Vesta Control Panel - Forum

Posted: **Sat Mar 07, 2015 10:35 am**

Hello,
I am under attack for 10 hours.
Since I am new to linux I don't know what to and where to begin.

I will post some graphic for you guys to direct me to the issue and take necessary steps.

This output shows weird traffic between me and google dns servers. It never stops. Is my server used to DDOS Google DNS?

Here you will see, pyhton is causing %100 CPU load (maybe due to fail2ban usage?)

Here's my digitalocean graphics, the server went crazy!!

And last, here's my email usage, I think my mail server is being used for spamming but I am sure it is not my clients.

What can I do? How can I investigate this issue? How can I limit outgoing email per hour? like 100 mails per hour.

Posted: **Sat Mar 07, 2015 4:40 pm**

We need CSF, I have a vps with CSF installed, the server is up for 10 months, not even a restart... Admins doesn't recommend vesta with csf..
does any of you use (still) vesta with csf firewall?

Posted: **Sat Mar 07, 2015 7:35 pm**

I installed CSF on vesta and blocked outgoing port 80 and the 20 mb/s outgoing connections stopped.
my server is being used to attack other wordpress sites I guess.

cpu is still high, but at least I managed my server to stop attacking/flooding other websites.

here s what top -H -p 14941 returns

Code: Select all

Threads: 501 total,   4 running, 497 sleeping,   0 stopped,   0 zombie
%Cpu(s): 49.7 us, 30.3 sy,  0.0 ni, 18.7 id,  0.9 wa,  0.0 hi,  0.5 si,  0.0 s
KiB Mem:   4061564 total,  3870052 used,   191512 free,   311700 buffers
KiB Swap:  4095996 total,       80 used,  4095916 free,   732256 cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
15361 admin     20   0 4480m 352m 4700 R  28.7  8.9   6:27.91 python
15427 admin     20   0 4480m 352m 4700 R  28.1  8.9   7:36.01 python
15345 admin     20   0 4480m 352m 4700 R  27.4  8.9   5:18.05 python
15354 admin     20   0 4480m 352m 4700 R  27.4  8.9   8:39.31 python
15026 admin     20   0 4480m 352m 4700 S   0.7  8.9   0:00.95 python
15303 admin     20   0 4480m 352m 4700 S   0.7  8.9   0:03.05 python
15112 admin     20   0 4480m 352m 4700 S   0.3  8.9   0:02.46 python
15267 admin     20   0 4480m 352m 4700 S   0.3  8.9   0:02.81 python
15272 admin     20   0 4480m 352m 4700 S   0.3  8.9   0:02.67 python
15374 admin     20   0 4480m 352m 4700 S   0.3  8.9   0:02.87 python
15394 admin     20   0 4480m 352m 4700 S   0.3  8.9   0:02.36 python
15430 admin     20   0 4480m 352m 4700 S   0.3  8.9   0:02.72 python
14941 admin     20   0 4480m 352m 4700 S   0.0  8.9   0:06.51 python
14948 admin     20   0 4480m 352m 4700 S   0.0  8.9   0:02.46 python
14949 admin     20   0 4480m 352m 4700 S   0.0  8.9   0:02.56 python
14950 admin     20   0 4480m 352m 4700 S   0.0  8.9   0:01.35 python
14951 admin     20   0 4480m 352m 4700 S   0.0  8.9   0:02.21 python
14952 admin     20   0 4480m 352m 4700 S   0.0  8.9   0:02.82 python

python is causing excessive cpu load, whatever my server is infected with, it has got to do something with python lol

Posted: **Sat Mar 07, 2015 8:52 pm**

ok brothers and sisters, CSF did the job, mofo gave up for this time. I think my server is compromised, but at least it is working.

Posted: **Mon Mar 09, 2015 1:32 pm**

Hello, you can try to investigate that python processes using lsof:

Code: Select all

lsof -np PID

Check internet connections:

Code: Select all

netstat -naptu

Install rkhunter and check rootkits

Code: Select all

rkhunter --update; rkhunter --check

seatch new php files (10 days old in example)

Code: Select all

find /home/admin -type f -name "*.php" -mtime -10 -ls

Check temp folders /tmp, /var/tmp, /dev/shm and cron tasks

Code: Select all

crontab -l -u admin

Posted: **Tue Mar 10, 2015 7:17 pm**

Deeryo wrote:Hello, you can try to investigate that python processes using lsof:
Code: Select all
lsof -np PID
Check internet connections:
Code: Select all
netstat -naptu
Install rkhunter and check rootkits
Code: Select all
rkhunter --update; rkhunter --check
seatch new php files (10 days old in example)
Code: Select all
find /home/admin -type f -name "*.php" -mtime -10 -ls
Check temp folders /tmp, /var/tmp, /dev/shm and cron tasks
Code: Select all
crontab -l -u admin

these are great information. not just for this case, for my future possible problems. I kindly thank you. unfortunately I gave up on that server. the biggest issue is, people are using nulled scripts and there is nothing I can do about it.

In vesta, once somebody manages to upload a shell script, whole server is in his hands. not enough measures has been taken in terms of hosting security.

vesta may be great, but not yet a dependable product for linux newbies like me.

now I am switched to cpanel, things may be slower and I got to pay $14 / month but at last I will find peace.

Posted: **Tue Mar 10, 2015 8:12 pm**

You can use apache "basedir" template to use php open_basedir protection. Also modify /etc/php.ini and set disable_functions option. Examples from google:
http://www.databaseskill.com/3343256/
or
http://lowendtalk.com/discussion/37009/ ... ed-hosting
or

Code: Select all

disable_functions=eval,exec,shell_exec,system,passthru,popen,dl,set_time_limit,symlink,uname,proc_open,proc_nice,proc_get_status,proc_close,proc_terminate,posix_mkfifo,socket_listen,socket_create,socket_create_pair,socket_create_listen,socket_connect,pfsockopen,disk_free_space,disk_total_space,socket_bind,socket_accept,socket_read,stream_socket_client,stream_socket_server,stream_select,stream_socket_accept,stream_socket_recvfrom,stream_socket_sendto

Posted: **Tue Mar 10, 2015 8:55 pm**

Deeryo wrote:You can use apache "basedir" template to use php open_basedir protection. Also modify /etc/php.ini and set disable_functions option. Examples from google:
http://www.databaseskill.com/3343256/
or
http://lowendtalk.com/discussion/37009/ ... ed-hosting
or
Code: Select all
disable_functions=eval,exec,shell_exec,system,passthru,popen,dl,set_time_limit,symlink,uname,proc_open,proc_nice,proc_get_status,proc_close,proc_terminate,posix_mkfifo,socket_listen,socket_create,socket_create_pair,socket_create_listen,socket_connect,pfsockopen,disk_free_space,disk_total_space,socket_bind,socket_accept,socket_read,stream_socket_client,stream_socket_server,stream_select,stream_socket_accept,stream_socket_recvfrom,stream_socket_sendto

thanks once again.

but if I have to modify these, then what is the purpose of using hosting panel..

even setting a restriction on mails sent by domain per hour requires serious exim skills and heavy googling..

and these guys are working on adapting "file manager" not serious issues...

my main job is doing seo and developing wordpress websites, but since I am with vesta, I feel depressed, I cannot sleep. for 3 days things are normal, but then all of a sudden everything can go crazy...

Vesta Control Panel - Forum

I am under ATTACK

I am under ATTACK

Re: I am under ATTACK

Re: I am under ATTACK

Re: I am under ATTACK

Re: I am under ATTACK

Re: I am under ATTACK

Re: I am under ATTACK

Re: I am under ATTACK