How to recognize an attack?
During the last 3 days I have had a very big server load, about 50-60 all the time. But the top command does not show processes with such a big load. I can't imagine what it could be. The server is very, very slow...
Is there any way to know whether it is an attack or just an internal server problem?
The last rootkit and rkhunter check showed no errors.
Please advise, guys.
Thank you!
Here is top -c output:
Code:
09:11:48 up 2:30, 1 user, load average: 98.50, 116.23, 91.73
453 processes: 449 sleeping, 1 running, 3 zombie, 0 stopped
CPU states: 7.1% user 7.4% system 0.0% nice 0.0% iowait 85.3% idle
Mem: 514196k av, 509776k used, 4420k free, 0k shrd, 4700k buff
     251792k active, 207424k inactive
Swap: 2104504k av, 865584k used, 1238920k free 27368k cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
14016 root       9   0  4956 3528  3480 S     5.9  0.6   5:29   0 /usr/local/apache/bin/httpd -DSSL
18263 root      14   0  1528 1528   868 R     4.9  0.2   0:01   0 top -c
 4653 root      16   0  4076 2208  1312 S     1.3  0.4   0:45   0 perl ./read-data.pl start system
    5 root      11   0     0    0     0 SW    0.8  0.0   0:40   0 kswapd
 4102 mysql     10   0 63324  26M 18168 D     0.5  5.2   1:16   0 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/
18196 ofp        9   0  3136 3136  1304 D     0.3  0.6   0:00   0 /usr/bin/perl coranto.cgi
    1 root       8   0   472  444   424 S     0.0  0.0   0:05   0 init [3]
    2 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 keventd
    3 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 kapmd
    4 root      18  19     0    0     0 SWN   0.0  0.0   0:00   0 ksoftirqd_CPU0
    6 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 bdflush
    7 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 kupdated
    8 root 18446744073709551615 -20 0 0   0 SW<   0.0  0.0   0:00   0 mdrecoveryd
   61 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 khubd
  275 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 kjournald
  276 root       9   0     0    0     0 DW    0.0  0.0   0:00   0 kjournald
  277 root       9   0     0    0     0 DW    0.0  0.0   0:00   0 kjournald
  278 root       9   0     0    0     0 DW    0.0  0.0   0:01   0 kjournald
  279 root       9   0     0    0     0 DW    0.0  0.0   0:00   0 kjournald
  280 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 kjournald
  761 root       9   0   556  520   484 D     0.0  0.1   0:00   0 syslogd -m 0
  765 root       9   0   420  368   368 S     0.0  0.0   0:00   0 klogd -x
 3618 root       9   0  1116  900   900 S     0.0  0.1   0:00   0 /bin/bash
 3621 root       9   0  1116  896   896 S     0.0  0.1   0:00   0 /usr/sbin/sshd
 3635 root       8   0   680  536   536 S     0.0  0.1   0:00   0 xinetd -stayalive -pidfile /var/run/xinetd.pid
 3653 root       9   0  2400 1112  1112 S     0.0  0.2   0:00   0 chkservd
 3748 root       8   0   576  552   508 S     0.0  0.1   0:00   0 crond
 3842 named      9   0  1932 1172  1076 S     0.0  0.2   0:00   0 /usr/sbin/named -u named
 3961 root       9   0  1544 1148  1120 S     0.0  0.2   0:00   0 cupsd
 3964 root       9   0  3444 1228  1080 S     0.0  0.2   0:00   0 cppop - accepting on port 110
 4047 root       9   0  1124  964   964 S     0.0  0.1   0:00   0 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/server1.flash
 4320 root       9   0  3824 1844  1728 S     0.0  0.3   0:00   0 /usr/bin/perl /usr/local/cpanel/bin/eximstats
 4327 root      18  19 12508 3764  3752 D N   0.0  0.7   0:05   0 cpanellogd - scanning logs
 4336 root       9   0  3540 1176   992 S     0.0  0.2   0:00   0 cppop - accepting on port 110
 4379 root       8   0  1152  940   940 S     0.0  0.1   0:00   0 pure-ftpd (SERVER)
 4382 root       8   0   944  776   776 S     0.0  0.1   0:00   0 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth
 4386 cpanel     9   0  1200  940   940 S     0.0  0.1   0:00   0 /usr/bin/stunnel-4.04local /usr/local/cpanel/etc/stunnel/default/stunnel.conf
 4403 mailman    9   0  3996 1248  1248 S     0.0  0.2   0:00   0 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start
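The header in the post shows the pattern worth checking first before assuming an attack: a load average near 100 while the CPU is 85% idle. On Linux the load average counts processes that are runnable plus processes in uninterruptible sleep (STAT "D"), so load can be high with no process consuming CPU when many of them are blocked on disk, swap or a network filesystem; the post also shows more swap in use (865584k) than physical RAM (514196k) and mysqld, syslogd and cpanellogd sitting in D state. The script below is an added diagnostic helper, not part of the post: it counts and lists D-state processes from a `ps` listing, classifies a load average against CPU idle, and flags heavy swapping. The sample listing is constructed for the example from the processes in the post, and the thresholds (load above 4, idle above 50%, swap above half of RAM) are assumptions for a single-CPU box; a CPU-bound verdict pointing at httpd would be the point to look at connection counts, while an I/O-bound verdict points at disk, swap and the processes named in the D-state list.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Separates "the CPU is
# busy" from "load is high but the CPU is idle", and names the processes that
# are stuck in uninterruptible (D) state, which is what inflates load average
# without consuming CPU. Thresholds below are assumptions for a one-CPU server.

# Constructed sample in `ps -eo pid,stat,pcpu,args` layout, built from the
# processes visible in the post. Not the poster's real output.
SAMPLE_PS='  PID STAT %CPU COMMAND
14016 S     5.9 /usr/local/apache/bin/httpd -DSSL
 4653 S     1.3 perl ./read-data.pl start system
 4102 D     0.5 /usr/sbin/mysqld --datadir=/var/lib/mysql
18196 D     0.3 /usr/bin/perl coranto.cgi
  761 D     0.0 syslogd -m 0
 4327 DN    0.0 cpanellogd - scanning logs
  276 DW    0.0 kjournald
 3653 S     0.0 chkservd'

# Count processes whose STAT column begins with D. Reads a ps listing on stdin.
# Live use:  ps -eo pid,stat,pcpu,args | d_state_count
d_state_count() {
    awk 'NR > 1 && $2 ~ /^D/ { n++ } END { print n + 0 }'
}

# Print the D-state processes themselves. Live use with the wait channel column,
# which names the kernel function each one is blocked in:
#   ps -eo pid,stat,wchan:24,args | d_state_list
d_state_list() {
    awk 'NR > 1 && $2 ~ /^D/'
}

# Classify a 1-minute load average against the CPU idle percentage.
#   load high, idle high -> processes blocked on disk/swap/NFS (I/O bound)
#   load high, idle low  -> genuine CPU consumption (runaway script, request flood)
load_verdict() {
    awk -v load="$1" -v idle="$2" 'BEGIN {
        if (load + 0 > 4 && idle + 0 > 50) print "io-or-swap-bound";
        else if (load + 0 > 4) print "cpu-bound";
        else print "normal";
    }'
}

# Flag heavy swapping: swap in use compared with physical RAM, both in kB.
swap_verdict() {
    awk -v used="$1" -v ram="$2" 'BEGIN {
        if (used / ram > 0.5) print "heavy-swapping"; else print "ok";
    }'
}

# Demo with the figures from the post's top header and the constructed listing.
printf 'D-state processes: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | d_state_count)"
printf '%s\n' "$SAMPLE_PS" | d_state_list
printf 'load 98.50 / idle 85.3%%: %s\n' "$(load_verdict 98.50 85.3)"
printf 'swap 865584k of 514196k RAM: %s\n' "$(swap_verdict 865584 514196)"
```

On a live system, replace the constructed listing with the real `ps -eo pid,stat,pcpu,args` output on stdin and take the load and idle numbers from `uptime` and the CPU line of `top`; running `d_state_list` a few times a minute apart shows whether the same processes stay blocked, which is the usual sign of a saturated disk or an exhausted swap rather than CPU exhaustion.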