FTP and Load BIG PROBLEM

Guy

New member, joined Mar 31, 2010, 2 messages
Hello,

I hope it belongs to this sub-forum. If not, please move it.

Today I noticed that my load average went too high. I checked the '/var/log/messages' log and found this (every second, more than thirty lines like these are appended to the log file):

Mar 31 23:04:00 server proftpd[15696]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15696]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'webapps'
Mar 31 23:04:00 server proftpd[15695]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'avahi'
Mar 31 23:04:00 server proftpd[15697]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15698]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15699]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15698]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'sabayon'
Mar 31 23:04:00 server proftpd[15700]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15700]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'sabayon'
Mar 31 23:04:00 server proftpd[15699]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'haldaemon'
Mar 31 23:04:00 server proftpd[15701]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15702]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15701]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'webapps'
Mar 31 23:04:00 server proftpd[15704]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15703]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15703]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'sabayon'
Mar 31 23:04:00 server proftpd[15705]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15704]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'avahi'
Mar 31 23:04:00 server proftpd[15705]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'sabayon'
Mar 31 23:04:00 server proftpd[15706]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15707]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15708]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15708]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'sabayon'
Mar 31 23:04:00 server proftpd[15709]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15711]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15709]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'avahi'
Mar 31 23:04:00 server proftpd[15710]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15710]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'nobody'
Mar 31 23:04:00 server proftpd[15712]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15711]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'haldaemon'
Mar 31 23:04:00 server proftpd[15713]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15713]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'nobody'
Mar 31 23:04:00 server proftpd[15714]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15706]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'webapps'
Mar 31 23:04:00 server proftpd[15715]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15716]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15716]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'haldaemon'
Mar 31 23:04:00 server proftpd[15718]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15720]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15719]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15714]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'avahi'
Mar 31 23:04:00 server proftpd[15715]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'nobody'
Mar 31 23:04:00 server proftpd[15719]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'haldaemon'
Mar 31 23:04:00 server proftpd[15717]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15717]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'nobody'
Mar 31 23:04:00 server proftpd[15721]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15721]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'webapps'
Mar 31 23:04:00 server proftpd[15722]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15722]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'nobody'
Mar 31 23:04:00 server proftpd[15723]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:01 server proftpd[15724]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:01 server proftpd[15726]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:01 server proftpd[15725]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:01 server proftpd[15727]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:01 server proftpd[15727]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'webapps'
Mar 31 23:04:01 server proftpd[15724]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'haldaemon'
Mar 31 23:04:01 server proftpd[15725]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'nobody'
Mar 31 23:04:01 server proftpd[15728]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:01 server proftpd[15726]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'avahi'

Also, I noticed that my FTP server takes a lot of CPU and RAM. Note that the FTP server works fine; I mean, I can connect to it without any problems.


Server Details:
Kernel: 2.6.18-164.el5
CentOS release 5.4 (Final)
Apache: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 DAV/2.
PHP: PHP 5.2.11

I hope you will figure it out. Sorry for my bad English,

Have a wonderful day,
Guy.
 
I have only changed the 'hostname' to server.mydomain.com.

The 127.0.0.1 is present in the log.


Do you have any idea?
 
Honestly, I don't know, and it is strange that you got so many localhost connections. Have you installed any cron that has to upload something via FTP?
 
I am guessing that someone has uploaded a script to your server somehow which is now trying ftp usernames.
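
An added example, not part of any post in this thread: a Python script that groups proftpd lines in the format posted above by client address and flags clients that fail logins for several different unknown accounts. The sample input, the function names and the `min_users` threshold are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Sample input: six lines from the excerpt above plus one constructed line (192.0.2.10).
SAMPLE = """\
Mar 31 23:04:00 server proftpd[15696]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15696]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'webapps'
Mar 31 23:04:00 server proftpd[15695]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'avahi'
Mar 31 23:04:00 server proftpd[15698]: server.mydomain.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 31 23:04:00 server proftpd[15698]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'sabayon'
Mar 31 23:04:01 server proftpd[15724]: server.mydomain.com (127.0.0.1[127.0.0.1]) - no such user 'haldaemon'
Mar 31 23:04:01 server proftpd[15800]: server.mydomain.com (192.0.2.10[192.0.2.10]) - FTP session opened.
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sproftpd\[\d+\]:\s\S+\s"
                  r"\([^\[]*\[(?P<ip>[^\]]+)\]\)\s-\s(?P<msg>.*)$")
NO_USER = re.compile(r"no such user '(?P<user>[^']*)'")

def summarize(text):
    """Group proftpd events by client IP: sessions, failed users, events per second."""
    stats = defaultdict(lambda: {"sessions": 0, "users": Counter(), "per_sec": Counter()})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a proftpd line in this format
        s = stats[m["ip"]]
        s["per_sec"][m["ts"]] += 1
        if m["msg"].startswith("FTP session opened"):
            s["sessions"] += 1
        elif (u := NO_USER.search(m["msg"])):
            s["users"][u["user"]] += 1
    return stats

def flag_guessing(stats, min_users=3):
    """Report clients that failed logins for at least min_users distinct unknown accounts."""
    report = {}
    for ip, s in stats.items():
        if len(s["users"]) >= min_users:
            report[ip] = {
                "loopback": ipaddress.ip_address(ip).is_loopback,  # True: client runs on this host
                "failures": sum(s["users"].values()),
                "users": sorted(s["users"]),
                "peak_per_sec": max(s["per_sec"].values()),
            }
    return report

if __name__ == "__main__":
    print(flag_guessing(summarize(SAMPLE)))
```

When the flagged source is a loopback address, blocking by IP does not apply: the client is a process on the server itself, so the next step is to find which local process owns the connections to port 21 (for example with `netstat -tnp` or `lsof -i :21`).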
 