hoge load, veel verkeer, httpd process

**blackdragon** · 31/03/09 08:58

Heey mensen,

Sinds vandaag is me opgevallen op mijn dedi server dat de load heel erg schommelt tussen 0,2 - 15.00, er worden tig httpd proccessen gestart en heb ongeveer 50mbit out aan data verkeer.

Echter heb ik geprobeerd servers-status te activeren maar dat lukt me maar niet. om te achterhalen welke site nou zoveel load trekt / of het überhaupt wel een site is.

Weet iemand hier zo een ander handig tooltje?

met netstat kwam ik er ook niet uit.

en dit moet dan weer uitgerekend net weer op mijn verjaardag gebeuren

**mikeh** · 31/03/09 09:15

Hi.

Het kan zijn dat je server gehackt is. En de data wat verstuurd wordt ( 50mbit ) 'udp' pakketjes zijn.
Kun je dit verifiëren ?

ls -la /tmp/
ls -la /var/tmp/

ps -aux
top (optioneel)

**blackdragon** · 31/03/09 09:24

Code:

[root@srv1 ~]# ps -aux
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   2064   288 ?        Ss   Mar01   0:05 init [3]
root         2  0.0  0.0      0     0 ?        S<   Mar01   0:00 [migration/0]
root         3  0.0  0.0      0     0 ?        SN   Mar01   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S<   Mar01   0:00 [watchdog/0]
root         5  0.0  0.0      0     0 ?        S<   Mar01   0:00 [migration/1]
root         6  0.0  0.0      0     0 ?        SN   Mar01   0:00 [ksoftirqd/1]
root         7  0.0  0.0      0     0 ?        S<   Mar01   0:00 [watchdog/1]
root         8  0.0  0.0      0     0 ?        S<   Mar01   0:00 [events/0]
root         9  0.0  0.0      0     0 ?        S<   Mar01   0:00 [events/1]
root        10  0.0  0.0      0     0 ?        S<   Mar01   0:00 [khelper]
root        11  0.0  0.0      0     0 ?        S<   Mar01   0:00 [kthread]
root        15  0.0  0.0      0     0 ?        S<   Mar01   0:00 [kblockd/0]
root        16  0.0  0.0      0     0 ?        S<   Mar01   0:04 [kblockd/1]
root        17  0.0  0.0      0     0 ?        S<   Mar01   0:00 [kacpid]
root        91  0.0  0.0      0     0 ?        S<   Mar01   0:00 [cqueue/0]
root        92  0.0  0.0      0     0 ?        S<   Mar01   0:00 [cqueue/1]
root        95  0.0  0.0      0     0 ?        S<   Mar01   0:00 [khubd]
root        97  0.0  0.0      0     0 ?        S<   Mar01   0:00 [kseriod]
root       168  0.0  0.0      0     0 ?        S<   Mar01   2:11 [kswapd0]
root       169  0.0  0.0      0     0 ?        S<   Mar01   0:00 [aio/0]
root       170  0.0  0.0      0     0 ?        S<   Mar01   0:00 [aio/1]
root       330  0.0  0.0      0     0 ?        S<   Mar01   0:00 [kpsmoused]
root       360  0.0  0.0      0     0 ?        S<   Mar01   0:00 [ata/0]
root       361  0.0  0.0      0     0 ?        S<   Mar01   0:00 [ata/1]
root       362  0.0  0.0      0     0 ?        S<   Mar01   0:00 [ata_aux]
root       366  0.0  0.0      0     0 ?        S<   Mar01   0:00 [scsi_eh_0]
root       367  0.0  0.0      0     0 ?        S<   Mar01   0:00 [scsi_eh_1]
root       368  0.0  0.0      0     0 ?        S<   Mar01   3:50 [kjournald]
root       395  0.0  0.0      0     0 ?        S<   Mar01   0:03 [kauditd]
root       429  0.0  0.0   2248   172 ?        S<s  Mar01   0:00 /sbin/udevd -d
dovecot    559  0.0  0.1   4800  1792 ?        S    Mar30   0:00 pop3-login
root       877  0.0  0.0      0     0 ?        S<   Mar01   0:00 [kedac]
root      1074  0.0  0.0   4484   204 ?        S    Mar16   0:00 /bin/sh /usr/local/zenoss/mysql/bin/safe_mys
mysql     1132  0.0  0.7 109484  8172 ?        Sl   Mar16   3:08 /usr/local/zenoss/mysql/bin/mysqld.bin --def
root      1299  0.0  0.0      0     0 ?        S<   Mar01   0:00 [kmpathd/0]
root      1300  0.0  0.0      0     0 ?        S<   Mar01   0:00 [kmpathd/1]
zenoss    1305  0.0  0.0  11612   932 ?        Ss   Mar16   0:00 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1306  0.0  0.3  14736  3108 ?        S    Mar16   0:07 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1309  0.0  0.0   9724   824 ?        Ss   Mar16   0:00 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1310  0.0  2.7 119088 28120 ?        Sl   Mar16   1:47 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1325  0.0  1.3  50772 13764 ?        S    Mar16  11:50 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1375  0.0  2.2  42328 23372 ?        Sl   Mar16   1:02 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1379  0.0  2.2  42196 22836 ?        Sl   Mar16   0:09 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1383  0.0  2.2  42208 22932 ?        Sl   Mar16   0:49 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1413  0.0  1.0  49324 11064 ?        S    Mar16   0:56 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1463  0.0  2.2  43212 23156 ?        Sl   Mar16   0:09 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1467  0.0  2.4  50164 25268 ?        Sl   Mar16   6:25 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1482  0.0  2.3  44156 24208 ?        Sl   Mar16   0:27 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1498  0.0  2.2  42580 23352 ?        Sl   Mar16   0:32 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1514  0.0  2.2  43704 23396 ?        Sl   Mar16   0:25 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1546  0.0  3.9  65088 40844 ?        Sl   Mar16   2:54 /usr/local/zenoss/python/bin/.python.bin /us
zenoss    1574  0.0  3.9  64864 40760 ?        Sl   Mar16   3:01 /usr/local/zenoss/python/bin/.python.bin /us
root      1905  0.0  0.0  13176   532 ?        S<sl Mar01   1:12 auditd
root      1907  0.0  0.0  14100   748 ?        S<sl Mar01   0:18 /sbin/audispd
root      1999  0.0  0.0   1716   380 ?        Ss   Mar01   0:25 syslogd -m 0
root      2002  0.0  0.0   1668   256 ?        Ss   Mar01   0:00 klogd -x
rpc       2052  0.0  0.0   1804   272 ?        Ss   Mar01   0:00 portmap
root      2089  0.0  0.0   1848   280 ?        Ss   Mar01   0:00 rpc.statd
root      2134  0.0  0.0   5440   144 ?        Ss   Mar01   0:00 rpc.idmapd
dbus      2161  0.0  0.0   2744   672 ?        Ss   Mar01   0:01 dbus-daemon --system
root      2176  0.0  0.0   2144   224 ?        Ss   Mar01   0:00 /usr/sbin/hcid
root      2207  0.0  0.0      0     0 ?        S<   Mar01   0:00 [krfcommd]
root      2255  0.0  0.0  12720   420 ?        Ssl  Mar01   0:01 pcscd
root      2279  0.0  0.0   1908   216 ?        Ss   Mar01   0:00 /usr/bin/hidd --server
root      2299  0.0  0.0  14704   564 ?        Ssl  Mar01   0:00 automount
root      2322  0.0  0.0   1668   220 ?        Ss   Mar01   0:00 /usr/sbin/acpid
root      2337  0.0  0.0   1864   524 ?        Ss   Mar01   0:02 dovecot
root      2354  0.0  0.0   2956  1020 ?        S    Mar01   0:05 dovecot-auth
root      2387  0.0  0.0   2720   232 ?        Ss   Mar01   0:00 xinetd -stayalive -pidfile /var/run/xinetd.p
mail      2515  0.0  0.0   8780   412 ?        Ss   Mar01   0:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.p
root      2531  0.0  0.0   1896   264 ?        Ss   Mar01   0:00 gpm -m /dev/input/mice -t exps2
ftp       2566  0.0  0.1   5760  1248 ?        SLs  Mar01   0:00 proftpd: (accepting connections)
root      2581  0.0  0.0   5260   456 ?        Ss   Mar01   0:09 crond
xfs       2610  0.0  0.0   3464   248 ?        Ss   Mar01   0:00 xfs -droppriv -daemon
root      2639  0.0  0.0   2240   232 ?        Ss   Mar01   0:00 /usr/sbin/atd
68        2690  0.0  0.0   5464   804 ?        Ss   Mar01   0:00 hald
root      2691  0.0  0.0   3132   240 ?        S    Mar01   0:00 hald-runner
68        2698  0.0  0.0   1988   196 ?        S    Mar01   0:00 hald-addon-acpi: listening on acpid socket /
root      2729  0.0  0.2  25764  2664 ?        SN   Mar01   0:01 /usr/bin/python -tt /usr/sbin/yum-updatesd
root      2732  0.0  0.0   2684   616 ?        SN   Mar01   0:00 /usr/libexec/gam_server
nagios    2786  0.0  0.0  12784   732 ?        Ssl  Mar01   0:01 /usr/local/nagios/bin/nagios -d /usr/local/n
root      2807  0.0  0.0   1984   420 ?        S    Mar01   0:00 /usr/sbin/smartd -q never
root      2810  0.0  0.0   1652   156 tty1     Ss+  Mar01   0:00 /sbin/mingetty tty1
root      2811  0.0  0.0   1656   156 tty2     Ss+  Mar01   0:00 /sbin/mingetty tty2
root      2812  0.0  0.0   1652   156 tty3     Ss+  Mar01   0:00 /sbin/mingetty tty3
root      2813  0.0  0.0   1652   156 tty4     Ss+  Mar01   0:00 /sbin/mingetty tty4
root      2819  0.0  0.0   1656   156 tty5     Ss+  Mar01   0:00 /sbin/mingetty tty5
root      2822  0.0  0.0   1652   156 tty6     Ss+  Mar01   0:00 /sbin/mingetty tty6
root      6470  0.0  0.3  36712  3704 ?        Sl   Mar17   0:08 ./sc_serv
named     7037  0.0  0.6  69136  6408 ?        Ssl  Mar05   2:27 /usr/sbin/named -u named
root      7068  0.0  0.0   9736   884 ?        Ss   Mar05   0:00 cupsd
avahi     7093  0.0  0.0   2564   760 ?        Ss   Mar05   0:00 avahi-daemon: running [srv1.local]
avahi     7094  0.0  0.0   2564   108 ?        Ss   Mar05   0:00 avahi-daemon: chroot helper
root      7731  0.0  0.1  14136  1336 ?        Ss   Mar05   0:01 smbd -D
root      7734  0.0  0.0  14136    84 ?        S    Mar05   0:00 smbd -D
root      7735  0.0  0.0   9320   808 ?        Ss   Mar05   0:00 nmbd -D
root      9476  0.0  0.2 174144  2132 ?        SNl  Mar01  23:48 ./server_linux
root     10027  0.0  0.0      0     0 ?        S<   Mar10   0:00 [loop0]
root     10028  0.0  0.0      0     0 ?        S<   Mar10   0:00 [kjournald]
dovecot  15493  0.0  0.1   4800  1788 ?        S    Mar27   0:00 pop3-login
dovecot  15539  0.0  0.1   4804  1792 ?        S    Mar27   0:00 pop3-login
dovecot  15810  0.0  0.1   4804  1792 ?        S    Mar27   0:00 pop3-login
dovecot  15850  0.0  0.1   4804  1788 ?        S    Mar27   0:00 pop3-login
dovecot  15880  0.0  0.1   4800  1792 ?        S    Mar27   0:00 pop3-login
dovecot  15912  0.0  0.1   4800  1784 ?        S    Mar27   0:00 pop3-login
dovecot  15932  0.0  0.1   4800  1784 ?        S    Mar27   0:00 pop3-login
dovecot  16122  0.0  0.1   4800  1784 ?        S    Mar27   0:00 pop3-login
dovecot  16556  0.0  0.1   4804  1792 ?        S    Mar27   0:00 pop3-login
dovecot  16580  0.0  0.1   4804  1792 ?        S    Mar27   0:00 pop3-login
dovecot  16888  0.0  0.1   4804  1788 ?        S    Mar27   0:00 pop3-login
root     20373  0.0  0.0      0     0 ?        S    Mar23   0:00 [pdflush]
root     20795  0.0  0.0      0     0 ?        S    Mar23   0:00 [pdflush]
root     20871  0.0  0.0   4524   208 ?        S    Mar05   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/
mysql    20893  0.0  1.3  38860 13996 ?        S    Mar05   0:04 /usr/sbin/mysqld --basedir=/ --datadir=/var/
mysql    20894  0.0  1.3  38860 13996 ?        S    Mar05   0:05 /usr/sbin/mysqld --basedir=/ --datadir=/var/
mysql    20895  0.0  1.3  38860 13996 ?        S    Mar05   0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/
mysql    20896  0.0  1.3  38860 13996 ?        S    Mar05   0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/
mysql    20897  0.0  1.3  38860 13996 ?        S    Mar05   0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/
mysql    20898  0.0  1.3  38860 13996 ?        S    Mar05   0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/
mysql    20900  0.0  1.3  38860 13996 ?        S    Mar05   0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/
mysql    20901  0.0  1.3  38860 13996 ?        S    Mar05   0:01 /usr/sbin/mysqld --basedir=/ --datadir=/var/
mysql    20902  0.0  1.3  38860 13996 ?        S    Mar05   0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/
mysql    20903  0.0  1.3  38860 13996 ?        S    Mar05   0:14 /usr/sbin/mysqld --basedir=/ --datadir=/var/
root     21248  0.0  0.2  34548  2144 ?        Ss   Mar18   0:00 /usr/bin/spamd -d -c -m5 -H -r /var/run/spam
root     21250  0.0  0.1  34548  1244 ?        S    Mar18   0:00 spamd child
root     21251  0.0  0.1  34548  1276 ?        S    Mar18   0:00 spamd child
dovecot  21788  0.0  0.1   4808  1796 ?        S    Mar30   0:00 imap-login
dovecot  21875  0.0  0.1   4808  1792 ?        S    Mar30   0:00 imap-login
dovecot  22836  0.0  0.1   4804  1792 ?        S    Mar30   0:00 imap-login
dovecot  22838  0.0  0.1   4804  1788 ?        S    Mar30   0:00 imap-login
root     22996  0.0  0.2  25944  2376 ?        Sl   Mar18   0:38 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/r
dovecot  23072  0.0  0.1   4804  1784 ?        S    Mar30   0:00 imap-login
dovecot  23074  0.0  0.1   4808  1792 ?        S    Mar30   0:00 imap-login
dovecot  23435  0.0  0.1   4804  1792 ?        S    Mar30   0:00 imap-login
dovecot  23985  0.0  0.1   4808  1792 ?        S    Mar30   0:00 imap-login
dovecot  24238  0.0  0.1   4808  1792 ?        S    Mar30   0:00 imap-login
root     25664  0.0  0.1   7044  1052 ?        Ss   Mar26   0:00 /usr/sbin/sshd
root     25917  0.1  7.7 104292 79796 pts/4    Sl+  07:48   0:08 ./hlds_i686 -game cstrike -autoupdate +maxpl
dovecot  26169  0.0  0.1   4804  1788 ?        S    07:59   0:00 imap-login
dovecot  26224  0.0  0.1   4804  1788 ?        S    Mar30   0:00 imap-login
dovecot  26494  0.0  0.1   4804  1788 ?        S    Mar28   0:00 pop3-login
dovecot  26574  0.0  0.1   4804  1784 ?        S    Mar30   0:00 imap-login
dovecot  26608  0.0  0.1   4804  1784 ?        S    Mar28   0:00 pop3-login
dovecot  27959  0.0  0.1   4804  1788 ?        S    Mar30   0:00 imap-login
dovecot  27961  0.0  0.1   4804  1792 ?        S    Mar30   0:00 imap-login
dovecot  27991  0.0  0.1   4808  1792 ?        S    Mar30   0:00 imap-login
dovecot  27993  0.0  0.1   4808  1796 ?        S    Mar30   0:00 imap-login
root     28051  0.0  1.1  23944 11572 ?        Ss   08:58   0:00 /usr/sbin/httpd -k start -DSSL
apache   28053  0.0  1.0  23944 10420 ?        S    08:58   0:00 /usr/sbin/httpd -k start -DSSL
apache   28055  4.4  1.2  26300 12940 ?        S    08:58   0:33 /usr/sbin/httpd -k start -DSSL
apache   28056  4.4  1.1  24456 11556 ?        S    08:58   0:33 /usr/sbin/httpd -k start -DSSL
apache   28059  4.5  1.1  24712 11776 ?        S    08:58   0:34 /usr/sbin/httpd -k start -DSSL
root     28110  0.0  0.0   3136   540 ?        Ss   08:59   0:00 /usr/local/directadmin/da-popb4smtp
nobody   28144  0.0  0.1   8800  1324 ?        Ss   08:59   0:00 /usr/local/directadmin/directadmin d
apache   28186  0.0  1.1  24340 11396 ?        S    09:00   0:00 /usr/sbin/httpd -k start -DSSL
apache   28189  0.9  1.4  28416 14932 ?        S    09:00   0:05 /usr/sbin/httpd -k start -DSSL
apache   28190  0.0  1.2  25932 13308 ?        S    09:00   0:00 /usr/sbin/httpd -k start -DSSL
root     28263  0.0  0.2  10056  2824 ?        Ss   09:02   0:00 sshd: root@pts/1
root     28265  0.0  0.1   4664  1464 pts/1    Ss   09:02   0:00 -bash
nobody   28364  0.0  0.0   8800   584 ?        S    09:04   0:00 /usr/local/directadmin/directadmin d
nobody   28365  0.0  0.0   8800   584 ?        S    09:04   0:00 /usr/local/directadmin/directadmin d
nobody   28367  0.0  0.0   8800   584 ?        S    09:04   0:00 /usr/local/directadmin/directadmin d
nobody   28373  0.0  0.0   8800   584 ?        S    09:04   0:00 /usr/local/directadmin/directadmin d
nobody   28374  0.0  0.0   8800   584 ?        S    09:04   0:00 /usr/local/directadmin/directadmin d
root     28434  0.1 10.2 131140 106232 pts/2   Sl+  Mar24  13:46 ./hlds_i686 -game cstrike -autoupdate +maxpl
dovecot  28525  0.0  0.1   4804  1784 ?        S    09:08   0:00 pop3-login
apache   28531  0.0  1.0  23944 10356 ?        S    09:08   0:00 /usr/sbin/httpd -k start -DSSL
apache   28532  0.0  1.0  23944 10356 ?        S    09:08   0:00 /usr/sbin/httpd -k start -DSSL
dovecot  28538  0.0  0.1   4804  1788 ?        S    09:08   0:00 pop3-login
apache   28542  0.0  1.0  23944 10368 ?        S    09:08   0:00 /usr/sbin/httpd -k start -DSSL
apache   28543  0.0  1.0  23944 10396 ?        S    09:08   0:00 /usr/sbin/httpd -k start -DSSL
root     28582  0.0  0.0   4244   948 pts/1    R+   09:10   0:00 ps -aux
root     29810  0.0  0.0   5048   868 ?        Ss   Mar18   0:01 SCREEN -S armandcs ./hlds_run -game cstrike
root     29811  0.0  0.0   4488   972 pts/2    Ss+  Mar18   0:00 /bin/sh ./hlds_run -game cstrike -autoupdate
root     31780  0.0  0.1   4916  1104 ?        Ss   Mar30   0:00 SCREEN -s robCS ./hlds_run -game cstrike -au
root     31781  0.0  0.1   4484  1168 pts/4    Ss+  Mar30   0:00 /bin/sh ./hlds_run -game cstrike -autoupdate

Code:

[root@srv1 ~]# ls -la /tmp/
total 1344
drwxrwxrwt  3 root   root    12288 Mar 31 09:08 .
drwxr-xr-x 25 root   root     4096 Mar  5 23:10 ..
drwx------  2 root   root    16384 Mar 10 11:49 lost+found
-rw-------  1 apache apache     75 Mar 30 17:42 sess_0272d71f4d8986863364c62ebff4b283
-rw-------  1 apache apache    155 Mar 30 20:55 sess_02b3d05f001d0ed75026391a64306e70
-rw-------  1 apache apache     33 Mar 31 08:29 sess_0a172ed9a2b85d65b18a528d973f0074
-rw-------  1 apache apache     46 Mar 30 15:07 sess_12270b1e841426e2256ee65ee0ce71e7
-rw-------  1 apache apache     46 Mar 30 15:09 sess_19e87c05c107e79308a9fb0b35d581ab
-rw-------  1 apache apache     84 Mar 30 14:53 sess_28db2ab86b82d37da3d0cb26c9f64d99
-rw-------  1 apache apache     84 Mar 30 14:55 sess_2a4fe3af7b582d89a4908aff600cc42d
-rw-------  1 apache apache    156 Mar 30 21:26 sess_309bba86cd6f64102383dc7a3ae94825
-rw-------  1 apache apache 295751 Mar 31 09:08 sess_30a70350449fb5bf064eae4f0a677afd
-rw-------  1 apache apache     78 Mar 31 01:31 sess_30b33e245f74f70afa4fd49b35952861
-rw-------  1 apache apache     84 Mar 30 16:15 sess_33aca9ff1bdfceb3dda2efc7f6a56b80
-rw-------  1 apache apache    171 Mar 30 20:52 sess_3454da7f6588ce48de2c8fa31440fe89
-rw-------  1 apache apache    156 Mar 31 00:53 sess_34fd6ebc580907c54c82c7a643bc19d6
-rw-------  1 apache apache     46 Mar 30 15:07 sess_3def1eb09109b0f618584e4a609efc88
-rw-------  1 apache apache     84 Mar 30 14:45 sess_3e9ca1a6f64ecb9430c93856e27bd1d5
-rw-------  1 apache apache     84 Mar 30 14:59 sess_426ee24bb063a5726a7fdc7f8c91cf55
-rw-------  1 apache apache     84 Mar 30 15:07 sess_43b50ea741015602566cee1c4f7dccf3
-rw-------  1 apache apache     77 Mar 31 00:54 sess_49696674e564ecf435910d8a60d96b13
-rw-------  1 apache apache     37 Mar 30 20:53 sess_52a26a872a97e834bfe16796aa7a93d5
-rw-------  1 apache apache     84 Mar 30 14:30 sess_5e995c7a9dcffa5ba1b1641febd8b26c
-rw-------  1 apache apache     46 Mar 30 15:09 sess_7945c334f10dc91ffff1ce8ba86365ea
-rw-------  1 apache apache     84 Mar 30 15:00 sess_7f2e1fb8886bc8530ce2ac07fe6d16a9
-rw-------  1 apache apache     39 Mar 30 22:20 sess_7f869de33a6a50a3fd564d6ff4d36821
-rw-------  1 apache apache     46 Mar 30 15:10 sess_87d138b4eadcc7dacf5aef44d3038892
-rw-------  1 apache apache 291756 Mar 30 23:07 sess_885b24a048e6522df9759c1365665b9d
-rw-------  1 apache apache 291756 Mar 30 20:00 sess_9056cfec6d2d8f0cb9869de124694e6f
-rw-------  1 apache apache     84 Mar 30 14:56 sess_942095a866a9af7e3a6975e73b0b380b
-rw-------  1 apache apache     84 Mar 30 14:49 sess_9ac97e9cb08f261cba8d58509eab2bca
-rw-------  1 apache apache     46 Mar 30 15:08 sess_a31d7d3613d91b651476f76c7a97fc24
-rw-------  1 apache apache     84 Mar 30 14:52 sess_a7a1ec03ed1be69a7cd2b3dc24475451
-rw-------  1 apache apache     84 Mar 30 14:50 sess_ba280596f946d2b4d3c99e8ecd61fdea
-rw-------  1 apache apache    165 Mar 30 16:15 sess_c17923b1ccee50b8591670499f71344c
-rw-------  1 apache apache     84 Mar 30 14:46 sess_c55ef29782c67042ae7e94c7193ce496
-rw-------  1 apache apache     84 Mar 30 14:57 sess_c631864c2f50a253b8da46e11b9302a8
-rw-------  1 apache apache     84 Mar 30 14:48 sess_c6cf5b39cf9deff5336330e8911f406c
-rw-------  1 apache apache    171 Mar 30 21:28 sess_d74bac2551ef5a036ca9dc1d1f9cc50c
-rw-------  1 apache apache 291756 Mar 30 21:17 sess_ee09864b019aa54ce68dbc58024825c3
-rw-------  1 apache apache    165 Mar 31 08:46 sess_eea70e0104018921d6d548e352442cc5

Code:

[root@srv1 ~]# ls -la /var/tmp/
total 1344
drwxrwxrwt  3 root   root    12288 Mar 31 09:08 .
drwxr-xr-x 25 root   root     4096 Mar  5 23:10 ..
drwx------  2 root   root    16384 Mar 10 11:49 lost+found
-rw-------  1 apache apache     75 Mar 30 17:42 sess_0272d71f4d8986863364c62ebff4b283
-rw-------  1 apache apache    155 Mar 30 20:55 sess_02b3d05f001d0ed75026391a64306e70
-rw-------  1 apache apache     33 Mar 31 08:29 sess_0a172ed9a2b85d65b18a528d973f0074
-rw-------  1 apache apache     46 Mar 30 15:07 sess_12270b1e841426e2256ee65ee0ce71e7
-rw-------  1 apache apache     46 Mar 30 15:09 sess_19e87c05c107e79308a9fb0b35d581ab
-rw-------  1 apache apache     84 Mar 30 14:53 sess_28db2ab86b82d37da3d0cb26c9f64d99
-rw-------  1 apache apache     84 Mar 30 14:55 sess_2a4fe3af7b582d89a4908aff600cc42d
-rw-------  1 apache apache    156 Mar 30 21:26 sess_309bba86cd6f64102383dc7a3ae94825
-rw-------  1 apache apache 295751 Mar 31 09:08 sess_30a70350449fb5bf064eae4f0a677afd
-rw-------  1 apache apache     78 Mar 31 01:31 sess_30b33e245f74f70afa4fd49b35952861
-rw-------  1 apache apache     84 Mar 30 16:15 sess_33aca9ff1bdfceb3dda2efc7f6a56b80
-rw-------  1 apache apache    171 Mar 30 20:52 sess_3454da7f6588ce48de2c8fa31440fe89
-rw-------  1 apache apache    156 Mar 31 00:53 sess_34fd6ebc580907c54c82c7a643bc19d6
-rw-------  1 apache apache     46 Mar 30 15:07 sess_3def1eb09109b0f618584e4a609efc88
-rw-------  1 apache apache     84 Mar 30 14:45 sess_3e9ca1a6f64ecb9430c93856e27bd1d5
-rw-------  1 apache apache     84 Mar 30 14:59 sess_426ee24bb063a5726a7fdc7f8c91cf55
-rw-------  1 apache apache     84 Mar 30 15:07 sess_43b50ea741015602566cee1c4f7dccf3
-rw-------  1 apache apache     77 Mar 31 00:54 sess_49696674e564ecf435910d8a60d96b13
-rw-------  1 apache apache     37 Mar 30 20:53 sess_52a26a872a97e834bfe16796aa7a93d5
-rw-------  1 apache apache     84 Mar 30 14:30 sess_5e995c7a9dcffa5ba1b1641febd8b26c
-rw-------  1 apache apache     46 Mar 30 15:09 sess_7945c334f10dc91ffff1ce8ba86365ea
-rw-------  1 apache apache     84 Mar 30 15:00 sess_7f2e1fb8886bc8530ce2ac07fe6d16a9
-rw-------  1 apache apache     39 Mar 30 22:20 sess_7f869de33a6a50a3fd564d6ff4d36821
-rw-------  1 apache apache     46 Mar 30 15:10 sess_87d138b4eadcc7dacf5aef44d3038892
-rw-------  1 apache apache 291756 Mar 30 23:07 sess_885b24a048e6522df9759c1365665b9d
-rw-------  1 apache apache 291756 Mar 30 20:00 sess_9056cfec6d2d8f0cb9869de124694e6f
-rw-------  1 apache apache     84 Mar 30 14:56 sess_942095a866a9af7e3a6975e73b0b380b
-rw-------  1 apache apache     84 Mar 30 14:49 sess_9ac97e9cb08f261cba8d58509eab2bca
-rw-------  1 apache apache     46 Mar 30 15:08 sess_a31d7d3613d91b651476f76c7a97fc24
-rw-------  1 apache apache     84 Mar 30 14:52 sess_a7a1ec03ed1be69a7cd2b3dc24475451
-rw-------  1 apache apache     84 Mar 30 14:50 sess_ba280596f946d2b4d3c99e8ecd61fdea
-rw-------  1 apache apache    165 Mar 30 16:15 sess_c17923b1ccee50b8591670499f71344c
-rw-------  1 apache apache     84 Mar 30 14:46 sess_c55ef29782c67042ae7e94c7193ce496
-rw-------  1 apache apache     84 Mar 30 14:57 sess_c631864c2f50a253b8da46e11b9302a8
-rw-------  1 apache apache     84 Mar 30 14:48 sess_c6cf5b39cf9deff5336330e8911f406c
-rw-------  1 apache apache    171 Mar 30 21:28 sess_d74bac2551ef5a036ca9dc1d1f9cc50c
-rw-------  1 apache apache 291756 Mar 30 21:17 sess_ee09864b019aa54ce68dbc58024825c3
-rw-------  1 apache apache    165 Mar 31 08:46 sess_eea70e0104018921d6d548e352442cc5

**mikeh** · 31/03/09 09:39

Zo te zien ben je niet gehackt zoals ik eerder vermoedde. (het kan zeker geen kwaad om chkrootkit alsnog te draaien tho.)
Kan het zijn dat je ergens een loop in een php script hebt zitten ? (standaard cms of custom ?)
Had je tijdens de hoge load een "war" (euh, moest me ff inlezen over de clan termen) waarbij veel spelers betrokken waren?
Aangezien teamspeak + hlds/counterstrike ook wat mem & data vreten.
Heb je ook nog iets zoals ettv of andere steams draaien op je http ?
Heb je mrtg stats bij de hand ?

**blackdragon** · 31/03/09 09:51

jkhunter draait elke nacht en krijg ik logje van, heb niks raars gezien.

Er draaien idd 2 gameservers/ een stream/ en een ts server.
Alleen als de load omhoog knalt dan zie ik bij top, alleen nog bijna HTTPD proccessen, dus het is puur de http webserver.

als de load stijgt, stijgt dataverkeer ook.

**mikeh** · 31/03/09 09:59

Is dat alleen als je aan het steamen bent?
Mocht dit zo zijn dan zou je apache kunnen tunen

**blackdragon** · 31/03/09 10:03

stream staat altijd aan, en dit probleem heb ik sinds vandaag, stream is ook niet drukker dan normaal en is max 50 slots..
dus lijkt mij toch niet het probleem?

ik zal is even kijken naar de link die je gestuurd hebt dankje!

**mikeh** · 31/03/09 10:06

Daarmee is je probleem nog niet opgelost, wordt een bepaalde pagina veel bezocht/request/ververst waar veel plaatjes, video's of scripts achter draaien ? (zie access log van apache in /var/log )

**DiedX** · 31/03/09 10:13

ZenOSS heb jij ook geinstalleerd?

**blackdragon** · 31/03/09 10:18

stukje uit mn acces log:

Code:

127.0.0.1 - - [31/Mar/2009:08:19:31 +0200] "GET / HTTP/1.0" 200 318
84.19.184.189 - - [31/Mar/2009:08:21:03 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 458
127.0.0.1 - - [31/Mar/2009:08:24:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:08:29:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:08:34:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:08:39:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:08:44:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:08:49:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:08:54:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:08:59:31 +0200] "GET / HTTP/1.0" 200 318
84.19.184.189 - - [31/Mar/2009:09:00:02 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 458
127.0.0.1 - - [31/Mar/2009:09:04:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:09:09:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:09:14:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:09:19:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:09:24:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:09:29:31 +0200] "GET / HTTP/1.0" 200 318
127.0.0.1 - - [31/Mar/2009:09:34:31 +0200] "GET / HTTP/1.0" 200 318

daar bestaat zowat mn hele acceslog uit.

Ik heb idd zennOS geinstalleerd, alleen nog niet werkende gekregen, maar dit had ik 2 weken terug al geinstalleerd.

**Japje** · 31/03/09 10:47

Oorspronkelijk geplaatst door mikeh

Zo te zien ben je niet gehackt zoals ik eerder vermoedde

Als hij allemaal zooi onder root blijft draaien....

root 6470 0.0 0.3 36712 3704 ? Sl Mar17 0:08 ./sc_serv
root 9476 0.0 0.2 174144 2132 ? SNl Mar01 23:48 ./server_linux
root 25917 0.1 7.7 104292 79796 pts/4 Sl+ 07:48 0:08 ./hlds_i686 -game cstrike -autoupdate +maxpl
root 28434 0.1 10.2 131140 106232 pts/2 Sl+ Mar24 13:46 ./hlds_i686 -game cstrike -autoupdate +maxpl
root 29811 0.0 0.0 4488 972 pts/2 Ss+ Mar18 0:00 /bin/sh ./hlds_run -game cstrike -autoupdate
root 31781 0.0 0.1 4484 1168 pts/4 Ss+ Mar30 0:00 /bin/sh ./hlds_run -game cstrike -autoupdate

draai eens een tijdje top, of htop en kijk welke processes die load veroorzaken.

**blackdragon** · 31/03/09 11:12

"httpd" veroorzaakt de load

als de load stijgt, heb ik tig httpd processen

**Sorcer** · 31/03/09 11:13

Wellicht handig om HTOP te installeren en doormiddel van htop de processen na te lopen door welke gebruiker dit wellicht veroorzaakt wordt.

**Japje** · 31/03/09 11:15

mod_ruid of suPHP installeren om zo te zien welke user de scripts draait die de load veroorzaken?

**davhog** · 31/03/09 13:54

Oorspronkelijk geplaatst door Sorcer

Wellicht handig om HTOP te installeren en doormiddel van htop de processen na te lopen door welke gebruiker dit wellicht veroorzaakt wordt.

Met name de 's' toets (strace) van htop kan hierbij interessant zijn als je proces onder apache draait. Je kunt dan zien welke bestanden geopend worden en hierdoor het domein achterhalen.

Onderwerp Gereedschap

Toon

Onderwerp: hoge load, veel verkeer, httpd process

hoge load, veel verkeer, httpd process

Webhostingtalk.nl

Link met ons

Partners

Contact