Server abused, hacked or something?
Hi guys... First of all, I must admit I don't know much about Linux. What I do is host just a handful of sites using the "user-friendly" interface of CPanel for everyday tasks, and let the datacenter guys deal with any serious issues; however, in this case they can't help... so I thought to ask for your advice and opinions...
The problem is (the classic) high server load. I have this weird feeling (call me paranoid LOL) that the server is abused, probably not by any customer, but maybe some script is installed in the box from an intruder, running hidden somewhere...
There ALWAYS is this weird behaviour, in case it rings some bells: Server goes high (reading 5+ in CPanel service status page), and if I RESTART apache it drops down to normal (0.50 - 0.80). It will stay down for a while (about 30 minutes to an hour) and then it will slowly start rising again. No matter what time of the day or night, same pattern: restarting Apache brings load back to normal, showing (IMHO) that this has nothing to do with cron jobs or internal server processes but with apache (or something that runs dependent on apache.. don't know...)
Instead of lots of words, here are a couple of screenshots showing a typical "good" server condition (taken 10 minutes after a restart):
h**p://alphagr.com/good.gif
and a couple of typical TOP screenshots during such an overload incident:
h**p://alphagr.com/bad1.gif
h**p://alphagr.com/bad2.gif
Clicking on ANY of those pids (to kill the process) gives me a message "this process no longer exists"
Question is, do those pictures seem "normal" to you?
I see running both [httpd] and http -DSSL. What is the difference between those 2?
What I see (repeating, I don't know Linux stuff) is lots of apache running with DSSL (ssl???), and I know for SURE none of the customers is using SSL (https / secure pages, whatever...)
I don't mind completely REMOVING the SSL option, as none of the customers needs it.
If I restart apache via CPanel, I get this:
h**p://alphagr.com/start.gif
Also normal to start in 2 different ways?
Some system info:
WHM 10.6.0 cPanel 10.8.0-R20
Trustix i686 - WHM X v3.1.0
Processor #1 Name: Intel(R) Celeron(R) CPU 2.00GHz
Memory: 482808k/491456k available (1498k kernel code, 8260k reserved, 525k data, 112k init, 0k highmem)
Filesystem Size Used Avail Use% Mounted on
/dev/hdb2 73G 7.5G 62G 11% /
/dev/hdb1 46M 5.9M 38M 14% /boot
/var/spool/sysklog.d/dev
73G 7.5G 62G 11% /var/lib/named/chroot/dev
/var/named 73G 7.5G 62G 11% /var/lib/named/chroot/var/named
Many thanks in advance!...