Navigation

HenryTheEight · #1 14th June 2010, 03:32

Hi,

I have been running 4 servers on VMs (2 DNS, 1 web, 1 mail server), which I have been running untouched and very reliable for months now with ISPconfig perfect setups on Centos 5.4 (all of them). Recently,
I have been experiencing very slow web surfing which I share BW with my servers.

I checked to find on my vm console that all my servers have been using all of my Upload BandWidth (barely any download BW). I don't know what is being uploaded and to whom, but all 4 servers are using equal amounts of BW i.e. 25% each. The duration of max BW can last for a couple of hours at Max then momentary lays idle for a few minutes and max out again. CPU usage on all servers (all single core) is under 25%.

My yum update times out during these max BW periods.

Any one has experienced this?

BTW if I switch off my DNSs the other servers BW goes idle.

Questions
1. Have my severs been compromised? ->how to check?
2. Or is this some external BW attack? -> spiders?
3. Or its normal - just set somthing wrongly?

My linux skills are at novice level so please keep advice simple.

HenryTheEight · #2 14th June 2010, 04:31

Hi,

Further my last post, I notice from the 'top' command that I notice
that a process command call 'named' has been running when upload
BW is being taken once the process stopped the BW when back down to
normal. Under the User column (and the command column) the process is also label 'named'.

Now this process seem to start and stop on its own accord for periods of 10-15mins max then 2-3 pause then starts itself again.

Have my servers been hacked?

can I kill this process? if so how?

HenryTheEight · #3 14th June 2010, 05:06

hi,

I have used the 'service named stop' command, which resolves the upload BW problem.

I have also used 'chkconfig named off' command to prevent autostart of the service upon reboot.

May I ask what is the 'named' service for or does, is there any consequence to this action.

Anyone know why could the named service be taking BW, who would it check with on the internet. Is this a known bug? is there a workaround.

I don't want to unknowingly lose functionality due to my above actions which
solves one problem but may create another.

Advice anyone?

damir · #4 14th June 2010, 09:06

Named is BIND, DNS software.

If you start named and then start to monitor log files, it should show startup of named services. There you should see possibles errors that causes your server high load.