gkainz
Final Approach
a site I hang out on that's also focused on converting fuel to noise (dieselram) apparently got hacked today, I think. Here's the support email the admin sent to me, since I was the last one to smart off about the site going down last time (actually it was a database error last time and I was able to help). Anyway, what do you think about this and where would you start?
Code:
A technician responded to your ticket with:
Hi,
Your account is utilizing excessive resources, causing a significant
degradation of services on the server. This is a shared environment and we
cannot allow one user to utilize a high percent of the resources on a server
as it affects all users adversely. Because of this, we were forced to disable
(setting permissions to 0000 and the owner to root:root) your folder
“/home/diese3/public_html/forums” since the contained scripts threatened
the stability of our production server, probably during a spike of load.
Details of the usage problem are shown below:
Stats for 20 Jan 2011:
---------------------------------
CPU Usage - %6.75
MEM Usage - %0.98
Number of MySQL procs (average) - 0.26
Top Process %CPU 11.00 [php]
Top Process %CPU 10.00 /usr/php4/bin/php /home/diese3/public_html/forums/archive/index.php
Top Process %CPU 9.00 /usr/php4/bin/php /home/diese3/public_html/forums/cron.php
Our safe usage standards are:
for CPU: less than 2%
for RAM memory: less than 2%
for MySQL: less than 0.4%
Also, please note about:
diese3 620 2.1 0.3 26124 13936 ? S 08:56 0:26 /usr/php4/bin/php /home/diese3/public_html/forums/admincp/email.php
diese3 8002 0.6 0.0 10536 924 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy76-00024f-QT
diese3 8025 0.7 0.0 10532 1140 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy77-00024l-0a
diese3 8197 0.6 0.0 10532 1140 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy79-00026v-Gk
diese3 8215 0.6 0.0 10532 1144 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7A-00028E-UF
diese3 8375 0.7 0.0 10532 928 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7D-0002An-L6
diese3 8392 0.7 0.0 10532 1084 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7D-0002Ay-T2
diese3 8397 0.7 0.0 10540 940 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7D-0002BA-VJ
diese3 8410 0.7 0.0 10532 1080 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7E-0002BS-3l
diese3 8417 0.7 0.0 10532 1144 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7E-0002Ba-7I
diese3 8453 0.6 0.0 10536 1144 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7E-0002CA-IY
diese3 8463 0.8 0.0 10532 928 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7E-0002C2-GJ
diese3 8492 0.7 0.0 10532 1144 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7E-0002CS-PS
diese3 8531 0.7 0.0 10536 1156 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7F-0002D5-4z
diese3 8543 0.7 0.0 10536 1084 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7F-0002Da-Dw
diese3 8555 0.8 0.0 10532 924 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7F-0002Dw-Nr
diese3 8557 0.7 0.0 10532 1148 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7F-0002Dp-KX
diese3 8578 0.8 0.0 10536 1084 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7F-0002E6-Uk
diese3 8586 0.5 0.0 10536 932 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7G-0002EH-16
diese3 8614 0.8 0.0 10536 924 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7G-0002Ee-KZ
diese3 8657 0.8 0.0 10532 1084 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7G-0002Er-RP
diese3 8664 0.7 0.0 10532 1092 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7G-0002F0-UD
diese3 8690 0.7 0.0 10536 1092 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7H-0002Fz-JR
diese3 8705 0.8 0.0 10536 1152 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7H-0002G2-Qg
diese3 8709 0.8 0.0 10532 1140 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7H-0002G0-Mf
diese3 8719 0.8 0.0 10536 1152 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7I-0002GQ-5k
[…]
diese3 16620 1.7 0.0 10536 1136 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH6-0004Jj-5E
diese3 16621 1.1 0.0 10532 928 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH6-0004Jx-L7
diese3 16632 1.2 0.0 10536 1076 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH6-0004Ju-E5
diese3 16634 4.7 0.3 25172 13160 ? S 09:26 0:00 /usr/php4/bin/php /home/diese3/public_html/forums/showthread.php
diese3 16642 0.5 0.0 10536 1148 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH6-0004K2-Nt
diese3 16656 4.1 0.0 10504 932 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH7-0004KO-Sy
diese3 16661 0.6 0.0 10532 1076 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH7-0004K6-43
diese3 16674 0.3 0.0 10536 1080 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004KR-0m
diese3 16678 0.8 0.0 10536 928 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004Kh-4t
diese3 16698 1.8 0.0 10532 1072 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004Kv-K0
diese3 16700 1.4 0.0 10532 1076 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004Km-C8
diese3 16703 0.6 0.0 10532 1136 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004Kq-FA
diese3 16705 3.8 0.0 10536 1136 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004Kt-Hi
diese3 16708 0.2 0.0 10532 1084 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004Ki-9p
diese3 16715 0.8 0.0 10532 1132 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004L8-Qz
diese3 16719 0.8 0.0 10536 920 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004L9-R1
diese3 16721 2.0 0.0 10532 916 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004LH-Ss
diese3 16723 0.8 0.0 10536 1144 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH8-0004LG-SY
diese3 16727 0.2 0.0 10540 932 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH9-0004LI-7i
diese3 16748 5.7 0.2 24044 12020 ? S 09:26 0:00 /usr/php4/bin/php /home/diese3/public_html/forums/index.php
diese3 16767 0.0 0.0 10536 928 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH9-0004Lz-UO
diese3 16771 0.3 0.0 10532 1076 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH9-0004Lu-Qu
diese3 16786 3.5 0.0 10532 920 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH9-0004Ly-W0
diese3 16795 2.0 0.0 10532 1080 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyHB-0004MS-FG
diese3 16796 1.5 0.0 10532 1136 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyHB-0004MW-JA
[…]
Your account was used for sending an impressive number of e-mail messages / hour. If this behavior is
achieved without your knowledge, your account is probably exploited. We were unable to determine the
exact script that was used to send the e-mails because the server was
alerting with +5000 processes and +800 load and we had to take the action of suspending your account immediately.
We also renamed your following script:
/home/diese3/public_html/forums/admincp/email.php and we set the permissions for it to 0000.
Please take the time to audit your account’s files and restore them if
possible from a recent, unaffected backup. Then you will need to upgrade / redesign the scripts
in order not to let such an event occur again.
Currently, your site is not suitable for a shared hosting environment.
Here are the most common causes for high usage:
- Your scripts are not upgraded: you may have not upgraded your scripts
yet, as older versions of the scripts can have bugs in them that would cause
high CPU and Memory usage.
- Your scripts are configured incorrectly: you might need to check your
scripts' configuration for any tweaks of settings available that might
influence the usage, as a single wrong setting might do a whole lot of harm.
- Your add-ons are misbehaving: some add-ons might cause high load
because they were badly written. You might consider disabling them or
finding alternatives for some add-ons. In the usage mitigation process you
may want to disable all your add-ons that do not affect the very basic
functionality of your website (scheduled back-ups, fancy statistics, additional
functions etc). After your account’s usage has stabilized we may begin
enabling them one by one and identify the problematic one.
- You might need caching: a caching plugin will help in most cases as it
will serve pre-generated html pages instead of using the resource intensive
PHP scripts to generate the same page over and over again for different
visitors of the site (for WP – WP super cache).
- Bots are flooding your site: your pages might have been found by spam
bots that try continuously to send messages via your contact form, or add
various comments to your items and such, depending on your site's
configuration. An implementation of a CAPTCHA system would be useful to
keep bots out of your pages, while checking for the highly accessed
webpages using the tools provided by CPanel.
- Robots are indexing your website, you may want to use a robots.txt file
in order to manage this process. More information about it at: http://www.robotstxt.org/ .
- You should also audit your crons, if any, and optimize / (re)set them accordingly to reduce the usage.
- Your account might be exploited: using a badly written extension /
plug-in or an old / not recently updated CMS (Content Management
System) (like Joomla, WP etc), the hackers or the script-kiddies can find their
way to your files (and system’s resources), endangering the entire shared
environment.
We value you as a customer and want to work with you toward a solution
that is mutually beneficial. Please let us know as quickly as possible how you
would like to proceed.
We appreciate your quick attention to this important matter. If you have
any questions about scripts you are running, please let us know so we may
provide suggestions on upgrading and/or securing them. You may reply to
this ticket, or, you may call us directly at ...
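One place to start with a ticket like the one above is the process listing the host sent: it already shows what a compromised account looks like (one PHP script under the forum's admin directory alongside dozens of exim delivery processes). The script below is an added example, not code from the forum, the site owner or the hosting company. It parses `ps aux`-style lines, groups exim delivery processes per user, decodes the receipt time embedded in each classic Exim message ID (the first six base-62 characters are the Unix time the message was accepted, the next six the receiving process's pid, as documented for pre-4.97 Exim) and flags any user whose deliveries cluster above a per-minute threshold, listing the PHP scripts that were running at the same time. The sample input is constructed from a subset of the ticket's lines plus one invented `otheruser` row; the threshold value and the function names are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: a subset of the ticket's `ps aux` rows
# (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND) plus one
# invented row for a second user, so the per-user grouping is visible.
SAMPLE_PS = """\
diese3 620 2.1 0.3 26124 13936 ? S 08:56 0:26 /usr/php4/bin/php /home/diese3/public_html/forums/admincp/email.php
diese3 8002 0.6 0.0 10536 924 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy76-00024f-QT
diese3 8025 0.7 0.0 10532 1140 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy77-00024l-0a
diese3 8197 0.6 0.0 10532 1140 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy79-00026v-Gk
diese3 8215 0.6 0.0 10532 1144 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7A-00028E-UF
diese3 8375 0.7 0.0 10532 928 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7D-0002An-L6
diese3 8392 0.7 0.0 10532 1084 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7D-0002Ay-T2
diese3 8397 0.7 0.0 10540 940 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7D-0002BA-VJ
diese3 8410 0.7 0.0 10532 1080 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7E-0002BS-3l
diese3 8417 0.7 0.0 10532 1144 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7E-0002Ba-7I
diese3 8453 0.6 0.0 10536 1144 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7E-0002CA-IY
diese3 8463 0.8 0.0 10532 928 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7E-0002C2-GJ
diese3 8492 0.7 0.0 10532 1144 ? D 09:16 0:00 /usr/sbin/exim -Mc 1Pfy7E-0002CS-PS
diese3 16634 4.7 0.3 25172 13160 ? S 09:26 0:00 /usr/php4/bin/php /home/diese3/public_html/forums/showthread.php
diese3 16642 0.5 0.0 10536 1148 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH6-0004K2-Nt
diese3 16656 4.1 0.0 10504 932 ? D 09:26 0:00 /usr/sbin/exim -Mc 1PfyH7-0004KO-Sy
otheruser 9999 0.1 0.0 10532 1000 ? S 09:18 0:00 /usr/sbin/exim -Mc 1Pfy9z-0003Ab-Cd
"""

# One `ps aux` row: ten fixed columns, then the command with its arguments.
PS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<cpu>[\d.]+)\s+(?P<mem>[\d.]+)\s+"
    r"(?P<vsz>\d+)\s+(?P<rss>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+"
    r"(?P<start>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.+)$"
)
# `exim -Mc <id>` is a delivery process for one queued message.
EXIM_MC_RE = re.compile(r"/usr/sbin/exim -Mc (?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})")
# A PHP CLI/CGI process running some script under the account.
PHP_RE = re.compile(r"/usr/php\d*/bin/php\s+(?P<script>\S+\.php)")

# Exim's base-62 alphabet: digits, then upper case, then lower case.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def base62_decode(s):
    n = 0
    for ch in s:
        n = n * 62 + BASE62.index(ch)
    return n


def exim_msgid_received_at(msgid):
    """Unix time at which Exim accepted the message (classic 16-char IDs)."""
    return base62_decode(msgid.split("-")[0])


def parse_ps(text):
    """Return one dict per recognisable `ps aux` row; other lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_RE.match(line.strip())
        if m:
            procs.append(m.groupdict())
    return procs


def triage(procs, window=60, burst_threshold=10):
    """Per user: count exim deliveries, bucket them by the receipt time encoded
    in the message ID, record the PHP scripts seen, and flag a burst when any
    one window holds at least burst_threshold deliveries (threshold assumed)."""
    by_user = defaultdict(list)
    for p in procs:
        by_user[p["user"]].append(p)
    report = {}
    for user, plist in by_user.items():
        per_window = Counter()
        php_scripts = Counter()
        for p in plist:
            em = EXIM_MC_RE.search(p["cmd"])
            if em:
                t = exim_msgid_received_at(em.group("msgid"))
                per_window[t - t % window] += 1
            pm = PHP_RE.search(p["cmd"])
            if pm:
                php_scripts[pm.group("script")] += 1
        peak = max(per_window.values(), default=0)
        report[user] = {
            "exim_deliveries": sum(per_window.values()),
            "peak_per_window": peak,
            "php_scripts": dict(php_scripts),
            "flag": peak >= burst_threshold,
        }
    return report


if __name__ == "__main__":
    for user, r in triage(parse_ps(SAMPLE_PS)).items():
        print(f"{user}: {r['exim_deliveries']} deliveries, peak {r['peak_per_window']}/min,"
              f" {'BURST' if r['flag'] else 'ok'}; php: {', '.join(r['php_scripts']) or '-'}")
    first = exim_msgid_received_at("1Pfy76-00024f-QT")
    print("first sampled message accepted at", datetime.fromtimestamp(first, timezone.utc))
```

Decoding the message IDs is what makes the check useful on a stale listing: the ps START column only has minute resolution, while the IDs show that the twelve sampled deliveries for `diese3` were accepted within about nine seconds of each other (17:16 UTC, which is the 09:16 local time the host's listing shows). That is the pattern to look for before anything else on a shared host: a burst of queued mail coinciding with a PHP script that has no business running for that long, here the forum's admin mailer. The same timestamps then tell you where to look in the Exim main log and the web server access log for the request that started it.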