Traffic Spikes And Perl Processes - Security Issue
Oct 28, 2009
I admit I know nothing when it comes to servers. Yet I do have a root server and I noticed that there are some days when the traffic spikes up to 20 times the average and when I login via ssh I see many perl processes. I don't know what those are since I don't use any perl scripts on my web site. Is this a potential or maybe an ongoing security issue?
I am currently moving from my current dedicated servers because they simply cannot handle the load. I have a site which frequently makes it onto radio, digg and other similar sites.
I need a dedicated server that can take a beating from Digg and offline Media. For most of the month the server load is really low, the site hardly uses up anything. However, when it hits those sites, it suffers.
I am OK with using Shell, just basic tars/logs/sqldumping/httpd.conf editing/rebooting etc. Anything beyond that, like installing and configuring software, I can't really do.
I guess I am looking at a dedicated option (Linux based) with a host that'll set up software/modules for me when I ask, but doesn't really need to hold my hand all the time.
How are ThePlanet.com's servers? Do they manage the servers?
I've been trying to install it for about 3 hours and I've finally got it working. Now, how do I configure it to be nice and secure?
First thing is that I want to restrict which paths people can use in scripts. My site needs to access any paths, but site users can only access their own directories. I want the exact same thing as in this thread, but with Perl instead of PHP.
How do I block certain functions, and which ones do I block? I heard Perl and PHP are very similar, so I'm guessing I want to block similar functions to the ones listed here.
A client hacked another client of mine using the following Perl code:
#!/usr/bin/perl
symlink ("/home/john/public_html/config.php","/home/carole/public_html/forums/includes/config.php");

After the hacker got the DB name, username and password it's very easy to change anything in the forum using PHP.
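One way for the server admin to spot this kind of cross-account symlink is to walk every account's public_html and flag links whose resolved target is outside that account's home. This is an added example, not code from the thread; it assumes the conventional /home/<user>/public_html layout and GNU readlink, and the scan root can be overridden with the first argument.

```shell
#!/bin/sh
# Added example: list symlinks inside each account's public_html whose
# resolved target lies outside that account's own home directory.
# Assumes /home/<user>/public_html (hypothetical layout); pass a different
# root as $1 to scan elsewhere.
find_escaping_symlinks() {
    root="${1:-/home}"
    for home in "$root"/*/; do
        home="${home%/}"
        [ -d "$home/public_html" ] || continue
        # Canonicalise the account home so prefix comparison is reliable
        # even when the hosting root is itself reached through a symlink.
        home=$(cd "$home" && pwd -P) || continue
        find "$home/public_html" -type l 2>/dev/null | while read -r link; do
            # readlink -f follows chains of links to the final target
            target=$(readlink -f "$link" 2>/dev/null) || continue
            case "$target" in
                "$home"|"$home"/*) ;;                       # stays inside the account
                *) printf '%s -> %s\n' "$link" "$target" ;; # escapes the account
            esac
        done
    done
}

# Usage: prints one "link -> target" line per offending symlink
# find_escaping_symlinks /home
```

Running it from cron and diffing the output against the previous run turns it into a cheap alert for newly created cross-account links.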
How can I better monitor and trace down I/O spikes? I've noticed the wait hit 60% every now and again... could someone be running a rapidleech script, and if so, how can I find it?
I haven't really done anything new other than add another forum on the server (Invision).
Basically the problem is the random spikes I get. The main forum that is running on the server hasn't really increased in terms of simultaneous connections. It's usually around 180 - 220 during peak times.
On top there are usually around 250 tasks. When this thing started happening it would spike to 500+ tasks, which totally kills the server. It's pretty random also. Sometimes it'll go fine for a few hours and then suddenly climb slowly up and then the server dies. For now it's going to crash whenever I let Apache run for an hour or so.
The only way I can restore it is to restart Apache. It has come to the point where I've had to put an Apache restart in the cronjob list, restarting it every few minutes since I'm not always here watching over it. This is obviously a short-term solution to keep the forum up while I troubleshoot this.
We've had a VPS for just over a month now. I am not going to mention the host by name (yet) but they advertise here and other people here reported liking them.
Sadly it's not my experience and I regret my purchase.
Every morning for the past few weeks, we get load spikes every 30 minutes that make our site unusable for a minute (on our VPS, any load over 1.0 is sluggish, over 2.0 is virtually unusable, over 3 is unresponsive).
Here's a series of days as an example: [url]
The worst part about this is the host insists 1. either it's not happening or 2. they can't find it.
I know it's happening because when I try to load a page on the half-hour, it takes over 13 seconds (less than 1 second normally). And it's fairly obvious it's someone doing a cron job with some nasty downloading, uploading, or maybe a massive mysql update.
Someone tell me what to tell them because this is driving me out of my mind. The load is NOT being caused by ourselves, I've made sure all our cron jobs don't happen on the exact half hour and we get lots of traffic later in the day without loads.
I run a web hosting company and one of my servers is a LAMP server running CentOS 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTPs into the account to modify these files, he doesn't have the appropriate permissions to do so, as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its subdirectories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than their parent, but if I do a top-down user/group change on the folder it will change everything in that folder to 0755.
I just recently switched to using fcgid with cPanel and was wondering how I can go about seeing what is actually running under each process. Before, when I was running PHP as CGI, I could do ps auxwe | grep PID and see all the environment variables along with the path. I'm not able to do that any longer with fcgid. Is there any way to get this info now?
Well, one of my servers has been under a DDoS attack for a while and I've been doing things to keep it down, but there is a suspicious process that keeps running and I am guessing that is what's keeping the server load up, because when I stop Apache the load goes down, but not for long.
I've found I've got tons of processes "sleeping" on my server, how do I view what processes are sleeping? Is there a command I can run that lists all sleeping (only) processes?
"We do not allow programs to run continually in the background. This is to minimize system resources used and operational maintenance needed. We do not allow any chat or topsite programs on our servers other than the ones we pre-install for our clients to use. IRC: We currently DO NOT allow IRC or IRC bots to be operated on our network."
I thought the whole point of using a VPS was so you could run a continuous application (like a chat/game/etc. server)? Why are so many VPS services against IRC? (The chat server I use is not IRC based, but I just think it's weird so many prohibit IRC.)
I'm having a problem with one user account: every 5-10 minutes a spamd process of this user gets locked using 60-90% CPU and never ends. If I don't kill the process, another one does the same and they all get locked, causing very high loads.
I reinstalled exim, but it did nothing.
The problem persisted even when this user's account was suspended.
Today I took the leap and switched to suPHP, rather than the Apache module. This is just what suited us best for hosting our own websites, keeping them more isolated from each other bar a certain shared directory.
All is great, apart from that I'm now noticing zombie processes all of the time. These processes do seem to go away though; if I watch top, the number of zombie processes will go up and down between 0 and 10.
Are these processes a problem, considering they do leave after a while? I've read up about zombie processes and it would seem that as long as they are closing at some point, instead of hanging around, then that's fine. Is this supposed to happen in my setup?
How can I discover hidden processes running? Already running rkhunter, chkrootkit.

[root@kenny ~]# ps auxfww
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
Segmentation fault
[root@kenny ~]#

This just happens when I use the flag "f = --full". Some running process is causing this.
I recently modified my loadavg script to store in a database the output of a top command if there's ever server loads of over 1. Overnight I've had 12 such times logged to a database.
Upon inspecting things (I was expecting there to be a recurring problem), the top command reveals that there are always three queries running together which take over 30 seconds each, and take up ~9% of memory each:
PID   USER   PR NI VIRT  RES SHR  S %CPU %MEM TIME+   COMMAND
26119 nobody 25 0  73492 38m 4792 S 0    8.5  0:30.00 httpd
7313  nobody 25 0  76716 42m 4992 S 0    9.5  0:29.99 httpd
14212 nobody 19 0  70688 39m 4844 S 0    8.8  0:30.03 httpd
Is there a command that will tell me exactly what these processes are? Like in WHM's "CPU/Memory/MySQL Usage" whereby it says what account these httpd processes are coming from, and the actual page they are coming from as well?
If I could log these details (i.e. account and page these are coming from) along with the output of the top command, I can hopefully troubleshoot where this problem is coming from.
My server has been crashing quite a lot lately. It does have some high traffic sites on there, but it has never really been this bad before. Today I noticed these in cPanel; what are they, and is there any way I can control them?
I am facing a slight problem with one of my VPSes. It had happened earlier also but had got resolved automatically.
Please see this screenshot: [url]
I know that the server load is not that great to cause this much swap usage. I think this is because of the processes not getting killed.
UPDATE: here is the screenshot of my other server with the same provider, which is not really overloaded but I think is facing the same problem of processes not getting killed: [url]
So here is a simple question that I just can't seem to figure out. When I run the command top or ps -auxw, they show the httpd processes as the command httpd or /usr/sbin/httpd, but how do I know what file that is? Is there any way to find out what file is actually getting executed or served?