Server exploit? High load

patrickkasie

Dear DirectAdmin forum,

For 2 weeks we have been experiencing high loads on 2 of our VPSes. Initially I thought it had something to do with 1 of the websites on it being complex and the server just having trouble serving everyone their content. But it looks like an exploit, judging by the fact that it's happening on 2 separate servers with similar IP addresses connecting to the servers. I find it particularly difficult to determine this with 100% certainty. This is what I get from DirectAdmin:

Code:
Warning: The system load average is 10.1
24-6-2024, 10:48

This is an automated message notifying you that the 5 minute load average on your system is 10.1.
This has exceeded the 10 threshold.

One Minute      - 15.49
Five Minutes    - 10.1
Fifteen Minutes - 8.13

top - 10:48:38 up  1:25,  2 users,  load average: 15.49, 10.10, 8.13
Tasks: 297 total,  11 running, 286 sleeping,   0 stopped,   0 zombie
%Cpu(s): 73.9 us, 25.0 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  1.1 si,  0.0 st
KiB Mem :  8008420 total,   516024 free,  5799160 used,  1693236 buff/cache
KiB Swap:  1048572 total,   693756 free,   354816 used.  1895160 avail Mem 

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
16593 www774    20   0  508848 142964   7972 R  38.1  1.8   1:41.53 php-fpm: pool www774
17716 tennisv+  20   0  365576  98792   7520 R  38.1  1.2   0:29.65 php-fpm: pool tennisvere
18229 www774    20   0  560092 199408   5400 R  38.1  2.5   0:19.14 php-fpm: pool www774
18259 www774    20   0  508892 149668   5408 R  33.3  1.9   0:18.26 php-fpm: pool www774
14184 www774    20   0  514480 148856   7976 R  28.6  1.9   4:03.65 php-fpm: pool www774
18237 www774    20   0  526300 167540   5404 R  28.6  2.1   0:16.92 php-fpm: pool www774
 1157 mysql     20   0 2849752 715964   5252 S  23.8  8.9  15:59.74 /usr/sbin/mysqld
18324 tennisv+  20   0  369676 101816   7296 R  23.8  1.3   0:10.56 php-fpm: pool tennisvere
17317 www774    20   0  576440 211008   7976 S  19.0  2.6   0:55.94 php-fpm: pool www774
18233 www774    20   0  525276 165428   5404 R  19.0  2.1   0:19.08 php-fpm: pool www774
18261 www774    20   0  520732 161760   5420 R  19.0  2.0   0:17.47 php-fpm: pool www774
15994 www774    20   0  568108 202276   8096 R  14.3  2.5   2:25.24 php-fpm: pool www774
18596 root      20   0   58556   2268   1488 R   9.5  0.0   0:00.03 /usr/bin/top -c -b -n 1
 1621 apache    20   0 3214344  31848   3900 S   4.8  0.4   0:19.44 /usr/sbin/httpd -DFOREGROUND
    1 root      20   0  125580   2476   1448 S   0.0  0.0   0:01.75 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.00 [kthreadd]
    4 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 [kworker/0:0H]
    6 root      20   0       0      0      0 S   0.0  0.0   0:00.66 [ksoftirqd/0]
    7 root      rt   0       0      0      0 S   0.0  0.0   0:00.06 [migration/0]
    8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 [rcu_bh]
    9 root      20   0       0      0      0 S   0.0  0.0   0:12.25 [rcu_sched]
   10 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 [lru-add-drain]
   11 root      rt   0       0      0      0 S   0.0  0.0   0:00.02 [watchdog/0]
I/O Information:
Total DISK READ :       0.00 B/s | Total DISK WRITE :      18.32 M/s
Actual DISK READ:       0.00 B/s | Actual DISK WRITE:      21.54 M/s
  TID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN      IO    COMMAND
 1255 be/4 mysql       0.00 B/s   18.27 M/s  0.00 %  9.59 % mysqld
 1591 be/4 mysql       0.00 B/s   16.02 K/s  0.00 %  4.20 % mysqld
 3031 be/4 mysql       0.00 B/s    0.00 B/s  0.00 %  0.00 % mysqld
    1 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % systemd --switched-root --system --deserialize 22
    2 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kthreadd]
 2051 be/4 apache      0.00 B/s    0.00 B/s  0.00 %  0.00 % httpd -DFOREGROUND
    4 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/0:0H]
 2053 be/4 apache      0.00 B/s    0.00 B/s  0.00 %  0.00 % httpd -DFOREGROUND
    6 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/0]
    7 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [migration/0]
    8 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [rcu_bh]
    9 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [rcu_sched]
   10 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [lru-add-drain]
   11 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [watchdog/0]
   12 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [watchdog/1]
   13 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [migration/1]
   14 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/1]
 2063 be/4 apache      0.00 B/s    0.00 B/s  0.00 %  0.00 % httpd -DFOREGROUND
   16 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/1:0H]
   17 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [watchdog/2]
   18 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [migration/2]
   19 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/2]
 2068 be/4 apache      0.00 B/s    0.00 B/s  0.00 %  0.00 % httpd -DFOREGROUND
   21 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/2:0H]
   22 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [watchdog/3]
   23 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [migration/3]
   24 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/3]

Connection counts:
      1 
      1 139.59.35.248
      1 43.134.34.133
      1 46.145.21.60
      1 52.167.144.20
      1 52.98.166.85
      1 71.6.134.233
      2 188.166.112.5
      2 77.173.161.57
      2 77.63.121.205
      3 77.249.13.28
      3 77.63.4.142
      4 3.224.220.101
      4 77.174.220.157
      4 77.60.131.188
      6 86.80.42.175
      9 23.22.35.162
     12 2a02

IP '2a02' currently has '12' connections

Connection info for '2a02':
tcp6       0      0 2a01:7c8:aab8:aa::1:143 2a02:a473:c034:1::50159 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:993 2a02:a473:c034:1::50234 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:143 2a02:a473:c034:1::50155 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:143 2a02:a473:c034:1::50151 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:143 2a02:a473:c034:1::50152 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:143 2a02:a473:c034:1::50157 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:143 2a02:a473:c034:1::50153 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:143 2a02:a473:c034:1::50150 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:993 2a02:a473:c034:1::50154 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:993 2a02:a473:c034:1::50236 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:993 2a02:a473:c034:1::50148 ESTABLISHED
tcp6       0      0 2a01:7c8:aab8:aa::1:143 2a02:a473:c034:1::50156 ESTABLISHED

Top Memory Usage:
mysql     1157 18.6  8.9 2849752 715968 ?      Ssl  09:22  16:00 /usr/sbin/mysqld
www774   18229 15.3  2.7 585824 219712 ?       R    10:46   0:20 php-fpm: pool www774
www774   15994 15.8  2.5 570668 204324 ?       R    10:33   2:25 php-fpm: pool www774
www774   17332 11.5  2.4 564120 198224 ?       R    10:40   0:54 php-fpm: pool www774
www774   17317 11.6  2.4 561036 195604 ?       S    10:40   0:55 php-fpm: pool www774
www774   12074 15.0  2.4 559020 193704 ?       R    10:10   5:44 php-fpm: pool www774
www774   18235 14.4  2.2 545128 179160 ?       S    10:46   0:18 php-fpm: pool www774
www774   18237 13.6  2.1 531420 170640 ?       R    10:46   0:17 php-fpm: pool www774
www774   15995 15.9  2.1 537520 170956 ?       R    10:33   2:26 php-fpm: pool www774
www774   18261 14.7  2.0 523292 164076 ?       R    10:46   0:18 php-fpm: pool www774

Virtual Memory Info:
procs -----------------------memory---------------------- ---swap-- -----io---- -system-- --------cpu-------- -----timestamp-----
 r  b         swpd         free         buff        cache   si   so    bi    bo   in   cs  us  sy  id  wa  st                CEST
15  0       354816       533772            0      1698964   32   48   587  2473 1044  985  59  21  19   1   0 2024-06-24 10:48:40
14  2       354816       519664            0      1698888    0    0     0 12588 4373 1957  72  28   0   0   0 2024-06-24 10:48:41
14  0       354816       588408            0      1698888    0    0     0  9653 4233 2458  74  26   0   0   0 2024-06-24 10:48:42

Current MySQL Queries
1    system user        NULL    Daemon    NULL    InnoDB purge worker    NULL    0.000
2    system user        NULL    Daemon    NULL    InnoDB purge worker    NULL    0.000
3    system user        NULL    Daemon    NULL    InnoDB purge coordinator    NULL    0.000
4    system user        NULL    Daemon    NULL    InnoDB purge worker    NULL    0.000
5    system user        NULL    Daemon    NULL    InnoDB shutdown handler    NULL    0.000
8583    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8585    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8586    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8588    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8589    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8591    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8592    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8593    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8594    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8595    www774_wp    localhost    www774_wp    Query    0    Commit    UPDATE `wprubo18_options` SET `option_value` = 'a:2:{s:7:\\"timeout\\";i:1719269323;s:5:\\"value\\";s:71:\\"{\\"success\\":true,\\"license\\":\\"valid\\",\\"expires\\":\\"01.01.2030\\",\\"features\\":[]}\\";}' WHERE `option_name` = '_elementor_pro_license_v2_data'    0.000
8596    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8597    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8598    www774_wp    localhost    www774_wp    Sleep    0        NULL    0.000
8599    da_admin    localhost    NULL    Query    0    Init    SHOW FULL PROCESSLIST    0.000


================================
Automated Message Generated by DirectAdmin 1.664

While this one just happens to be a WP website, the following website and server are not WP-based but have a similar IP range connecting to them:

Code:
Warning: The system load average is 16.58
24-6-2024, 09:03
This is an automated message notifying you that the 5 minute load average on your system is 16.58.
This has exceeded the 10 threshold.
One Minute      - 23.81
Five Minutes    - 16.58
Fifteen Minutes - 13.33
top - 07:03:19 up 11 days, 21:49,  1 user,  load average: 23.81, 16.58, 13.33
Tasks: 291 total,  14 running, 277 sleeping,   0 stopped,   0 zombie
%Cpu(s): 72.1 us, 26.7 sy,  1.2 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  3879956 total,   143608 free,  1560312 used,  2176036 buff/cache
KiB Swap:  1048572 total,   837884 free,   210688 used.  1874488 avail Mem 
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1216 mysql     20   0 1019456 289792   7776 S 115.2  7.5  24707:41 /usr/sbin/mysqld
13406 root      20   0   58696   2220   1488 R   6.1  0.1   0:00.03 /usr/bin/top -c -b -n 1
 4679 www8730   20   0  315908  13056   4676 R   3.0  0.3   0:12.01 php-fpm: pool www8730
12555 root      20   0       0      0      0 R   3.0  0.0   0:00.06 [kworker/0:2]
29806 apache    20   0 2167732  32572   4612 S   3.0  0.8   4124:44 /usr/sbin/httpd -DFOREGROUND
    1 root      20   0  125724   3416   2128 S   0.0  0.1   3:22.15 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.22 [kthreadd]
    4 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 [kworker/0:0H]
    6 root      20   0       0      0      0 S   0.0  0.0   0:57.61 [ksoftirqd/0]
    7 root      rt   0       0      0      0 S   0.0  0.0   0:01.19 [migration/0]
    8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 [rcu_bh]
    9 root      20   0       0      0      0 R   0.0  0.0  11:29.76 [rcu_sched]
   10 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 [lru-add-drain]
   11 root      rt   0       0      0      0 S   0.0  0.0   0:05.58 [watchdog/0]
   12 root      rt   0       0      0      0 S   0.0  0.0   0:04.98 [watchdog/1]
   13 root      rt   0       0      0      0 S   0.0  0.0   0:01.17 [migration/1]
   14 root      20   0       0      0      0 S   0.0  0.0   1:02.81 [ksoftirqd/1]
   16 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 [kworker/1:0H]
   18 root      20   0       0      0      0 S   0.0  0.0   0:00.00 [kdevtmpfs]
   19 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 [netns]
   20 root      20   0       0      0      0 S   0.0  0.0   0:01.04 [khungtaskd]
   21 root       0 -20       0      0      0 S   0.0  0.0   0:00.30 [writeback]
   22 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 [kintegrityd]
Connection counts:
      1 
      1 145.220.21.40
      1 149.210.210.109
      1 185.104.28.106
      1 185.191.171.3
      1 185.229.191.144
      1 185.31.172.243
      1 188.240.28.120
      1 194.127.172.131
      1 216.244.66.232
      1 2a01
      1 2a02
      1 2a05
      1 40.99.237.29
      1 47.128.22.50
      1 47.128.54.42
      1 47.128.55.166
      1 5.79.108.33
      1 52.230.152.172
      1 52.97.152.93
      1 52.97.205.109
      1 52.98.251.125
      1 54.36.148.127
      1 78.142.193.130
      1 81.4.72.70
      1 84.241.182.97
      1 84.244.155.225
      1 85.159.239.121
      1 93.187.10.106
      1 94.228.142.28
      1 95.179.144.7
      2 2a00
      2 72.225.43.238
      2 77.167.102.186
      2 77.249.13.28
      2 80.61.172.67
      2 81.173.68.216
      2 83.87.93.137
      4 52.230.152.191
      5 84.105.65.213
      6 140.186.240.8
      6 72.186.204.132
     19 2a03
     50 15.184.38.82
IP '15.184.38.82' currently has '50' connections
Connection info for '15.184.38.82':
tcp        0      0 136.144.190.213:80      15.184.38.82:24488      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:59637      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:26292      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:17777      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:56299      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:38517      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:56421      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:58701      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:54573      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:27351      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:37612      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:16976      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:33522      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:8305       SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:8453       SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:49965      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:25800      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:29297      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:44849      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:23967      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:60520      SYN_RECV   
tcp        0      0 136.144.190.213:80      15.184.38.82:50272      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:59340      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:38729      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:62008      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:11619      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:17703      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:22320      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:2938       SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:64441      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:51535      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:47145      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:32722      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:32859      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:50388      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:60765      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:63730      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:7265       SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:22277      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:58224      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:39568      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:36705      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:8021       SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:23862      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:28286      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:9656       SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:1892       SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:48601      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:30894      SYN_RECV   
tcp        0      0 136.144.190.213:443     15.184.38.82:57700      SYN_RECV   
Top Memory Usage:
mysql     1216  144  7.4 1019456 289800 ?      Ssl  Jun12 24707:43 /usr/sbin/mysqld
root      1018  0.0  4.1 2991380 161112 ?      Ssl  Jun12  12:12 /usr/local/directadmin/directadmin server --syslog
named     3692  0.0  2.7 247692 105220 ?       Ssl  Jun12   0:10 /usr/sbin/named -u named -c /etc/named.conf
root     16764  0.0  2.4 327168 95576 ?        Ss   03:22   0:03 spamd
root     16776  0.0  2.3 327168 93016 ?        S    03:22   0:00 spamd child
root     16775  0.0  2.3 327168 92992 ?        S    03:22   0:00 spamd child
root     17256  0.1  0.9 1529176 36080 ?       Ssl  Jun23   2:46 /usr/local/directadmin/directadmin taskq --syslog
root      3813  0.8  0.9 1530724 37440 ?       Ssl  02:00   2:33 /usr/local/directadmin/directadmin taskq --syslog
root      2382  0.0  0.9 1529176 35880 ?       Ssl  Jun22   2:32 /usr/local/directadmin/directadmin taskq --syslog
apache    2363  0.1  0.9 2165792 37408 ?       Sl   01:55   0:34 /usr/sbin/httpd -DFOREGROUND
Virtual Memory Info:
procs -----------------------memory---------------------- ---swap-- -----io---- -system-- --------cpu-------- -----timestamp-----
 r  b         swpd         free         buff        cache   si   so    bi    bo   in   cs  us  sy  id  wa  st                 GMT
29  0       210688       142472            0      2186724    0    0  1017   402   13   16  75  19   6   0   0 2024-06-24 07:03:22
27  0       210688       139568            0      2190184    0    0     0    45 2285 2280  80  20   0   0   0 2024-06-24 07:03:23
28  1       210688       137096            0      2193896    0    0    32   500 2240 2567  78  22   0   0   0 2024-06-24 07:03:24
Current MySQL Queries
1580008 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580015 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580022 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580026 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580028 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580029 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580030 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580031 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580033 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580034 www5700_1 localhost www5700_winkel  Query 1 Writing to net  SELECT `inhalte_text01`, `inhalte_css` FROM `xaranshop_inhalte` WHERE `inhalte_bezeichner` = 'oben_kopftext'  0.000
1580035 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580036 www5700_1 localhost www5700_winkel  Query 2 Writing to net  SELECT count(*) FROM `xaranshop_kategorien` WHERE `kategorien_aktiv` = 1 AND `kategorien_selbstreferenz` = 31533  0.000
1580037 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580038 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580040 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580041 www5700_1 localhost www5700_winkel  Query 0 Writing to net  SELECT count(*) FROM `xaranshop_kategorien` WHERE `kategorien_aktiv` = 1 AND `kategorien_selbstreferenz` = 10260  0.000
1580042 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580043 www5700_1 localhost www5700_winkel  Sleep 0   NULL  0.000
1580045 da_admin  localhost NULL  Query 0 init  SHOW FULL PROCESSLIST 0.000

================================
Automated Message Generated by DirectAdmin 1.664
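The two "Connection info" excerpts in the reports above are not the same kind of traffic. The 12 connections from the 2a02 host are ESTABLISHED sessions to local ports 143 and 993 (IMAP and IMAPS), which is consistent with a mail client keeping several folder sessions open; the 50 from 15.184.38.82 are all SYN_RECV on ports 80 and 443, i.e. half-open handshakes for which no HTTP request has been received yet, so they never reach PHP-FPM or MySQL. The "Connection counts" list also appears to cut IPv6 addresses at the first colon, which is why it shows `2a02` rather than a full address. The following Python script is an added example (not part of the post and not DirectAdmin's own check) that parses netstat-style lines in the report's format, keeps the full remote host, breaks established connections down by local service port and attaches a coarse verdict. The thresholds and the sample lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# One "netstat -tn" style line as printed in the DirectAdmin load report:
#   proto  recv-q  send-q  local-address:port  remote-address:port  state
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s*$"
)

# Local ports that matter for telling web traffic from mail-client traffic.
SERVICE = {80: "http", 443: "https", 143: "imap", 993: "imaps", 25: "smtp", 587: "submission"}


def split_addr(addr):
    """Split 'host:port'. IPv6 hosts contain colons, so split on the last one only."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def report(lines, syn_threshold=20, established_threshold=30):
    """Aggregate connections per remote host and attach a coarse verdict.

    The thresholds are constructed defaults for this example, not DirectAdmin settings.
    """
    conns = defaultdict(list)  # remote host -> [(local port, state), ...]
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header lines, UDP, unix sockets: ignored
        _, lport = split_addr(m["local"])
        rhost, _ = split_addr(m["remote"])
        conns[rhost].append((lport, m["state"]))

    out = {}
    for host, entries in conns.items():
        states = Counter(state for _, state in entries)
        services = Counter(SERVICE.get(port, str(port))
                           for port, state in entries if state == "ESTABLISHED")
        syn, est = states["SYN_RECV"], states["ESTABLISHED"]
        if syn >= syn_threshold:
            # Many half-open handshakes from one source: a backlog problem for the
            # kernel and httpd, not requests that ever reach PHP-FPM or MySQL.
            verdict = "syn_backlog"
        elif est >= established_threshold:
            verdict = "many_established"
        else:
            verdict = "normal"
        out[host] = {"total": len(entries), "syn_recv": syn, "established": est,
                     "services": dict(services), "verdict": verdict}
    return out


# Constructed sample in the report's format (documentation address ranges, not real hosts):
# one mail client holding IMAP/IMAPS sessions, one source with 25 half-open web handshakes,
# and one ordinary HTTPS visitor.
SAMPLE_NETSTAT = (
    [f"tcp6       0      0 2001:db8:1::1:143 2001:db8:2::7:{p} ESTABLISHED" for p in range(50150, 50158)]
    + [f"tcp6       0      0 2001:db8:1::1:993 2001:db8:2::7:{p} ESTABLISHED" for p in range(50230, 50234)]
    + [f"tcp        0      0 192.0.2.10:80      203.0.113.5:{p}      SYN_RECV   " for p in range(20000, 20012)]
    + [f"tcp        0      0 192.0.2.10:443     203.0.113.5:{p}      SYN_RECV   " for p in range(30000, 30013)]
    + ["tcp        0      0 192.0.2.10:443     198.51.100.8:4432       ESTABLISHED"]
)

if __name__ == "__main__":
    for host, info in sorted(report(SAMPLE_NETSTAT).items(), key=lambda kv: -kv[1]["total"]):
        print(f"{host:<22} total={info['total']:<3} syn_recv={info['syn_recv']:<3} "
              f"established={info['established']:<3} services={info['services']} verdict={info['verdict']}")
```

On a live server the same function can be fed the output of `netstat -tn` (or the "Connection info" section of the report) line by line. A `syn_backlog` verdict explains a full listen backlog and slow connection setup, but not a CPU-bound php-fpm and mysqld as in the first report; for that the access log, not the socket table, is the place to look.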
 
So check the website logs and look at the requests: which file are they asking for? What do they send in the POST request, etc.
 
> So check the website logs and look at the requests: which file are they asking for? What do they send in the POST request, etc.

/var/log/httpd/access_log doesn't show anything relevant during this time. DOMAIN2 is not the issue; I will refer to the problematic domain as DOMAIN1.
Code:
OURIP - - [24/Jun/2024:10:42:18 +0200] "GET /roundcube/?_task=login&_err=session HTTP/1.1" 200 3001 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=198514&_mbox=INBOX&_action=show" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:44:09 +0200] "-" 408 0 "-" "-"
147.161.172.176 - - [24/Jun/2024:10:44:36 +0200] "-" 408 2506 "-" "-"
147.161.172.176 - - [24/Jun/2024:10:44:36 +0200] "-" 408 2506 "-" "-"
101.251.238.60 - - [24/Jun/2024:10:45:05 +0200] "-" 408 3837 "-" "-"
OURIP - - [24/Jun/2024:10:46:43 +0200] "GET /roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=192241&_mbox=INBOX&_search=58bbf6d351105c83e97b708fac931fbe&_action=show HTTP/1.1" 200 3099 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:46:46 +0200] "POST /roundcube/?_task=login HTTP/1.1" 302 964 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=192241&_mbox=INBOX&_search=58bbf6d351105c83e97b708fac931fbe&_action=show" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:46:47 +0200] "GET /roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=192241&_mbox=INBOX&_search=58bbf6d351105c83e97b708fac931fbe&_action=show&_token=Fa1WT10ImdomaaUWwpvs93j51aQpQv4Q HTTP/1.1" 200 8818 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=192241&_mbox=INBOX&_search=58bbf6d351105c83e97b708fac931fbe&_action=show" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:46:48 +0200] "GET /roundcube/?_task=mail&_action=getunread&_remote=1&_unlock=0&_=1719218809274 HTTP/1.1" 200 992 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=192241&_mbox=INBOX&_search=58bbf6d351105c83e97b708fac931fbe&_action=show&_token=Fa1WT10ImdomaaUWwpvs93j51aQpQv4Q" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:46:48 +0200] "GET /roundcube/?_task=mail&_action=get&_mbox=INBOX&_uid=192241&_token=Fa1WT10ImdomaaUWwpvs93j51aQpQv4Q&_part=1.2&_embed=1&_mimeclass=image HTTP/1.1" 200 2801 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=192241&_mbox=INBOX&_search=58bbf6d351105c83e97b708fac931fbe&_action=show&_token=Fa1WT10ImdomaaUWwpvs93j51aQpQv4Q" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:46:48 +0200] "GET /roundcube/?_task=mail&_action=pagenav&_uid=192241&_mbox=INBOX&_remote=1&_unlock=loading1719218809304&_=1719218809273 HTTP/1.1" 200 813 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=192241&_mbox=INBOX&_search=58bbf6d351105c83e97b708fac931fbe&_action=show&_token=Fa1WT10ImdomaaUWwpvs93j51aQpQv4Q" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:46:50 +0200] "GET /roundcube/?_task=mail&_uid=192241&_page=1&_mbox=INBOX HTTP/1.1" 200 10639 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=192241&_mbox=INBOX&_search=58bbf6d351105c83e97b708fac931fbe&_action=show&_token=Fa1WT10ImdomaaUWwpvs93j51aQpQv4Q" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:46:50 +0200] "GET /roundcube/?_task=mail&_uid=192241&_page=1&_mbox=INBOX HTTP/1.1" 200 10639 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=192241&_mbox=INBOX&_search=58bbf6d351105c83e97b708fac931fbe&_action=show&_token=Fa1WT10ImdomaaUWwpvs93j51aQpQv4Q" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:46:51 +0200] "GET /roundcube/?_task=mail&_action=getunread&_page=1&_remote=1&_unlock=0&_=1719218812000 HTTP/1.1" 200 725 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:46:51 +0200] "GET /roundcube/?_task=mail&_action=list&_refresh=1&_layout=list&_mbox=INBOX&_page=&_remote=1&_unlock=loading1719218812053&_=1719218811999 HTTP/1.1" 200 3853 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_uid=192241&_page=1&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
71.6.134.233 - - [24/Jun/2024:10:47:29 +0200] "GET / HTTP/1.1" 200 2677 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36"
OURIP - - [24/Jun/2024:10:47:51 +0200] "POST /roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 747 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
OURIP - - [24/Jun/2024:10:48:51 +0200] "POST /roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 748 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
71.6.134.233 - - [24/Jun/2024:10:49:25 +0200] "GET /favicon.ico HTTP/2.0" 404 395 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36"
OURIP - - [24/Jun/2024:10:49:51 +0200] "POST /roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 747 "http://mail.DOMAIN2.nl/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"
124.156.193.7 - - [24/Jun/2024:10:50:32 +0200] "GET / HTTP/1.1" 200 320 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1"
101.251.238.60 - - [24/Jun/2024:10:50:49 +0200] "-" 408 3837 "-" "-"
Other than that, I am looking for a reliable way to do this very thing you're wondering:

> which file are they asking for? What do they send in the POST request, etc.

What is the command or commands to use to find this out?
 
This is how I identify issues.

1 : Check in Resource Limits, find users that have high Task, CPU, Mem, Disk IO
2 : Read the log sizes of all their websites.
3 : Check the logs which have a high average size, find weird spam request URI paths.


So for your problem, start with the biggest log size of their sites and find it.
There is no easy command to see this.
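The steps above (rank the per-site logs by size, then look for odd request paths) and the earlier question (which file are they asking for, what do they POST) both come down to counting who requests what in the Apache access log. The following Python script is an added example, not code from the thread or from DirectAdmin, that parses combined-format lines such as the ones posted above and produces those counts per client, per path and per method, separating hits on PHP scripts (the ones that keep php-fpm and MySQL busy) from static files. The sample lines it runs on are constructed; the `/var/log/httpd/access_log` path is the one named in the thread.

```python
import re
from collections import Counter

# Apache/httpd "combined" log format, as found in /var/log/httpd/access_log and
# in the per-domain logs DirectAdmin keeps for each site.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], target, rec["proto"] = parts
    else:
        # httpd logs "-" as the request line when a client opened a connection but
        # never sent a complete request (the 408 entries seen in the thread).
        rec["method"], target, rec["proto"] = "-", "-", "-"
    rec["path"], _, rec["query"] = target.partition("?")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def summarize(lines, top=5):
    """Who is asking, for which files, with which method, and how much it costs."""
    recs = [r for r in map(parse_line, lines) if r]
    by_ip = Counter(r["ip"] for r in recs)
    by_path = Counter(r["path"] for r in recs)
    # Hits on PHP scripts are what keep php-fpm and MySQL busy; static files are cheap.
    php_by_ip = Counter(r["ip"] for r in recs if r["path"].endswith(".php"))
    posts = Counter(f'{r["ip"]} {r["path"]}' for r in recs if r["method"] == "POST")
    timeouts = Counter(r["ip"] for r in recs if r["status"] == "408")
    bytes_by_ip = Counter()
    for r in recs:
        bytes_by_ip[r["ip"]] += r["size"]
    return {
        "parsed": len(recs),
        "by_ip": dict(by_ip.most_common(top)),
        "by_path": dict(by_path.most_common(top)),
        "php_by_ip": dict(php_by_ip.most_common(top)),
        "posts": dict(posts.most_common(top)),
        "timeouts": dict(timeouts),
        "bytes_by_ip": dict(bytes_by_ip.most_common(top)),
    }


# Constructed sample lines (documentation IP ranges, invented paths), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jun/2024:10:05:27 +0000] "GET /catalog/list.php?kid=1 HTTP/2.0" 200 4596 "-" "Mozilla/5.0 (constructed)"
203.0.113.10 - - [24/Jun/2024:10:05:28 +0000] "GET /catalog/list.php?kid=2 HTTP/2.0" 200 4601 "-" "Mozilla/5.0 (constructed)"
203.0.113.10 - - [24/Jun/2024:10:05:28 +0000] "GET /catalog/list.php?kid=3 HTTP/2.0" 200 4588 "-" "Mozilla/5.0 (constructed)"
203.0.113.10 - - [24/Jun/2024:10:05:29 +0000] "GET /images/logo.jpg HTTP/2.0" 200 18832 "https://example.test/catalog/list.php?kid=3" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [24/Jun/2024:10:05:29 +0000] "POST /login.php HTTP/1.1" 302 964 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [24/Jun/2024:10:05:30 +0000] "POST /contact.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (constructed)"
192.0.2.44 - - [24/Jun/2024:10:05:31 +0000] "-" 408 0 "-" "-"
192.0.2.44 - - [24/Jun/2024:10:05:32 +0000] "GET /favicon.ico HTTP/2.0" 404 395 "-" "Mozilla/5.0 (constructed)"
this line is not in combined format and is skipped
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG.splitlines()), indent=2))
```

Against a real server the call is `summarize(open("/var/log/httpd/access_log").readlines())`, repeated for the per-domain logs ranked by size as in the steps above. Note that the combined format records only the request line, so for a POST it shows the path and query string but not the body; body contents are only available if the application logs them or a web application firewall's audit log is in place.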
 
The second VPS:

> IP '15.184.38.82' currently has '50' connections
> Connection info for '15.184.38.82':


15.184.38.82 is Amazon. I have had some issues with someone who, I think, decided to train their AI on public data for free, but is pushing too hard.

Mine was with 3 Amazon IPs; I ended up blocking the entire range.

Plus some bots from Singapore 128 do the same, but from multiple IPs...
 
1. We don't have the propack

2 and 3
VPS1
Code:
141.224.230.53 - - [24/Jun/2024:10:05:27 +0000] "GET /catalogisch/artikelauswahl.php?kids=1277_19411 HTTP/2.0" 200 4596 "https://DOMAIN1/catalogisch/artikelauswahl.php?kids=1277_19409" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
2a03:2880:13ff:26::face:b00c - - [24/Jun/2024:10:05:26 +0000] "GET /catalogisch/artikelauswahl.php?kid=30166&von=3&sb=&so1=&so2=&so3=&anzahlproseite=50 HTTP/2.0" 200 74123 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
2a03:2880:15ff:72::face:b00c - - [24/Jun/2024:10:05:27 +0000] "GET /catalogisch/artikelauswahl.php?kid=16629&von=1&sb=&so1=&so2=&so3=&anzahlproseite=50 HTTP/2.0" 200 41644 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
2a03:2880:27ff:a::face:b00c - - [24/Jun/2024:10:05:27 +0000] "GET /catalogisch/artikelauswahl.php?kid=11780&von=7&sb=&so1=&so2=&so3=&anzahlproseite=10 HTTP/2.0" 200 45388 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
2a03:2880:27ff:17::face:b00c - - [24/Jun/2024:10:05:29 +0000] "GET /catalogisch/artikelauswahl.php?kid=13397 HTTP/2.0" 200 33149 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
141.224.230.53 - - [24/Jun/2024:10:05:28 +0000] "GET /catalogisch/abbildungen/APlogo-pano.jpg HTTP/2.0" 200 18832 "https://DOMAIN1/catalogisch/artikelauswahl.php?kids=1277_19411" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
141.224.230.53 - - [24/Jun/2024:10:05:28 +0000] "GET /catalogisch/abbildungen/APveren-menu.jpg HTTP/2.0" 200 48227 "https://DOMAIN1/catalogisch/artikelauswahl.php?kids=1277_19411" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
141.224.230.53 - - [24/Jun/2024:10:05:28 +0000] "GET /catalogisch/abbildungen/APsuspension-menu.jpg HTTP/2.0" 200 37424 "https://DOMAIN1/catalogisch/artikelauswahl.php?kids=1277_19411" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
141.224.230.53 - - [24/Jun/2024:10:05:28 +0000] "GET /catalogisch/abbildungen/APschroefsets-menu.jpg HTTP/2.0" 200 41544 "https://DOMAIN1/catalogisch/artikelauswahl.php?kids=1277_19411" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
141.224.230.53 - - [24/Jun/2024:10:05:28 +0000] "GET /catalogisch/abbildungen/AP65020393.jpg HTTP/2.0" 200 32852 "https://DOMAIN1/catalogisch/artikelauswahl.php?kids=1277_19411" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"

VPS2
Code:
52.167.144.203 - - [24/Jun/2024:11:49:12 +0200] "GET /wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver=2.1.4-wc.8.8.5 HTTP/2.0" 200 1024 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
52.167.144.203 - - [24/Jun/2024:11:49:12 +0200] "GET /wp-content/plugins/woocommerce/assets/js/selectWoo/selectWoo.full.min.js?ver=1.0.9-wc.8.8.5 HTTP/2.0" 200 21903 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
52.167.144.203 - - [24/Jun/2024:11:49:12 +0200] "GET /wp-includes/js/jquery/ui/mouse.min.js?ver=1.13.2 HTTP/2.0" 200 1164 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
52.167.144.226 - - [24/Jun/2024:11:49:17 +0200] "GET /wp-content/plugins/woocommerce/assets/js/frontend/price-slider.min.js?ver=8.8.5 HTTP/2.0" 200 796 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
52.167.144.226 - - [24/Jun/2024:11:49:17 +0200] "GET /wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=8.8.5 HTTP/2.0" 200 854 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
52.167.144.226 - - [24/Jun/2024:11:49:17 +0200] "GET /wp-content/themes/shoptimizer/assets/js/sv-hover-intent.min.js?ver=1.0.0 HTTP/2.0" 200 672 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
2a01:7c8:aab8:aa::1 - - [24/Jun/2024:11:49:23 +0200] "POST /wp-cron.php?doing_wp_cron=1719222563.4889628887176513671875 HTTP/1.1" 200 3427 "-" "WordPress/6.5.4; https://www.DOMAIN3.nl"
3.224.220.101 - - [24/Jun/2024:11:49:20 +0200] "GET /product-categorie/parket?filter_categorie=ravenna,reseda,jewel,classic-elegance,pure-nordic,victoria,gramercy-park,purebamboo,brentwood,beverly-hills,bel-air,silver-lake,urban-contrast&filter_kleur=grijs-wit,wit-licht,geel-bruin,grijs,donkergrijs,bruin-grijs,geel-wit,lichtbruin,beige&filter_merk=boen,moso&product_cat=parket&query_type_categorie=or&query_type_kleur=or&query_type_merk=or&yith_wcan=1 HTTP/1.1" 301 3936 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
2a01:7c8:aab8:aa::1 - - [24/Jun/2024:11:51:20 +0200] "POST /wp-cron.php?doing_wp_cron=1719222680.4227468967437744140625 HTTP/1.1" 200 3427 "-" "WordPress/6.5.4; https://www.DOMAIN3.nl"
52.167.144.203 - - [24/Jun/2024:11:51:17 +0200] "GET /product-categorie/parket/?yith_wcan=1&product_cat=parket&query_type_kleur=or&filter_kleur=grijs-wit HTTP/2.0" 200 22649 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
 
We also had various attacks from amazonaws.com and ended up just blocking these IPs.
We have sent in abuse messages a couple of times, but that is of little help.
 
The attacks kept going, so the customer has just decided that they want to move to a new dedicated VPS. However, I assume this isn't going to solve anything if the traffic still goes through TransIP instead of Cloudflare. It's just an assumption, but is it a sound one?
 
Your problem: you must configure the csf firewall to detect DDoS on ports 80 and 443.

The related config options are "PORTFLOOD" and "CT_LIMIT".
I can't provide recommended values; it's up to you to tune them.

This will automatically block if incoming traffic passes over the PORTFLOOD threshold.
 
I've just realized the option PORTFLOOD wasn't enabled at this time. But CONNLIMIT was active during this whole ordeal. So CONNLIMIT did not catch it with the following settings:
CONNLIMIT=80;50,443;50

CT_LIMIT was set at 100 and must have also been too high.

Does portflood work with this type of attack? And what value would be good? 20? 5?
 
You need to make sure it does not impact normal clients.

It works the same as when you refresh your web browser too fast.
 
Portflood at 10 did not seem to have any effect. I don't want to put it any lower, as the highest legitimate real user's connection number is 6, so we're stuck with the Cloudflare solution. Or the moving solution. But I'd like to know if we can solve it ourselves using DirectAdmin. If the answer is no, then all of our servers will need a Cloudflare solution, because every single domain name could potentially have this problem.

@smtalk
 
This is from my own experience.

I completely tuned the firewall at layers 4 and 7 a long time ago, but one of my clients' sites still took too much load.

I decided to check their site's code and saw too many curl calls and slow functions, like MySQL selects on big data. I then sent them a request to fix their site for these issues.

After they fixed their site's problems, the load just went back to normal.

This is what my portflood looks like (just an example):
Code:
PORTFLOOD = "443;tcp;25;3"

I can tune it in a sensitive way, because I have automatic unblocking via csf messengerv3.

P.S. Placing it on Cloudflare will give bad results without fixing the root cause issue.
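To judge from the access logs above whether a PORTFLOOD rule such as "443;tcp;25;3" (more than 25 hits in 3 seconds) would catch the burst without touching a legitimate user who peaks at 6, here is an added example, not code from the thread or from csf: it parses combined-format log lines, groups IPv6 clients by prefix (a crawler often rotates through many addresses in one block), and reports the peak per-source count in any sliding window. It assumes requests as a stand-in for new connections (an approximation, since HTTP/2 keep-alive reuses one connection) and uses constructed sample traffic, not the real log data.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as in the access logs above; TS_FMT parses "24/Jun/2024:10:05:27 +0000".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Fields of one combined-format line (ts as datetime), or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def source_key(ip, v6_prefix=64):
    """Group IPv6 clients by prefix: one crawler often rotates through many addresses."""
    if ipaddress.ip_address(ip).version == 6:
        return str(ipaddress.ip_network((ip, v6_prefix), strict=False))
    return ip

def flood_sources(lines, max_hits=25, window_s=3):
    """Sources whose peak request count in any window_s-second window exceeds max_hits,
    mirroring a PORTFLOOD rule like "443;tcp;25;3" (requests approximate connections)."""
    stamps_by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        stamps_by_src[source_key(rec["ip"])].append(rec["ts"])
    flagged = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()                       # access logs are not strictly time-ordered
        window, peak = deque(), 0
        for t in stamps:
            window.append(t)
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak > max_hits:
            flagged[src] = peak
    return flagged

def constructed_lines(ip, n, step_ms):
    """Constructed sample traffic (not real log data): n GETs from ip, one every step_ms ms."""
    base = datetime(2024, 6, 24, 10, 5, 0, tzinfo=timezone.utc)
    return [f'{ip} - - [{(base + timedelta(milliseconds=i * step_ms)).strftime(TS_FMT)}] '
            f'"GET /catalogisch/artikelauswahl.php?kid={i} HTTP/2.0" 200 4596 "-" "Mozilla/5.0"'
            for i in range(n)]
```

Feeding it a constructed 30-hit burst from one IPv4 address, 6 spaced hits from a second one, and 8 IPv6 addresses in one /64 sending 4 hits each flags only the burst and the /64, which is the check to run against the real logs before lowering the thresholds.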
 