.0">
<ftp-user>
[Code].....