Koozali.org: home of the SME Server

High memory and cpu usage. Probably hacking.

sander

High memory and cpu usage. Probably hacking.
« on: January 16, 2005, 06:21:35 PM »
Hello :)

Just noticed: last night at about 00:00 I had CPU utilization 98.14%, load at 3.730 and swap usage of 41GB. Yes, you read it right, GB. This lasted from 00:00 to about 01:00AM.

The whole time the messages log file has lines like the one shown below. Only the IP address changes.
Jan 16 00:17:06 server kernel: denylog:IN=eth1 OUT= MAC=00:02:b3:89:2d:77:00:07:ec:50:74:08:08:00 SRC=172.183.243.159 DST=**.**.**.** LEN=53 TOS=0x00 PREC=0x00 TTL=117 ID=57673 PROTO=UDP SPT=9030 DPT=11786 LEN=33
//my external ip replaced with *

Next,
Jan 16 01:36:49 server kernel: Out of Memory: Killed process 10661 (httpd).

Server started to run low on swap, and started killing processes (httpd, mysqld, dnscache, httpd-admin, clamscan).

To make matters worse,

Jan 16 02:56:18 server sshd[31040]: Illegal user test from 219.240.36.89
Jan 16 02:56:24 server sshd[31040]: Failed password for illegal user test from 219.240.36.89 port 49571 ssh2
Jan 16 02:56:27 server sshd[31042]: Illegal user guest from 219.240.36.89
Jan 16 02:56:27 server sshd[31042]: Failed password for illegal user guest from 219.240.36.89 port 49802 ssh2
Jan 16 02:56:30 server sshd[31044]: Failed password for admin from 219.240.36.89 port 49866 ssh2
Jan 16 02:56:33 server sshd[31046]: Failed password for admin from 219.240.36.89 port 49931 ssh2
Jan 16 02:56:36 server sshd[31048]: Illegal user user from 219.240.36.89
Jan 16 02:56:36 server sshd[31048]: Failed password for illegal user user from 219.240.36.89 port 49989 ssh2
Jan 16 02:56:39 server sshd[31050]: Failed password for root from 219.240.36.89 port 50052 ssh2
Jan 16 02:56:41 server sshd[31052]: Failed password for root from 219.240.36.89 port 50101 ssh2
Jan 16 02:56:44 server sshd[31054]: Failed password for root from 219.240.36.89 port 50160 ssh2
Jan 16 02:56:47 server sshd[31056]: Illegal user test from 219.240.36.89
Jan 16 02:56:47 server sshd[31056]: Failed password for illegal user test from 219.240.36.89 port 50214 ssh2

With this it basically calmed down. Denylog messages kept coming, but at a very slow rate (5 lines in an hour).

Before that they came at an alarming rate. The Internet connection had been locked up from 5pm until the end at 3am.

Anyone can help?
I don't mind posting more extracts of log files etc.
Hoping for a fast reply.
Sander

PS! It just started again (while I was writing this message). He is sending random user names.
Jan 16 19:07:14 server sshd[14079]: Illegal user jordan from 80.219.133.179
Jan 16 19:07:16 server sshd[14079]: Failed password for illegal user jordan from 80.219.133.179 port 13609 ssh2
Jan 16 19:07:16 server sshd[14081]: Illegal user michael from 80.219.133.179
Jan 16 19:07:16 server sshd[14081]: Failed password for illegal user michael from 80.219.133.179 port 13655 ssh2
Jan 16 19:07:22 server sshd[14083]: Illegal user nicole from 80.219.133.179
Jan 16 19:07:22 server sshd[14083]: Failed password for illegal user nicole from 80.219.133.179 port 13789 ssh2
Jan 16 19:07:23 server sshd[14085]: Illegal user daniel from 80.219.133.179
Jan 16 19:07:23 server sshd[14085]: Failed password for illegal user daniel from 80.219.133.179 port 13802 ssh2
Jan 16 19:07:25 server sshd[14087]: Illegal user andrew from 80.219.133.179
Jan 16 19:07:25 server sshd[14087]: Failed password for illegal user andrew from 80.219.133.179 port 13827 ssh2
Jan 16 19:07:26 server sshd[14089]: Illegal user magic from 80.219.133.179
Jan 16 19:07:26 server sshd[14089]: Failed password for illegal user magic from 80.219.133.179 port 13856 ssh2
Jan 16 19:07:27 server sshd[14091]: Illegal user lion from 80.219.133.179
Jan 16 19:07:27 server sshd[14091]: Failed password for illegal user lion from 80.219.133.179 port 13885 ssh2
Jan 16 19:07:34 server sshd[14093]: Illegal user david from 80.219.133.179
Jan 16 19:07:34 server sshd[14093]: Failed password for illegal user david from 80.219.133.179 port 14011 ssh2
Jan 16 19:07:35 server sshd[14095]: Illegal user jason from 80.219.133.179
Jan 16 19:07:35 server sshd[14095]: Failed password for illegal user jason from 80.219.133.179 port 14042 ssh2
Jan 16 19:07:36 server sshd[14097]: Illegal user carmen from 80.219.133.179

Offline Normando

High memory and cpu usage. Probably hacking.
« Reply #1 on: January 17, 2005, 01:07:50 AM »
Try the "top" command and see which process increases your CPU usage. Then kill the pid of this process.
If you think you found the process that increases CPU usage, then look in /etc/rc.d/* for the script that runs this process. Also look in the cron dir and crontab.
I hope this helps you.

Offline raem

Re: High memory and cpu usage. Probably hacking.
« Reply #2 on: January 17, 2005, 01:12:34 AM »
sander

> Out of Memory: Killed process 10661 (httpd).

So you should add more RAM or disable some services you are running. If your swap usage is high then that is telling you to add more RAM.
Spam filtering is memory and processor intensive, and so is virus scanning. The amount of RAM you need depends on your usage and traffic levels. How much do you have?
Remember Linux will use all your RAM; that's what it's designed to do. There have been lots of posts about this, so SEARCH!


> Jan 16 02:56:18 server sshd[31040]: Illegal user test from 219.240.36.89
> Jan 16 02:56:24 server sshd[31040]: Failed password for illegal user test from 219.240.36.89 port 49571 ssh2

This has also been mentioned quite a few times before, so SEARCH!
These are simply attempts to log in via ssh, as you have that service enabled for external access.
You have a few options here:
put up with it but make sure your passwords are strong,
disable ssh,
set ssh to allow access for local networks only and connect via VPN, then ssh,
turn off ssh password authentication and configure your server to use public/private keys; there is a good HOWTO here, SEARCH.
...
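The sshd lines quoted in this thread are what a password-guessing run looks like in the log. As an added example (not from this thread or from SME Server), here is a small Python detector that parses "Failed password" lines and flags any source IP that produces a burst of failures; the sample log is constructed from the entries posted above plus one invented source, 192.0.2.10, to show a normal key-based login being ignored.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first lines are taken from the thread above,
# the 192.0.2.10 lines are invented to show a non-attack login.
SAMPLE_LOG = """\
Jan 16 02:56:18 server sshd[31040]: Illegal user test from 219.240.36.89
Jan 16 02:56:24 server sshd[31040]: Failed password for illegal user test from 219.240.36.89 port 49571 ssh2
Jan 16 02:56:27 server sshd[31042]: Illegal user guest from 219.240.36.89
Jan 16 02:56:27 server sshd[31042]: Failed password for illegal user guest from 219.240.36.89 port 49802 ssh2
Jan 16 02:56:30 server sshd[31044]: Failed password for admin from 219.240.36.89 port 49866 ssh2
Jan 16 02:56:39 server sshd[31050]: Failed password for root from 219.240.36.89 port 50052 ssh2
Jan 16 19:07:14 server sshd[14079]: Illegal user jordan from 80.219.133.179
Jan 16 19:07:16 server sshd[14079]: Failed password for illegal user jordan from 80.219.133.179 port 13609 ssh2
Jan 16 19:07:23 server sshd[14085]: Failed password for illegal user daniel from 80.219.133.179 port 13802 ssh2
Jan 16 10:00:00 server sshd[20000]: Failed password for admin from 192.0.2.10 port 40000 ssh2
Jan 16 10:00:01 server sshd[20001]: Accepted publickey for admin from 192.0.2.10 port 40001 ssh2
"""

# Matches both "Failed password for root ..." and "... for illegal user test ...".
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(text, year=2005):
    """Return a list of (datetime, user, ip) for every 'Failed password' line."""
    out = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:  # syslog has no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def brute_force_sources(failures, threshold=3, window_s=60):
    """Map ip -> (total failures, sorted user names) for every source IP
    that produced at least `threshold` failures inside `window_s` seconds."""
    by_ip = defaultdict(list)
    for ts, user, ip in failures:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):  # sliding window over sorted timestamps
            j = i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged

if __name__ == "__main__":
    for ip, (count, users) in brute_force_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failures, users tried: {', '.join(users)}")
```

Feeding it /var/log/messages gives a per-source summary that can back a firewall deny rule or, better, confirm that password logins are off once key authentication is in place.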

Offline raem

Re: High memory and cpu usage. Probably hacking.
« Reply #3 on: January 17, 2005, 01:20:10 AM »
sander

A search on
denylog:IN=eth1 OUT= MAC

found

http://forums.contribs.org/index.php?topic=24985.0
...