
This issue started happening a week after I got a server upgrade from iWeb. The new IPs that were assigned to me were on some massive hacker/botnet list, so for the first while I was getting insane amounts of brute-force attacks. I banned as many of the IPs as I could, but they have started again (1 week later).

I'm honestly not sure if this is related, but my system has been exhausted, from a resource point of view. I checked the kernel messages log, and it's calling oom-killer like crazy. I also put in the memory logging to see if I can catch the culprit, but that didn't work, as it wasn't able to log the crucial information. It gets to a point where the server is still online, but the only thing I can do is ping it - can't ssh, or do anything else. Only solution is a restart.

Here is my other question that is directly related to this problem:

Centos server not using SWAP properly and getting OOM

I'm starting to think that this is all related to cpHulk and the brute force attacks. This never happened on my old server with iWeb.

I even asked if I could get assigned new IPs, and they refused.

What are your thoughts? Do you think this is related to the attacks? Should iWeb give me new IPs, as these ones are clearly on an attacker's list, and I don't think this will stop?

xil3

1 Answer

  1. cPanel's not known for having the most CPU/Memory efficient processes out there. I'd be pointing the finger in that direction primarily. You could try using a service that injects IPTables rules, such as fail2ban or denyhosts, both of which are a lot lighter-weight and lower level than cpHulk appears to be.

  2. Your hosting provider ("iWeb") should be doing everything in their power to limit the effect of brute force attacks that come from their decision to recycle IP addresses. They should be firewalling the traffic for you, or running some kind of sensible IDS/IPS.

  3. If they're not helping, then I suggest you go find a provider who don't suck balls.
Tom O'Connor
  • Sadly, as cPanel is closed-source, I can't get the source code of cpHulk to give it a quick once over and figure out what it does, how it works, and where it's leaking memory. So I'll just say this. I don't like it. – Tom O'Connor Mar 26 '12 at 20:38
  • Thanks Tom - I'll keep investigating this. It was never an issue until I migrated everything to this new server, so I'm almost positive that it's related to the attacks. – xil3 Mar 27 '12 at 15:49
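
The answer's first point recommends tools such as fail2ban that watch the auth log and insert IPTables rules. The sketch below is an added example, not part of the thread and not fail2ban's code: it counts failed sshd logins per source address in a sliding window and renders the DROP rule a log-driven blocker would add. The names `maxretry` and `findtime` follow fail2ban's option names; the log lines, addresses, year and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the sshd syslog format written to /var/log/secure
# on CentOS. Addresses are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Mar 26 20:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 26 20:01:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar 26 20:01:09 host sshd[2105]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar 26 20:02:00 host sshd[2110]: Accepted password for deploy from 198.51.100.4 port 51000 ssh2
Mar 26 20:03:10 host sshd[2120]: Failed password for root from 192.0.2.50 port 41000 ssh2
Mar 26 20:40:10 host sshd[2190]: Failed password for root from 192.0.2.50 port 41001 ssh2
Mar 26 20:59:10 host sshd[2200]: Failed password for root from 192.0.2.50 port 41002 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2012):
    """Return IPs with at least maxretry failures inside any findtime window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

def iptables_rules(ips):
    """Render one DROP rule per offending address (returned as text, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Slow, spread-out attempts such as the 192.0.2.50 lines stay under the threshold, which is why the window and retry count need tuning against the real log.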