[Phpwm] Problems with live Silverstripe website (httpd spawning processes, high CPU)
David Goodwin
david at codepoets.co.uk
Thu Aug 19 11:46:09 UTC 2010
On Thu, 2010-08-19 at 10:08 +0100, Pete Graham wrote:
> Hi Phil,
>
> It did cross my mind that the high server load could be caused by
> someone trying to exploit the site. However from analysing the logs it
> appears that there is no naughtiness afoot that I can see.
>
> Pete
Check /tmp, /var/tmp for random files that shouldn't be there; may be
'hidden' so do 'ls -al'.

grep -ri through your code base for eval / base64_decode / gzinflate ...

Are there any unexplained processes running (e.g. 'perl')?

Check .bash_history files for accounts that can log in...

Check last / lastlog

Install / run chkrootkit / rkhunter or similar.

Anything reported in 'dmesg' (e.g. I think segfaults may imply someone's
trying to exploit a stack overflow or whatever)

Alternatively, when it's under high load, tcpdump the traffic out; look
at netstat - what connections are open to where? Are there any new
'services' listening (netstat --tcp -lpn).

Don't let Apache make outbound port 80 requests.... if it doesn't need
to.

Install munin / munin-node and see if having a graphical view of what
the server is up to helps... if you don't already know.

And so on...
David.
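
The shell helpers below are an added example, not part of the original message: they carry out the code-base grep and the hidden-file check from the list above. The function names, the HIGH/REVIEW ranking, the word-boundary match (so that doubleval( is not reported as eval() and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added triage helpers (not from the original post). Function names are hypothetical.

# Word-boundary prefix so "doubleval(" is not reported as "eval(".
CALLS='(^|[^[:alnum:]_])(eval|base64_decode|gzinflate)[[:space:]]*\('
# eval applied directly to decoder output on one line: look at these first.
NESTED='(^|[^[:alnum:]_])eval[[:space:]]*\(.*(base64_decode|gzinflate)[[:space:]]*\('

# Usage: scan_php_calls DIR
# Prints "PRIORITY<TAB>MATCHING_LINES<TAB>FILE", HIGH entries first.
scan_php_calls() {
    grep -rIilE "$CALLS" "$1" 2>/dev/null | while IFS= read -r f; do
        if grep -IiqE "$NESTED" "$f"; then pri=HIGH; else pri=REVIEW; fi
        printf '%s\t%s\t%s\n' "$pri" "$(grep -IicE "$CALLS" "$f")" "$f"
    done | sort
}

# Usage: list_hidden DIR...   (e.g. list_hidden /tmp /var/tmp)
# Prints dot-files and dot-directories that a plain 'ls' would not show.
list_hidden() {
    find "$@" -mindepth 1 -name '.*' -print 2>/dev/null | sort
}

# Constructed sample tree for trying the helpers offline; prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site" "$d/tmp/.cache"
    printf '%s\n' '<?php $n = doubleval($_GET["n"]); echo $n;' > "$d/site/index.php"
    printf '%s\n' '<?php $s = base64_decode($row["blob"]);' > "$d/site/util.php"
    printf '%s\n' '<?php EVAL (gzinflate(base64_decode("CONSTRUCTED_PLACEHOLDER")));' > "$d/site/x.php"
    : > "$d/tmp/.cache/.hidden.pl"
    : > "$d/tmp/upload.tmp"
    printf '%s\n' "$d"
}

# Demo: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    scan_php_calls "$t/site"
    list_hidden "$t/tmp"
    rm -rf "$t"
fi
```

A REVIEW line is not evidence of compromise on its own, since legitimate code calls base64_decode too; it only marks files worth reading.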