LOAD WARNING Question

[bigdigillc]

Hey guys,

I consistently get load warnings from my slave server in the middle of the night from about 12am to 4am every 5 minutes. Being in the middle of the night makes me think that it could be penetration attempts (or successes).  I only use this server as a MySQL server. Does anyone have any advice or a way I can see what is triggering the load warnings?

[MRatWork]

Possible wrong detect for mysql service. Original Kloxo/Kloxo-MR 6.5.0 detecting port 553 for mysql service but possible wrong because mysql running via socket.

Solution, update to 7.0.0 or remove 'mysql' for 'service list' in panel.

[bigdigillc]

I'm not sure I understand. Don't I need MySQL? It's the only service I'm using on that server. I use the Master for web and mail.

[bigdigillc]

Also, for what it is worth during the times I can hardly get into the admin or even ssh. Everything just times out.

[MRatWork]

I am wrong about "'service list' in panel." but go to watchdog and click mysql.

[bigdigillc]

ok, but something is keeping from being able to access the server when it is receiving the load warnings. I can't access the admin or SSH until they are over.

[bigdigillc]

I wanted to cirecle back to this as I have been looking through my servers quite a bit. I have noticed that every site on a server has been compromised and has 3 directories added with links to malicious sites. I have also noticed that many of the sites are now blocked by google. It appears that they have successfully uploaded a shell. Is there anyway to determine how they were able to get in?

[MRatWork]

Try using maildet to find out 'bad' php code.

[chrisf]

Install my sendmail wrapper, limit the amount of outgoing php mail to 50 or so an hour.  You can normally catch a problem within an hour as it sends an over report if you want.  It also lets you know the working directory of the script sending mail.

[bigdigillc]

Chris, Could you explain a little more please. Every site on one server is being hacked and the other one is now constantly sending load warnings. Furthermore, the IP addresses they are on are now blacklisted by several spam servers. How can I secure the servers?

[bigdigillc]

Also, I have 3 servers with Kloxo and at least two of them get this alert from Maldet.

malware detect scan report for bighost2.bigdigi.net:
SCAN ID: 122714-1912.20336
TIME: Dec 27 19:28:57 -0600
PATH: /home
TOTAL FILES: 226071
TOTAL HITS: 1
TOTAL CLEANED: 1

CLEANED & RESTORED FILES:
/home/kloxo/httpd/installapp/gbook/gbook15.zip

FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.15 : /home/kloxo/httpd/installapp/gbook/gbook15.zip => /usr/local/maldetect/quarantine/gbook15.zip.12680

[MRatWork]

Hi, don't use InstallApp because apps too old.

[bigdigillc]

I don't use it. Should I remove it completely? How do I remove it?

[MRatWork]

Rename or delete '/home/kloxo/httpd/installapp' dir.

[bigdigillc]

Go it, Thanks. Is there anyway to monitor which sites or clients are causing the load warnings?