Server works slowly

dreamfox (Verified User, joined Mar 13, 2006, 50 messages)
Hello

My server is very slow and loses connections.
The first 3 services are:

85620 apache 1 114 0 4120K 3532K CPU1 0 22.0H 78.86% perl5.8.8
85613 apache 1 113 0 4120K 3532K CPU2 0 22.0H 75.20% perl5.8.8

The 3rd one was a named process.

In the message log there is:
Feb 9 10:47:47 damian ipmon[588]: 10:47:46.386290 em0 @0:16 b 83.98.163.250,54525 -> 1.2.3.4,6667 PR tcp len 20 64 -S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:46.386464 em0 @0:16 b 83.98.163.250,54526 -> 66.197.213.21,6667 PR tcp len 20 64 -S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:46.386731 em0 @0:16 b 83.98.163.250,54527 -> 1.2.3.4,6667 PR tcp len 20 64 -S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:46.386906 em0 @0:16 b 83.98.163.250,54528 -> 66.197.213.21,6667 PR tcp len 20 64 -S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:46.387172 em0 @0:16 b 83.98.163.250,54529 -> 1.2.3.4,6667 PR tcp len 20 64 -S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:46.387346 em0 @0:16 b 83.98.163.250,54530 -> 66.197.213.21,6667 PR tcp len 20 64 -S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:46.387605 em0 @0:16 b 83.98.163.250,54531 -> 1.2.3.4,6667 PR tcp len 20 64 -S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:46.387841 em0 @0:16 b 83.98.163.250,54532 -> 66.197.213.21,6667 PR tcp len 20 64 -S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:47.375176 em0 @0:13 b 83.98.163.250,58405 -> 66.197.213.21,6667 PR tcp len 20 64 -S K-S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:47.375266 em0 @0:13 b 83.98.163.250,58406 -> 1.2.3.4,6667 PR tcp len 20 64 -S K-S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:47.375739 em0 @0:13 b 83.98.163.250,58407 -> 66.197.213.21,6667 PR tcp len 20 64 -S K-S OUT

Now I killed the named process and it's normal now.
What happened, and what can I do to prevent this?
 
You need to regularly scan for malicious scripts and automatically kill them.
 
And since you didn't show us the named process it's impossible to see if there was a problem with it, but it's unlikely that the problem was the named daemon.

However, your (or your client's) process named ipmon might have been calling the named daemon a larger than reasonable number of times.

Jeff
 
Today the problem occurred again.

here are the processes:

PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
2797 apache 1 106 0 4120K 3476K CPU3 0 49.8H 77.39% perl5.8.8
1168 bind 1 99 0 7624K 6360K select 1 898:59 24.41% named
1197 mysql 32 20 0 439M 114M kserel 0 885:12 9.81% mysqld
49315 apache 1 96 0 32484K 25528K select 1 0:03 0.93% httpd
49608 apache 1 96 0 31388K 24480K select 0 0:01 0.83% httpd
48948 apache 1 4 0 32580K 25624K sbwait 3 0:03 0.73% httpd
49399 apache 1 20 0 32484K 25520K lockf 1 0:02 0.54% httpd
49398 apache 1 20 0 31576K 24648K lockf 2 0:02 0.39% httpd
48763 apache 1 20 0 32500K 25540K lockf 0 0:04 0.34% httpd
49422 apache 1 20 0 32828K 25868K lockf 0 0:02 0.34% httpd
 
I would assume this is your issue - someone's got a perl script going, or there's a server compromise:

2797 apache 1 106 0 4120K 3476K CPU3 0 49.8H 77.39% perl5.8.8

If you need further assistance with it, feel free to let me know
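The two symptoms in this thread (a perl interpreter burning CPU under the apache user, and the ipmon log showing a burst of outbound connection attempts to tcp/6667, the classic IRC port used by bots) can both be spotted mechanically. The script below is an added example, not code from the thread or from nobodycheck; the sample log lines and top output are constructed in the formats shown above, and the port list, web server user names, interpreter names and CPU threshold are assumptions you should adjust for your own hosts.

```python
import re
from collections import defaultdict

# Constructed samples in the formats shown in the thread: ipmon lines for
# outbound SYNs to tcp/6667 plus one unrelated line, and top(1) output.
IPMON_LOG = """\
Feb 9 10:47:47 damian ipmon[588]: 10:47:46.386290 em0 @0:16 b 83.98.163.250,54525 -> 1.2.3.4,6667 PR tcp len 20 64 -S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:46.386464 em0 @0:16 b 83.98.163.250,54526 -> 66.197.213.21,6667 PR tcp len 20 64 -S OUT
Feb 9 10:47:47 damian ipmon[588]: 10:47:47.375176 em0 @0:13 b 83.98.163.250,58405 -> 66.197.213.21,6667 PR tcp len 20 64 -S K-S OUT
Feb 9 10:48:01 damian ipmon[588]: 10:48:01.000321 em0 @0:5 p 83.98.163.250,44000 -> 192.0.2.10,80 PR tcp len 20 64 -S OUT
"""
TOP_OUTPUT = """\
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
2797 apache 1 106 0 4120K 3476K CPU3 0 49.8H 77.39% perl5.8.8
1168 bind 1 99 0 7624K 6360K select 1 898:59 24.41% named
49315 apache 1 96 0 32484K 25528K select 1 0:03 0.93% httpd
"""

IPMON_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<iface>\S+) @\S+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)
IRC_PORTS = set(range(6660, 6670)) | {7000}  # assumed list of common IRC ports

def irc_connect_bursts(log_text, min_attempts=3):
    """Return {src: [dst, ...]} for sources with >= min_attempts outbound TCP
    attempts to IRC ports, whether the firewall blocked (b) or passed (p) them."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = IPMON_RE.search(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) not in IRC_PORTS:
            continue
        attempts[m["src"]].append(m["dst"])
    return {src: sorted(set(dsts)) for src, dsts in attempts.items() if len(dsts) >= min_attempts}

def suspicious_processes(top_text, web_users=("apache", "nobody", "www"),
                         interpreters=("perl", "php", "python", "sh"), min_cpu=25.0):
    """Flag interpreter processes owned by the web server user above a CPU threshold:
    httpd itself is expected under that user, a long-running perl is not."""
    flagged = []
    for line in top_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 12:
            continue
        pid, user, wcpu, command = cols[0], cols[1], cols[10], cols[11]
        cpu = float(wcpu.rstrip("%"))
        if user in web_users and command.startswith(interpreters) and cpu >= min_cpu:
            flagged.append((int(pid), user, command, cpu))
    return flagged
```

Run the same two checks from cron against `/var/log/messages` and `top -b` output and you get an alert within a minute instead of waiting for users to report a slow server.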
 
Code:
wget http://www.webhostgear.com/projects/nobodycheck/install.sh
perl -pi -e 's/0 \*\/1 \* \* \*/\* \* \* \* \*/' install.sh
sh install.sh
 
Floyd,

Something tells me you've just shown us a great resource :).

Would you mind explaining?

Thanks.

Jeff
 
Joe,

Brandy may be dandy, but I swear by Newcastle Ale. Just the touch after a hard night's administration.

Jeff
 
hostpc showed me this script over on another thread about "Illegal apache processes" or something like that. I started it with a script I had written and then hostpc showed me this one over at http://www.webhostgear.com/353.html

I then edited my original post and referred to this site.

Anyway ....

During the install of nobodycheck it sets up a cron job to check every hour for malicious scripts. I thought that was way too long to wait. So I have perl edit the cronjob in the install script to check every minute instead.

The regex just substitutes 0 */1 * * * with * * * * * for the cronjob before the install runs. I could have just substituted the 0 but I also don't like the way */1 looks. It's 2 more characters than needed. And the longer regex makes me look smarter than I really am. :)
 
If you had any idea how hard Newcastle is to find here in upstate NY, you'd take brandy as a sub any day :)

Dandy? hell ya! :)

Really? I'd imagine Hannafords would carry it at least for the masses. You can always go to a bev distro (Colvin Ave?) near downtown Alb.
 