- 10-18-2010 #1
what is this processing
Hi Linux experts..
I have a Red Hat server OS and am running a web site there... and the server always uses 100% CPU processing.. and because of that I need to restart the server..
So my question is... I have captured this picture.. can anyone tell me what exactly this process is.. is my server under attack by DDoS..??
(See attachment please.. I can't post a URL because I just registered in this forum..)
- 10-18-2010 #2
These pictures have no valuable information.
Is this machine swapping,
has it heavy IO,
are the CPUs maxed out in userspace or kernelspace?
You must always face the curtain with a bow.
- 10-18-2010 #3
Is this machine swapping,
NO
has it heavy IO,
YES, but for a certain time only
are the CPUs maxed out in userspace or kernelspace?
it is in kernel space... and sometimes causes: journal commit I/O error...
Actually this server has been attacked once by an unknown person..
Do you know what the process called "sh" with status Zombie is, in picture "page12.png"?
- 10-18-2010 #4
This is the full picture of the screenshot
- 10-18-2010 #5
There is still nothing to see

Do you maybe have rrd graphs of the load, io, net of that box?
Is the crash always happening at the same time (this would point to a faulty cronjob)?
And as you say you were attacked:
Did you investigate the error logs and access logs of apache from the point in time of the attack?
- 10-18-2010 #6
Actually this server is installed with Red Hat server edition 5.1 ..
and the additional software installed is MySQL server..
for the website we are using a product from Liferay and just run it....
In this situation.. it is impossible for the server to have 100% CPU usage for a long time and then cause an I/O crash..
I have checked the apache log and there is only a crash report ...
From the last attack, the hacker actually used this server as a zombie and did port scanning to other clients' servers..
We know this because the other client reported it to us...
Can someone suggest to me how to prevent intruders from using this server to hack another server..?? How to scan for rootkits in this Linux server..??
- 10-18-2010 #7
Two things
1) journal commit I/O error...
This indicates a hardware error.
Check your controller and hard discs
2) if you already *know* that this machine has been rooted, then
- take it off the net asap
- investigate how the intruder got in and what he did. Logs, chkrootkit, rkhunter might help, as well as investigating your own code (if there is such)
- reinstall it from scratch.
No sane way around this.
- 10-18-2010 #8
Thanks for the solution..
For the first solution.. I think it has been done, because the server HDD upgrade process has been completed successfully..
To take it off the net asap I think I need to send the "init 6" command asap.. lol.. because the server is in a VM and it is monitored by other people..
Irithori, can I ask you a question.. if you could take over a server.. what would you do with that server..??
- 10-18-2010 #9
I wouldn't take over servers that don't belong to me :P
But generally, servers get rooted to have them be part of bot nets, as spam bots, for illegal downloads, to attack other servers, etc, etc.
All of these points justify taking down a box *immediately* after discovering the fact that it got rooted.
And, despite quite unpleasant consequences, your business and especially the legal team should be interested in taking that box off the net as well.
- 10-18-2010 #10
.. Thanks..
I have scanned with rkhunter.. and get these warnings.. can you explain what actually has been replaced.. since I'm not really an expert in Linux..
Thanks if you can help me..
[18:00:36] /sbin/ifdown [ Warning ]
[18:00:36] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[18:00:36] /sbin/ifup [ Warning ]
[18:00:36] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[18:00:32] /usr/bin/whatis [ Warning ]
[18:00:32] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[18:00:17] /usr/bin/ldd [ Warning ]
[18:00:17] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[18:00:14] /usr/bin/GET [ Warning ]
[18:00:14] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[18:00:14] /usr/bin/groups [ Warning ]
[18:00:15] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
:
:
:
:
Checking for hidden files and directories [ Warning ]
[18:19:55] Warning: Hidden directory found: /etc/.java
[18:19:55] Warning: Hidden directory found: /dev/.udev
[18:19:55] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
:
:
Checking version of Apache [ Warning ]
[18:20:27] Warning: Application 'httpd', version '2.2.3', is out of date, and possibly a security risk.
[18:20:27] Info: Application 'named' not found.
[18:20:27] Checking version of OpenSSL [ Warning ]
[18:20:27] Warning: Application 'openssl', version '0.9.8b', is out of date, and possibly a security risk.
[18:20:28] Checking version of PHP [ Warning ]
[18:20:28] Warning: Application 'php', version '5.1.6', is out of date, and possibly a security risk.
Checking version of OpenSSH [ Warning ]
[18:20:29] Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.
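As an added example (not from this thread, rkhunter or Red Hat), the following Python parses rkhunter warning lines like the ones quoted above and shows how to read the result of `rpm -Vf` for each flagged path: on an RPM-based system the package database records the digest of every installed file, so a "replaced by a script" warning can be compared against what the distribution's own package actually shipped (several of these commands are scripts in the stock packages). It assumes Python 3; the sample log lines are constructed from the post, and the rpm step only runs where an `rpm` binary exists.

```python
import re
import shutil
import subprocess

# Constructed sample: warning lines taken from the rkhunter output quoted in the post.
SAMPLE_LOG = """\
[18:00:36] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[18:00:17] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[18:00:14] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[18:19:55] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
"""

REPLACED_RE = re.compile(r"^\[\d{2}:\d{2}:\d{2}\] Warning: The command '(?P<path>[^']+)' has been replaced by a script: (?P=path): (?P<kind>.+)$")
HIDDEN_RE = re.compile(r"^\[\d{2}:\d{2}:\d{2}\] Warning: Hidden (?:file|directory) found: (?P<path>[^:]+)")

def parse_rkhunter(text):
    """Return (category, path, detail) tuples for the rkhunter warning lines in text."""
    findings = []
    for line in text.splitlines():
        m = REPLACED_RE.match(line)
        if m:
            findings.append(("replaced_by_script", m.group("path"), m.group("kind")))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            findings.append(("hidden", m.group("path"), ""))
    return findings

def interpret_rpm_verify(output):
    """Classify the output of `rpm -Vf PATH` for one file.
    Empty output means every recorded attribute matches the package. The first column is
    the attribute string: '5' is a digest mismatch and 'S' a size change, i.e. the file's
    content differs from what the package installed; 'T' or 'M' alone is metadata only."""
    if not output.strip():
        return "matches_package"
    for line in output.splitlines():
        if line.startswith("missing"):
            return "missing"
        if "is not owned by any package" in line:
            return "not_packaged"
        attrs = line.split()[0]
        if "5" in attrs or "S" in attrs:
            return "content_modified"
    return "metadata_only"

def verify_with_rpm(path):
    """Run rpm -Vf for path; returns None where rpm is absent (non-RPM host).
    On a box already known to be rooted, rpm and its database may themselves be
    tampered with, so treat this as triage input, not proof of integrity."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
    return interpret_rpm_verify(proc.stdout + proc.stderr)
```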