Koozali.org: home of the SME Server

clamscan consumes >80% of cpu

mophilly
clamscan consumes >80% of cpu
« on: April 12, 2016, 06:16:18 PM »
Recently, I began to hear of email to our domain being bounced. After a lengthy bit of research it appears our SME server handling email and a dozen or so web sites was overloaded to the point where smtp connections would time out. Yesterday it appeared to be the httpd processes, which were hitting 98% of cpu time in the top output. Today, in the first hours of our work day, it is the clamscan process.

The system is an older box, 2.2 GHz, 4GB RAM, 80GB SSD x 2.

I ran clamdtop, which reported no activity at all. I would like to take a look at the clamav config to see if anything needs a bit of housekeeping.

Where/when is clamscan invoked and/or configured in SME 8.2?
- Mark

Gary Douglas
Re: clamscan consumes >80% of cpu
« Reply #1 on: April 12, 2016, 06:58:50 PM »
Check your /var/log/httpd/access_log at about the time.

Recently I have had a few instances of DDoS-type web requests, e.g. "POST /xmlrpc.php HTTP/1.0" 500 251, bringing my servers over 100% CPU and becoming unresponsive.

If you can get onto the shell, stop httpd-e-smith, then start investigating.
Add the offenders' IP/subnet to the firewall using: https://wiki.contribs.org/Firewall#Block_incoming_IP_address
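The log check Gary describes, as an added example (not code from the thread, from Gary Douglas, or from SME Server): it counts POSTs to /xmlrpc.php per client address in an Apache access_log and lists the addresses over a threshold, optionally limited to the time window when the load spike happened. The log lines below are constructed, the function names are this example's own, and it assumes Apache's "combined" log format (client IP first, timestamp in square brackets), which is what /var/log/httpd/access_log normally contains.

```shell
#!/bin/sh
# Added example (not from the thread, Gary Douglas, or SME Server): find which
# clients are hammering /xmlrpc.php in an Apache access_log, as a first step
# before deciding what to block. Assumes Apache "combined" log format
# (client IP is the first field, timestamp in [..]). Function names are
# this example's own.

# Constructed sample of /var/log/httpd/access_log (not a real capture).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.9 - - [12/Apr/2016:08:01:01 -0700] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2016:08:01:01 -0700] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2016:08:01:02 -0700] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2016:08:01:02 -0700] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2016:08:01:05 -0700] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.4"
192.0.2.77 - - [12/Apr/2016:08:01:07 -0700] "GET /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
EOF

# xmlrpc_offenders LOGFILE THRESHOLD [TIMESTAMP_PREFIX]
# Prints "count ip", highest first, for every client that POSTed to
# /xmlrpc.php at least THRESHOLD times; an optional timestamp prefix such as
# "12/Apr/2016:08" narrows the count to that hour (or minute, or second).
xmlrpc_offenders() {
    log=$1
    threshold=${2:-50}
    when=${3:-}
    # grep exits 1 when nothing matches; for us that is just an empty result
    { grep -F '"POST /xmlrpc.php' "$log" || true; } \
        | { if [ -n "$when" ]; then grep -F "[$when" || true; else cat; fi; } \
        | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# top_paths LOGFILE [N]
# Most requested paths, to confirm the load really is xmlrpc.php and not
# wp-login.php or some other script.
top_paths() {
    awk '{ print $7 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-5}" \
        | awk '{ print $1, $2 }'
}

echo "== clients with 3+ POSTs to /xmlrpc.php =="
xmlrpc_offenders "$SAMPLE_LOG" 3
echo "== busiest paths =="
top_paths "$SAMPLE_LOG"
```

On a live box the call would be something like `xmlrpc_offenders /var/log/httpd/access_log 100 "12/Apr/2016:08"`; a single address with hundreds of POSTs in one hour is the pattern Gary describes, while a handful of POSTs from many addresses is more likely legitimate Jetpack or pingback traffic and should not be firewalled on the strength of this count alone.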

mophilly
Re: clamscan consumes >80% of cpu
« Reply #2 on: April 12, 2016, 08:05:14 PM »
Thank you, Gary Douglas. I slapped my forehead when I saw your suggestion. I should have thought of that before posting!

Checking the log did reveal an attack from a single machine in Brazil. The attack was on a site using WordPress, and it ceased, so the system is back to normal.

The firewall contrib is useful and I will employ it if/when needed in the future. I am using fail2ban but I don't have it configured quite right to capture attacks on WordPress sites. I need to study this a bit more.
- Mark
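Mark mentions that his fail2ban is not yet catching attacks on WordPress sites. As an added example (not code from the thread, from SME Server, or from the fail2ban project), here is a filter that treats every POST to xmlrpc.php or wp-login.php as one "failure", the jail stanza that turns a burst of them into a ban, and a local check that the pattern actually matches the Apache "combined" format of /var/log/httpd/access_log before the jail is switched on. The sample log lines are constructed; the filter name, thresholds and function names are this example's choices; the jail is left on fail2ban's default action, so on an SME Server it needs the action your fail2ban installation uses to block an address. On fail2ban 0.8 the stanza goes into jail.local; 0.9 and later also accept a file in jail.d/.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server / fail2ban.
# A fail2ban filter that counts POSTs to WordPress's xmlrpc.php and
# wp-login.php as failures, the matching jail stanza, and a local check
# that the pattern fits the Apache "combined" log format. Assumes fail2ban
# is installed and reads /var/log/httpd/access_log; the jail action is
# fail2ban's default, so adjust it to your installation.

# Request patterns shared by the fail2ban filter (prefixed with <HOST>)
# and by the local grep check (prefixed with an IPv4 pattern).
WP_XMLRPC_RE=' -.*"POST /xmlrpc\.php[^"]*"'
WP_LOGIN_RE=' -.*"POST /wp-login\.php[^"]*"'
IPV4_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

# write_wp_filter DIR : write filter.d/wordpress-flood.conf under DIR
# (use /etc/fail2ban on a live system) and print the path written.
write_wp_filter() {
    dir=${1:-/etc/fail2ban}
    mkdir -p "$dir/filter.d"
    cat > "$dir/filter.d/wordpress-flood.conf" <<EOF
[Definition]
# every POST to xmlrpc.php or wp-login.php is one "failure"; the jail's
# maxretry/findtime decide when that becomes a ban
failregex = ^<HOST>$WP_XMLRPC_RE
            ^<HOST>$WP_LOGIN_RE
ignoreregex =
EOF
    echo "$dir/filter.d/wordpress-flood.conf"
}

# wp_jail_stanza : print the jail definition to append to jail.local
# (or to drop into jail.d/ on fail2ban 0.9+).
wp_jail_stanza() {
    cat <<'EOF'
[wordpress-flood]
enabled  = true
filter   = wordpress-flood
logpath  = /var/log/httpd/access_log
port     = http,https
# 20 matching POSTs from one address within 60 s => 1 hour ban
maxretry = 20
findtime = 60
bantime  = 3600
EOF
}

# filter_matches LOGFILE : print "ip path" for each line the filter would
# count, using grep -E as a stand-in for fail2ban's Python regex engine.
# fail2ban-regex LOGFILE FILTERFILE is the authoritative check.
filter_matches() {
    { grep -E -e "^$IPV4_RE$WP_XMLRPC_RE" -e "^$IPV4_RE$WP_LOGIN_RE" "$1" || true; } \
        | awk '{ print $1, $7 }'
}

# Constructed sample access_log lines (not a real capture): two xmlrpc POSTs,
# one login POST, and two GETs that must not count.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.9 - - [12/Apr/2016:08:01:01 -0700] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2016:08:01:02 -0700] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Apr/2016:08:01:03 -0700] "POST /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2016:08:01:04 -0700] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2016:08:01:05 -0700] "GET /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
EOF

demo_dir=$(mktemp -d)
echo "== filter written to $(write_wp_filter "$demo_dir") =="
cat "$demo_dir/filter.d/wordpress-flood.conf"
echo "== jail stanza =="
wp_jail_stanza
echo "== lines the filter would count =="
filter_matches "$SAMPLE_LOG"
rm -rf "$demo_dir"
```

Once the filter file is in /etc/fail2ban/filter.d, run `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/wordpress-flood.conf` against the real log: it reports how many lines each failregex matched, which is the check that the grep stand-in above only approximates. A maxretry of 20 in 60 seconds is deliberately above what a legitimate Jetpack or mobile-app client produces, so tune it against your own log rather than copying it blindly.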

brianr
Re: clamscan consumes >80% of cpu
« Reply #3 on: April 12, 2016, 08:20:21 PM »
I run 19 WordPress sites (although not on an SME Server).

Some of them I took over after being compromised due to not being kept up to date. Consequently quite a few are on the "hot" lists for the bad guys. They are hit all the time.

I use:

https://www.wordfence.com/

which seems to be fabulous at keeping the bad guys out and keeping the load down on the hosting server. Highly recommended.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

mophilly
Re: clamscan consumes >80% of cpu
« Reply #4 on: April 12, 2016, 09:56:48 PM »
Yes, brianr, Wordfence is very good. The company is aggressive with updates. We use their services. That said, this particular attack seemed to get around that, and I have to admit that the attack alone may not be the root problem.
- Mark

CharlieBrady
Re: clamscan consumes >80% of cpu
« Reply #5 on: April 12, 2016, 11:23:39 PM »
Where/when is clamscan invoked and/or configured in SME 8.2?

Your question seems to have been missed by the other responders.

clamscan is invoked via cron job. You can find the details of the cron job by doing:

grep -r clam /etc/cron*

mophilly
Re: clamscan consumes >80% of cpu
« Reply #6 on: April 13, 2016, 12:32:39 AM »
Thank you, Charlie. Just what I was looking for.
- Mark