my directadmin is hacked, IMMEDIATE help please

mr-cracker (Verified User, joined Sep 17, 2009, 54 messages)
Hi all,
Before everything, I opened "/var/log/directadmin/error.log"
and it gives lots of these messages:
Code:
2009:10:17-13:22:03: FORK ERROR - bad ?? Rogue process? Kill me?
2009:10:17-13:22:03: FORK ERROR - bad ?? Rogue process? Kill me?
2009:10:17-13:22:03: FORK ERROR - bad ?? Rogue process? Kill me?
2009:10:17-13:22:03: FORK ERROR - bad ?? Rogue process? Kill me?
2009:10:17-13:22:03: FORK ERROR - bad ?? Rogue process? Kill me?

I think I'm under attack, so please, what shall I stop now to prevent losing data?

What shall I do now? I'm not able to make a database backup; it gives either out of memory, MySQL gone away, or connection to MySQL lost...

I don't have good info on such attacks. Is there any possibility that there is a shell on my server? I ask because of reading this:
http://www.directadmin.com/forum/showthread.php?t=22201&highlight=Rogue+process

If I re-build my server and use cPanel instead of this **** DirectAdmin, will that fix the problem?

I have some problems with recursive lookups; does that affect it?

Regards
 
Note that I'm replying to this thread with limited information; I've no idea how DirectAdmin could be affected by a rogue process. Hopefully DirectAdmin staff will look at this thread.

You can (and perhaps should) contact DirectAdmin Support.

Certainly if you rebuild your server with cPanel you won't be affected by any DirectAdmin specific issues, but no one has identified this yet as a DirectAdmin specific issue, so I'd be willing to suggest that such an action is probably premature.

I'm not sure what you mean by problems in recursive lookups, but you should NOT run recursive DNS on the same DNS server you use for authoritative lookups for domains you host.

If what you mean is you can't do recursive DNS lookup with your own nameserver, that's proper behavior; you should get the IP addresses of two recursive nameservers from your upstream, and put their IP#s into /etc/resolv.conf.

Jeff
 
Hi there, I just checked resolv.conf and I see that the 2 nameservers are not the same as my IPs. Is that the reason I'm getting that "recursive error"?
http://www.ukimagehost.com/uploads/7be49d2d3e.jpg

But when I tried to re-edit it, it said "fork: Cannot allocate memory",
which is the error I'm getting when trying many things. Is this a real attack, and how do I overcome it please?

I decided to switch to cPanel before this problem.
Regards and thanks
 
"fork: Cannot allocate memory" means that linux can't find any free memory (RAM and swap) to copy a program to, which automatically means that you are out of RAM.
This may be caused by (in order of probability):
1) specific software memory leak (programming bug)
2) wrong amount of memory (you just haven't got enough memory for your system setup and load)
3) hardware failure
4) a DoS attack caused from outside the system through a specific software vulnerability or internally by an attacker that already has got access to your system

Case 4) is much less probable.

How to find which one is the case: just run "top" and see for yourself which program is eating up memory. If it says "fork: Cannot allocate memory" itself, just retry until it starts.

If there is free memory or if the memory size is not the real one, that's case 3).
If the memory is full but no program seems to use an exaggerated amount of it, that's case 2).
If there is a program using most memory, and more than it should, that's case 1) or 4).
 
Hello,

I've checked over the forking code and that error is output if the fork() command returns a -1 value.

As per the man page for fork, these are the only 2 errors that would cause fork to return a -1 value.
Code:
ERRORS
       EAGAIN fork cannot allocate sufficient memory to copy the parent's page tables and allocate a task structure for the child.

       ENOMEM fork failed to allocate the necessary kernel structures because memory is tight.
So my guess would be you're out of ram. Run "top" to see how much free ram you've got. I do not believe it's a hacker based on this information.

John
 
Hi all,
Thank you very much for your answers. I tried the following yesterday...

installed ELS
http://www.directadmin.com/forum/showthread.php?t=17070&highlight=els
and csf
http://www.directadmin.com/forum/showthread.php?t=29807&highlight=firewall

but no changes. My host recommended that I shut down the server to avoid losing bandwidth, so I shut it down.

Now I started it again; it is working 100% correctly, but I don't know what will happen.

Also, by running
Code:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
I found an IP taking 250-300. Is that an attack or what? I did as it was recommended here:
http://hostechs.com/2008/09/dropping-a-ddos-attack-using-ttl-and-length-in-iptables/

I will wait for some time; if this happens again then I will reply here.

Thank you very much all
Regards
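The connection count from the post above, as an added example that is not part of the thread: it reads `netstat -ntu` output, counts connections per remote address and flags the addresses above a threshold. Unlike the one-liner it skips the two header lines (which otherwise show up as bogus "addresses" in the count) and strips only the trailing :port, so IPv6 peers are counted correctly. The `SAMPLE_NETSTAT` snapshot, the threshold and the function names are constructed for this example; on a live host pipe `netstat -ntu` in instead.

```shell
#!/bin/sh
# Added example, not from the thread: per-remote-address connection counts
# from `netstat -ntu` output, with a threshold to flag the busiest peers.
# SAMPLE_NETSTAT is a constructed snapshot; replace it with real netstat output.

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51237      TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::77:5123     ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:33060         ESTABLISHED'

# count_per_ip: prints "<connections> <remote address>", busiest first.
# Reads netstat output on stdin; the first two lines are netstat's headers.
count_per_ip() {
  awk 'NR > 2 && NF >= 5 { addr = $5; sub(/:[^:]*$/, "", addr); n[addr]++ }
       END { for (a in n) print n[a], a }' | sort -rn
}

# flag_heavy_talkers THRESHOLD: only the addresses with more than THRESHOLD
# connections. Loopback peers are excluded: local clients (here the web app
# talking to mysql) are not the remote party you are looking for.
flag_heavy_talkers() {
  count_per_ip | awk -v t="$1" '$1 > t && $2 != "127.0.0.1" && $2 != "::1" { print $2 }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip
echo '--- more than 2 connections ---'
printf '%s\n' "$SAMPLE_NETSTAT" | flag_heavy_talkers 2
```

A single address holding a few hundred connections is a strong hint but not proof of an attack: a busy proxy, a NAT gateway in front of many users, or a monitoring system can look the same, so check what the connections are doing (state column, requested URLs in the web log) before blocking.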
 
I think I replied here? Why is it not showing now? Did someone delete my post?

Yes, I think I'm out of memory, but I think there is either a problem or an attack.

Running top, I got this:
Code:
top - 15:04:55 up 2:42, 1 user, load average: 79.21, 51.87, 41.87
Tasks: 354 total, 37 running, 316 sleeping, 0 stopped, 1 zombie
Cpu(s): 83.7%us, 5.5%sy, 0.0%ni, 10.8%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2097152k total, 1493452k used, 603700k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached


PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
13323 mysql 10 -5 482m 68m 3028 S 19 3.3 0:08.96 mysqld
12279 mysql 10 -5 482m 68m 3028 D 18 3.3 0:09.81 mysqld
13314 mysql 11 -5 482m 68m 3028 S 18 3.3 0:09.84 mysqld
13329 mysql 11 -5 482m 68m 3028 D 18 3.3 0:08.03 mysqld
15430 mysql 11 -5 482m 68m 3028 D 18 3.3 0:00.59 mysqld
15417 mysql 10 -5 482m 68m 3028 S 18 3.3 0:00.58 mysqld
15409 mysql 11 -5 482m 68m 3028 D 12 3.3 0:00.58 mysqld
12261 mysql 11 -5 482m 68m 3028 S 11 3.3 0:06.28 mysqld
12271 mysql 11 -5 482m 68m 3028 D 10 3.3 0:08.61 mysqld
15410 mysql 10 -5 482m 68m 3028 S 10 3.3 0:00.59 mysqld
12259 mysql 11 -5 482m 68m 3028 S 10 3.3 0:07.17 mysqld
12286 mysql 11 -5 482m 68m 3028 S 10 3.3 0:05.99 mysqld
13348 mysql 11 -5 482m 68m 3028 D 10 3.3 0:10.13 mysqld
12267 mysql 10 -5 482m 68m 3028 S 9 3.3 0:07.17 mysqld
13318 mysql 12 -5 482m 68m 3028 D 9 3.3 0:06.86 mysqld
13320 mysql 11 -5 482m 68m 3028 D 9 3.3 0:09.55 mysqld
12275 mysql 11 -5 482m 68m 3028 D 9 3.3 0:10.40 mysqld
13312 mysql 11 -5 482m 68m 3028 D 9 3.3 0:05.09 mysqld
13350 mysql 11 -5 482m 68m 3028 R 9 3.3 0:10.41 mysqld
13385 mysql 11 -5 482m 68m 3028 D 9 3.3 0:05.64 mysqld
15408 mysql 11 -5 482m 68m 3028 D 9 3.3 0:00.29 mysqld
15419 mysql 11 -5 482m 68m 3028 S 9 3.3 0:00.58 mysqld
15427 mysql 11 -5 482m 68m 3028 R 9 3.3 0:00.29 mysqld
13313 mysql 11 -5 482m 68m 3028 R 8 3.3 0:08.32 mysqld
12266 mysql 11 -5 482m 68m 3028 R 7 3.3 0:07.07 mysqld
12281 mysql 11 -5 482m 68m 3028 R 7 3.3 0:06.77 mysqld
13327 mysql 11 -5 482m 68m 3028 R 6 3.3 0:07.35 mysqld
13334 mysql 11 -5 482m 68m 3028 D 5 3.3 0:07.15 mysqld
12276 mysql 10 -5 482m 68m 3028 S 3 3.3 0:06.85 mysqld
12274 mysql 11 -5 482m 68m 3028 S 2 3.3 0:06.88 mysqld
13386 mysql 11 -5 482m 68m 3028 D 2 3.3 0:04.79 mysqld
3498 apache 15 0 27420 14m 2964 S 2 0.7 0:03.47 httpd
3958 apache 16 0 24736 12m 3352 S 2 0.6 0:03.13 httpd
7988 apache 16 0 26748 13m 2940 S 2 0.7 0:02.04 httpd


MySQL is taking all the CPU usage. What can I do now?
Does vBulletin give a database error if there is not sufficient memory?

What can I do now? Any ideas please
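The diagnosis procedure given earlier in the thread ("run top and see which program is eating up memory") and the top snapshot posted above, as an added example that is not part of the thread: a snapshot like the one above lists each mysqld worker at only 3.3% memory, so the script below sums %CPU and %MEM per command name to show what a daemon costs in total, and pulls the free-RAM and swap figures out of the Mem:/Swap: lines. `SAMPLE_TOP` is a constructed snapshot modelled on the posted one; on a live host pipe `top -b -n 1` in instead.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a `top -b -n 1` snapshot per
# command name and report memory headroom. SAMPLE_TOP is constructed.

SAMPLE_TOP='top - 15:04:55 up 2:42, 1 user, load average: 79.21, 51.87, 41.87
Tasks: 354 total, 37 running, 316 sleeping, 0 stopped, 1 zombie
Cpu(s): 83.7%us, 5.5%sy, 0.0%ni, 10.8%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2097152k total, 1493452k used, 603700k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached

  PID USER     PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
13323 mysql    10  -5  482m  68m 3028 S   19  3.3 0:08.96 mysqld
12279 mysql    10  -5  482m  68m 3028 D   18  3.3 0:09.81 mysqld
13314 mysql    11  -5  482m  68m 3028 S   18  3.3 0:09.84 mysqld
 3498 apache   15   0 27420  14m 2964 S    2  0.7 0:03.47 httpd
 3958 apache   16   0 24736  12m 3352 S    2  0.6 0:03.13 httpd
  101 root     15   0  2000   1m  800 S    0  0.1 0:00.10 sshd'

# summarise_by_command: one line per command, "<command> <procs> <sum %CPU> <sum %MEM>",
# highest total CPU first. Reads a top snapshot on stdin.
summarise_by_command() {
  awk '
    /^ *PID +USER/ { in_table = 1; next }        # header of the process table
    in_table && NF >= 12 { procs[$12]++; cpu[$12] += $9; mem[$12] += $10 }
    END { for (c in procs) printf "%s %d %.1f %.1f\n", c, procs[c], cpu[c], mem[c] }
  ' | sort -k3,3 -rn
}

# mem_free_kb / swap_total_kb: the headroom figures from the Mem:/Swap: lines (kB).
mem_free_kb()   { awk '/^Mem:/  { sub(/k$/, "", $6); print $6; exit }'; }
swap_total_kb() { awk '/^Swap:/ { sub(/k$/, "", $2); print $2; exit }'; }

# headroom_report: human-readable summary. With no swap at all, the first
# spike past physical RAM makes fork() fail outright, so that case is flagged.
headroom_report() {
  snapshot="$(cat)"
  free="$(printf '%s\n' "$snapshot" | mem_free_kb)"
  swap="$(printf '%s\n' "$snapshot" | swap_total_kb)"
  printf 'free RAM: %s kB, swap: %s kB\n' "$free" "$swap"
  [ "$swap" -eq 0 ] && echo 'WARNING: no swap configured; a spike past RAM will fail allocations'
  return 0
}

printf '%s\n' "$SAMPLE_TOP" | summarise_by_command
printf '%s\n' "$SAMPLE_TOP" | headroom_report
```

Read the per-command totals together with the load average: a load of 79 on a box whose processes sit in state D (uninterruptible wait) and R points at many concurrent database queries, not at a single leaking process, which matches case 2) or 4) of the earlier reply rather than case 1).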
 
There are lots of connections to MySQL starting and taking lots of CPU? Isn't this an attack?

300-400 instant tasks, that makes no sense?
 
Sorry for replying so openly, but I want to provide as much info as possible.

I blocked the IP which was suspected using
Code:
iptables -I INPUT -s IP_ADDRESS_HERE -j DROP
At once, all attacks stopped (although some connection starts for 1-2 seconds taking around 30% of CPU usage), but my website is running as before now.

But I noted that after restarting the server and executing
Code:
/sbin/iptables -L -n
the IP is no longer blocked? What is wrong?

Need some guidance please.
Regards
 
but I noted that after restarting the server and executing
/sbin/iptables -L -n
the IP is no longer blocked? What is wrong?
When you drop an ip# from the command line it will stay dropped only until the firewall is restarted. Restarting your system of course restarts the firewall.

Put your line:
Code:
iptables -I INPUT -s IP_ADDRESS_HERE -j DROP
at the bottom of your rc.local file to make sure the drop will occur every time you restart your computer.

Or drop it using whatever firewall you're using. Firewalls generally maintain state after a reboot.

It appears you're being attacked by someone; perhaps someone who doesn't like you. Since you've posted neither your site information nor the IP# that's trying to attack you it's not possible for us to help you figure out the reason.

Which is fine with us of course :).

Jeff
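One way to make the drop survive a reboot along the lines of the reply above, as an added example that is not part of the thread: keep the blocked addresses in a file, validate each entry, and have rc.local (or a cron job) re-apply the DROP rules. The file path `/etc/blocklist.txt`, the function names and the sample entries are assumptions made for this example; the `iptables -C` rule-check option is a real option but is missing on very old iptables releases, where the script still works and merely inserts duplicate rules on each run.

```shell
#!/bin/sh
# Added example, not from the thread: re-apply DROP rules from a blocklist
# file at boot, instead of a one-off `iptables -I INPUT -s ... -j DROP` that
# vanishes when the firewall restarts. Paths and names are assumptions.

BLOCKLIST="${BLOCKLIST:-/etc/blocklist.txt}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# is_ipv4 ADDR: accept only a dotted quad, optionally with /prefix, so a typo
# in the file cannot become a malformed or over-broad rule.
is_ipv4() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 4 && NF != 5 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
      if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) exit 1 }'
}

# valid_entries FILE: print each usable address, one per line. Comments and
# blank lines are skipped; invalid entries are reported on stderr and ignored.
valid_entries() {
  while IFS= read -r line || [ -n "$line" ]; do
    entry="$(printf '%s' "${line%%#*}" | tr -d '[:space:]')"
    [ -n "$entry" ] || continue
    if is_ipv4 "$entry"; then
      printf '%s\n' "$entry"
    else
      printf 'blocklist: skipping invalid entry "%s"\n' "$entry" >&2
    fi
  done < "$1"
}

# render_rules FILE: the iptables commands that apply_rules would run (dry run).
render_rules() {
  valid_entries "$1" | while IFS= read -r addr; do
    printf '%s -I INPUT -s %s -j DROP\n' "$IPTABLES" "$addr"
  done
}

# apply_rules FILE: insert each rule only if it is not already present (-C),
# so the script is safe to run repeatedly: at boot from rc.local and by hand.
apply_rules() {
  valid_entries "$1" | while IFS= read -r addr; do
    "$IPTABLES" -C INPUT -s "$addr" -j DROP 2>/dev/null ||
      "$IPTABLES" -I INPUT -s "$addr" -j DROP
  done
}

# Constructed sample list; a temporary file stands in for /etc/blocklist.txt.
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
# addresses blocked after the connection flood, one per line
198.51.100.7          # flooding httpd
203.0.113.0/24        # a whole range
999.1.1.1             # typo: must be skipped
EOF
render_rules "$SAMPLE_LIST"
rm -f "$SAMPLE_LIST"
# From the bottom of rc.local, call:  apply_rules "$BLOCKLIST"
```

If a firewall such as csf is already managing the rules, add the address to that firewall's own deny list instead; two tools editing the same chain tend to overwrite each other's rules on restart.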
 
This is the IP of the attacker; if you encounter any problems from this IP, do not hesitate to block it:
93.190.138.226

Can you please give me the full path to that rc.local?
About my website, sorry, but I really prefer not to give any link.
Thank you very much
 
On my CentOS servers it's at /etc/rc.d/rc.local with a link at /etc/rc.local.

On your server it could be elsewhere.

As root, try:
Code:
# locate rc.local
Jeff
 