Server unreachable

Musthafa

• December 19, 2016 03:04

I was not able to access my server via ssh nor whm but it just pings. I had to contact the service provider and needed a physical reboot. Now I am not able to find the reason. When I checked the top processes on the day in whm there are these three processes consumed more cpu. dovecot/imap /usr/bin/php /home/amerqavi/public_html/wp-admin/admin-ajax.php /usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/bin/rebuild_sprites -cponly -quiet I checked almost all logs, couldn't find anything suspicious. What might be the reason. I have nagios monitoring enabled on the server. it didnt provided any warning other than normal

• 

  SysSachin

  • December 19, 2016 11:45

  I was not able to access my server via ssh nor whm

  
  May I know what error message you were getting while access SSH and WHM ? Also, Have you enabled cphulk brute force on your server ? If yes then might be there was cphulk brute force attack on your server.

  0
• 

  Musthafa

  • December 19, 2016 12:01

  I did not get any error message. It tried to load but failed after some time. Yes I have enabled the cphulk bruteforce on the server. How can I confirm if its a bruteforce attack. I think cphulk is to protect from bruteforce??

  0
• 

  SysSachin

  • December 19, 2016 12:22

  Hello, Try to grep cphulk logs in /var/log/messages file. Use below command.
  cat /var/log/messages | grep cphulk
  

  0
• 

  Musthafa

  • December 19, 2016 12:41

  Hi, It happened again just few minutes back and I had to reboot it again. There is no logs related to cphulk. The above command returns nothing. When I checked the top processes that ran today I found this, This came from nowhere. I killed all the processes from dovenull user today morning and restarted dovecot, but it came again. 11955 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login 11956 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login 11957 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login 11958 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login 11959 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login 11960 (config) /usr/libexec/dovecot/config /var/run/dovecot dovecot/config 11961 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login 11962 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login 11963 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login 11964 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login 11965 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login 11966 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login 11967 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login 11968 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login 11969 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login 11970 (pop3-login) /usr/libexec/dovecot/pop3-login /var/run/dovecot/login dovecot/pop3-login 11971 (imap-login) /usr/libexec/dovecot/imap-login /var/run/dovecot/login dovecot/imap-login

  0
• 

  Musthafa

  • December 19, 2016 12:53

  Hi, I got this error log in cphulkd_error.log [2016-12-19 06:08:53 -0500] info [cphulkd] 5315 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe [2016-12-19 06:08:53 -0500] info [cphulkd] 5316 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe [2016-12-19 06:08:54 -0500] info [cphulkd] 5384 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe [2016-12-19 06:08:54 -0500] info [cphulkd] 5385 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe [2016-12-19 06:09:13 -0500] info [cphulkd] 5317 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe [2016-12-19 06:09:13 -0500] info [cphulkd] 5386 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe [2016-12-19 06:09:13 -0500] info [cphulkd] 5387 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe [2016-12-19 06:09:18 -0500] info [cphulkd] 5435 The system encountered an error while processing a request: (XID 2vpw85) Broken pipe [2016-12-19 06:09:19 -0500] info [cphulkd] 5464 The system encountered an error while processing a request: (XID e2vpw8) Broken pipe

  0
• 

  cPanelMichael

  • December 19, 2016 16:27

  Hello, Do you notice any output to /var/log/messages or /var/log/dmesg just before the time at which the system stopped responding? Thank you.

  0
• 

  Musthafa

  • December 20, 2016 05:16

  Hi, Sorry for the late reply.

  Do you notice any output to /var/log/messages or /var/log/dmesg just before the time at which the system stopped responding

  
  Nothing unsual, But when I checked the accesslog of webserver, i found too much hits from a particular ip, seems to be a seo bot and its ip found in the blacklists. I blocked the ip. When I checked further, i found this 'bing.com/bingbot.htm' also hitting on the server frequently. Should I block all those ips?

  0
• 

  Musthafa

  • December 20, 2016 05:19

  And also I have this large number of /dovecot/pop3-login process from user 'dovenull' running in my server even after killing them all 27369 (Trace) (Kill) dovenull 0 0.00 0.08 dovecot/imap-login 27370 (Trace) (Kill) dovenull 0 0.00 0.08 dovecot/imap-login 27371 (Trace) (Kill) dovenull 0 0.00 0.08 dovecot/pop3-login

  0
• 

  cPanelMichael

  • December 20, 2016 17:27

  Hello @Musthafa, Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome. Thank you.

  0

Please sign in to leave a comment.