
Re: [cobalt-users] [RaQ4] Strange behaviour: excess hits, corrupted files, duplicate mails etc.



>Assistance needed:
>
>We are experiencing strange behaviour on a virtual site running on our
>Cobalt RaQ4. Please see if you can figure out what could be wrong? Also
>please see if you can figure out whether the user could have caused this or
>if it's a system issue.
>
>A customer running a virtual site on our RaQ4 reported the following
>problems:
>
>- - -
>
>1. There is a sudden high increase of hits in the statistics (Webalizer) of
>the virtual site. An average usage site has 4+ million hits in a single day
>coming from two DSL addresses both belonging to people maintaining the site.


??  4 million hits a day from the webmasters themselves??  WTF?

>2. During the same day the disk usage of the site had multiplied from 300Mb
>to 800Mb with no apparent reason. Disk quota had been radically exceeded
>without massive uploads by users or such normal causes.


see the script

>
>3. Some website files had lost their rights, they had no longer any group or
>world rights. The user claims not to have altered rights.


Permissions don't just disappear - something changes them - either a backup/restore operation as the wrong user, or someone (either a site admin, or a root user) has altered them.

>4. Several files (jpg) were corrupted and were no longer displayed correctly
>in browsers. They had been uploaded normally via FTP.


If the files used to work, and now don't, then they have been altered - possibly by a rogue process, or some script/binary that ought not to have touched them - perhaps some script kiddy on your machine?

>
>5. Recipients of emails have received several copies of emails. (We don't
>have reports that any other virtual site on the machine would have such
>issues.)
>
>- - -
>
>There are currently approximately 50 virtual sites on the machine. It has
>maximum memory (512mb). We have received warnings of high memory use and
>server load before, but not continuously. What could be wrong? What should
>we look into?


Sounds like you might have been compromised....

run a top and see what is grabbing all the RAM/cpu...

Get chkrootkit and run it.

cd /home/sites/www.yoursite.com/
find . -type d -print | xargs du -s

That will give you a list of folders within the vsite and provide you an idea where the files are that are grabbing the quota.

hth
-- 
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970) 266-0195   FAX: (970) 266-0158
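The checks suggested in the reply above (per-folder disk usage, files that lost their permissions, altered jpgs), written out as an added shell example that is not from the original post or the list. The site root argument (the /home/sites/www.yoursite.com layout named in the reply) and the owner argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: read-only triage helpers for
# a Cobalt vsite tree. Assumes POSIX sh with find/du/sort/od; $1 is the site
# root (e.g. /home/sites/www.yoursite.com, the layout named in the reply).

# 1. Where the quota went: every directory with its size in KB, largest
#    first, so a 300Mb -> 800Mb jump points at the responsible folder.
largest_dirs() {
    site=$1; count=${2:-10}
    find "$site" -type d -print0 | xargs -0 du -sk | sort -rn | head -n "$count"
}

# 2. Files changed within the last N days (default 1). New or rewritten
#    content shows up here even when the customer says nothing was uploaded.
recent_files() {
    site=$1; days=${2:-1}
    find "$site" -type f -mtime "-$days" -print | sort
}

# 3. Files that lost group or world read permission (point 3 in the report).
#    -perm -044 matches only when BOTH group-read and other-read are set, so
#    negating it lists anything the web server user can no longer read.
restricted_files() {
    find "$1" -type f ! -perm -044 -print | sort
}

# 4. JPEG files that no longer start with the SOI marker FF D8. A jpg that
#    "used to work" and fails this check has been rewritten on disk.
bad_jpegs() {
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' \) -print | sort |
    while IFS= read -r f; do
        magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
        [ "$magic" = "ffd8" ] || printf '%s\n' "$f"
    done
}

# 5. Setuid/setgid files, or files not owned by the site's own user ($2),
#    have no business under a vsite document root.
odd_ownership() {
    site=$1; owner=$2
    find "$site" -type f \( -perm -4000 -o -perm -2000 -o ! -user "$owner" \) -print | sort
}

# Usage: sh vsite_triage.sh /home/sites/www.yoursite.com siteuser
if [ -n "$1" ]; then
    largest_dirs "$1"; recent_files "$1"; restricted_files "$1"; bad_jpegs "$1"
    [ -n "$2" ] && odd_ownership "$1" "$2"
fi
```

Run it as the site owner or root; every function only reads the tree, so it is safe to repeat while comparing against the customer's account of what changed.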