XFileSharing Pro - Unusual high load on server

oldman
Posts: 17
Joined: Oct 20, 2012 2:40 pm

Unusual high load on server

#1 Postby oldman » Jan 15, 2016 12:14 am

Hi guys,

Out of the blue I'm getting extremely high load on my server every hour.

[2016-01-14 23:33:21] Load average (324.51) is higher than maximum limit of 20

I have handled double the current traffic and more than 3 times the downloads without any issue so I was wondering if it is possible this is an attack to bring my site down.

The script causing the downtime is index_dl.cgi. I understand this is a core function but as mentioned, my server has handled more traffic without any problems.

Your assistance is much appreciated. Thanks!

ufkabakan
Posts: 332
Joined: Apr 13, 2011 9:37 pm

#2 Postby ufkabakan » Jan 15, 2016 1:29 pm

Check your HTTP logs, check your "netstat" connections. Unusual DDOS connections mostly come from China and dedicated-based IPs.

Normally 1 real downloader opens 1-5 connections and after a few seconds stays with 1 index_dl.cgi connection.

If you upload the last 5000 connections from the Apache HTTP log to pastebin or similar sites, someone (maybe me) can check it for you.

Another tip: I suggest using "ExtendedStatus On" for real-time Apache data.
https://mediatemple.net/community/produ ... -my-server

oldman
Posts: 17
Joined: Oct 20, 2012 2:40 pm

#3 Postby oldman » Jan 15, 2016 2:31 pm

Thanks! I will try out some of your advice first.

oldman
Posts: 17
Joined: Oct 20, 2012 2:40 pm

#4 Postby oldman » Jan 15, 2016 3:22 pm

ri Jan 15 06:32:45 2016] [error] [client 114.111.167.239] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine AUTOLOAD redefined at /usr/lib64/perl5/POSIX.pm line 38., referer: https://medium.com/
[Fri Jan 15 06:32:45 2016] [error] [client 114.111.167.239] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine DESTROY redefined at /usr/lib64/perl5/POSIX.pm line 73., referer: https://medium.com/
[Fri Jan 15 06:32:45 2016] [error] [client 190.202.82.238] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine import redefined at /usr/lib64/perl5/POSIX.pm line 24., referer: https://twitter.com/
[Fri Jan 15 06:32:45 2016] [error] [client 190.202.82.238] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine croak redefined at /usr/lib64/perl5/POSIX.pm line 32., referer: https://twitter.com/
[Fri Jan 15 06:32:45 2016] [error] [client 190.202.82.238] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine AUTOLOAD redefined at /usr/lib64/perl5/POSIX.pm line 38., referer: https://twitter.com/
[Fri Jan 15 06:32:45 2016] [error] [client 190.202.82.238] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine DESTROY redefined at /usr/lib64/perl5/POSIX.pm line 73., referer: https://twitter.com/
[Fri Jan 15 06:32:45 2016] [error] [client 51.255.33.52] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine import redefined at /usr/lib64/perl5/POSIX.pm line 24., referer: http://search.aol.com/aol/webhome
[Fri Jan 15 06:32:45 2016] [error] [client 58.20.184.187] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine import redefined at /usr/lib64/perl5/POSIX.pm line 24., referer: https://search.yahoo.com/
[Fri Jan 15 06:32:45 2016] [error] [client 51.255.33.52] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine croak redefined at /usr/lib64/perl5/POSIX.pm line 32., referer: http://search.aol.com/aol/webhome
[Fri Jan 15 06:32:45 2016] [error] [client 58.20.184.187] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine croak redefined at /usr/lib64/perl5/POSIX.pm line 32., referer: https://search.yahoo.com/
[Fri Jan 15 06:32:45 2016] [error] [client 51.255.33.52] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine AUTOLOAD redefined at /usr/lib64/perl5/POSIX.pm line 38., referer: http://search.aol.com/aol/webhome
[Fri Jan 15 06:32:45 2016] [error] [client 58.20.184.187] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine AUTOLOAD redefined at /usr/lib64/perl5/POSIX.pm line 38., referer: https://search.yahoo.com/
[Fri Jan 15 06:32:45 2016] [error] [client 51.255.33.52] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine DESTROY redefined at /usr/lib64/perl5/POSIX.pm line 73., referer: http://search.aol.com/aol/webhome
[Fri Jan 15 06:32:45 2016] [error] [client 58.20.184.187] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine DESTROY redefined at /usr/lib64/perl5/POSIX.pm line 73., referer: https://search.yahoo.com/
[Fri Jan 15 06:32:45 2016] [error] [client 122.96.59.104] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine croak redefined at /usr/lib64/perl5/POSIX.pm line 32., referer: http://search.aol.com/aol/webhome
[Fri Jan 15 06:32:45 2016] [error] [client 122.96.59.104] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine AUTOLOAD redefined at /usr/lib64/perl5/POSIX.pm line 38., referer: http://search.aol.com/aol/webhome
[Fri Jan 15 06:32:45 2016] [error] [client 122.96.59.104] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine DESTROY redefined at /usr/lib64/perl5/POSIX.pm line 73., referer: http://search.aol.com/aol/webhome
[Fri Jan 15 06:32:45 2016] [error] [client 176.112.247.82] [Fri Jan 15 06:32:45 2016] index_dl.cgi: Subroutine import redefined at /usr/lib64/perl5/POSIX.pm line 24., referer: http://secret.com/

Does this mean I am getting DDOSed?

ufkabakan
Posts: 332
Joined: Apr 13, 2011 9:37 pm

#5 Postby ufkabakan » Jan 16, 2016 1:22 am

Yes, these IPs are from China or datacenter-based.

However, if you share your bigger HTTP access logs on pastebin.com, maybe I can give some suggestions.

You can remove your domain name from the logs for your privacy.

Manders
Posts: 19
Joined: Mar 27, 2014 10:04 pm

#6 Postby Manders » Feb 23, 2016 4:31 pm

If it spikes each hour it is probably a scheduled process rather than an 'attack'.

If you are on a dedicated server install CSF and it will send you an email when processes are high and give you the reason - CSF will also help with security on your server too!
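
Added example, not part of any post in this thread: a small Python triage of an Apache error log in the format pasted in post #4, estimating index_dl.cgi invocations per client (to compare with the 1-5 connections range from post #2) and checking whether activity clusters in the same minutes of each hour (the scheduled-process idea from post #6). The sample log, its IPs (documentation ranges) and the function names are constructed for illustration, and the "one warning per redefined sub per CGI start" rule is an assumption read off the pasted lines.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache 2.2 error-log layout, as in the lines pasted in post #4.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4})\] \[error\] "
    r"\[client (?P<ip>[0-9A-Fa-f.:]+)\] .*?index_dl\.cgi: "
    r"Subroutine (?P<sub>\w+) redefined")

def parse(lines):
    """Return (events, skipped); an event is (datetime, client_ip, sub_name)."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # e.g. a paste cut off at the start of a line
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events.append((ts, m["ip"], m["sub"]))
    return events, skipped

def invocations_per_client(events):
    """Assumption: every CGI start logs one warning per redefined sub, so the
    most repeated sub name per client approximates its invocation count."""
    per_ip = defaultdict(Counter)
    for _, ip, sub in events:
        per_ip[ip][sub] += 1
    return {ip: max(c.values()) for ip, c in per_ip.items()}

def busiest_slot(events, width=5):
    """(slot_start_minute, share_of_events, hours_seen) by minute of the hour.
    A high share repeated over several hours fits a scheduled job."""
    if not events: return None
    slots = Counter(ts.minute // width * width for ts, _, _ in events)
    minute, hits = slots.most_common(1)[0]
    hours = {(ts.date(), ts.hour) for ts, _, _ in events}
    return minute, hits / len(events), len(hours)

def sample_log():
    """Constructed sample using documentation IP ranges, not thread data."""
    fmt = ("[{t}] [error] [client {ip}] [{t}] index_dl.cgi: Subroutine {s} "
           "redefined at /usr/lib64/perl5/POSIX.pm line 1., referer: -")
    subs = ("import", "croak", "AUTOLOAD", "DESTROY")
    lines = ["ri Jan 15 06:32:45 2016] [error] [client 192.0.2.10] cut off"]
    for hour in (6, 7, 8):  # three invocations per hour from one client
        t = f"Fri Jan 15 {hour:02d}:32:45 2016"
        lines += [fmt.format(t=t, ip="192.0.2.10", s=s) for s in subs] * 3
    t = "Fri Jan 15 06:47:10 2016"  # a single ordinary request
    return lines + [fmt.format(t=t, ip="198.51.100.7", s=s) for s in subs]
```

The per-client figure is a total over the whole log window, not a count of simultaneous connections, so compare it with the window length before treating a client as abusive.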