High Incoming Bandwidth Out of nowhere

Portal Home > Knowledgebase > Articles Database > High Incoming Bandwidth Out of nowhere

Posted by gokumax, 05-15-2015, 08:09 PM
Hi I have a dedicated server, 3 days ago the problem started the website starts 20-25 sec to open and random times I get an error. Still I'm trying to find solution with my webhost. Anyway I found right now that there is a lot of Incoming Bandwidth and I think that is the problem. Can you please help me to fix this issue? Check the attachment graph to see exactly the incoming and outgoing. Everything was normal before 13th May Thank you in advance Attached Thumbnails
Posted by Profuse-Will, 05-15-2015, 08:51 PM
Try doing a packet captuer via tcpdump or other tools that lets you see whats going on.
Posted by Chris-M, 05-15-2015, 09:00 PM
Your maximum incoming rate is 1558Kb/s - that's 195KB/s which is next to nothing. Have you checked your server loads and checked to see what is using your processor and memory etc? Please give us the output of the "uptime" command to check the load. You can also check the "top" command to see the current processes in real time. Also when you say the site occasionally doesn't load, what is the error that you get?
Posted by gone-afk, 05-15-2015, 09:07 PM
The in and out seems to line up except for maybe your normal traffic mixed in a bit. I would suspect a hacked site or ssh with a script being used as a proxy, or bot server of some sort. Do as Will suggests and take a dump to analyze.
Posted by gokumax, 05-16-2015, 05:29 AM
Every time blue spike (incoming) goes the problem starts. I have this legendary annoying error "Error establishing a database connection" WordPress. Here is atm stats: [root@srv547 ~]# uptime 11:28:46 up 1 day, 16:03, 1 user, load average: 0.10, 0.20, 1.77 [root@srv547 ~]# top top - 11:28:58 up 1 day, 16:03, 1 user, load average: 0.08, 0.19, 1.74 Tasks: 586 total, 2 running, 584 sleeping, 0 stopped, 0 zombie Cpu(s): 5.0%us, 0.3%sy, 0.0%ni, 94.6%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st Mem: 12289536k total, 10384356k used, 1905180k free, 298236k buffers Swap: 8385920k total, 0k used, 8385920k free, 926584k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 15876 apache 15 0 159m 32m 5904 S 21.5 0.3 2:59.46 httpd 15958 apache 15 0 155m 29m 5908 S 10.9 0.2 3:00.94 httpd 15974 admin 16 0 160m 33m 5984 R 7.9 0.3 3:01.09 httpd 4370 mysql 15 0 215m 25m 4148 S 1.3 0.2 0:13.02 mysqld 4981 root 15 0 13160 1504 836 R 0.7 0.0 0:00.08 top 1 root 15 0 10372 644 548 S 0.0 0.0 0:01.37 init 2 root RT -5 0 0 0 S 0.0 0.0 0:00.01 migration/0 3 root 34 19 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0 4 root RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/0 5 root RT -5 0 0 0 S 0.0 0.0 0:00.02 migration/1 6 root 34 19 0 0 0 S 0.0 0.0 0:00.01 ksoftirqd/1 7 root RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/1 8 root RT -5 0 0 0 S 0.0 0.0 0:00.00 migration/2 9 root 34 19 0 0 0 S 0.0 0.0 0:00.01 ksoftirqd/2 10 root RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/2 11 root RT -5 0 0 0 S 0.0 0.0 0:00.00 migration/3 12 root 34 19 0 0 0 S 0.0 0.0 0:00.01 ksoftirqd/3 Processor: 2x Xeon E5504 Memory: 6x 2GB PC3-10600R Harddisk(s): 2x 300GB SAS HP
Posted by net, 05-16-2015, 05:41 AM
Moved > Hosting Security and Technology.
Posted by HostColor, 05-16-2015, 05:46 AM
It does not look like a network issue to me. It looks like that you have an Apache load (see top - 11:28:58 up 1 day, 16:03, 1 user, load average: 0.08, 0.19, 1.74). Do you use any diagnostics tools which would allow you to review the server performance (including the bandwidth performance monitoring)? One more thing, pay attention to what @gordonrp suggested. Last edited by HostColor; 05-16-2015 at 05:49 AM.
Posted by Emma Zach, 05-16-2015, 05:46 AM
Could you please provide the output of pstree -apu
Posted by gokumax, 05-16-2015, 05:51 AM
No, don't use any tool
Posted by gokumax, 05-16-2015, 05:53 AM
root@srv547 ~]# pstree -apu init,1 ├─acpid,3480 ├─atd,3937 ├─auditd,3049 │ ├─audispd,3051 │ │ └─{audispd},3052 │ └─{auditd},3050 ├─automount,3611 --pid-file /var/run/autofs.pid │ ├─{automount},3612 │ ├─{automount},3613 │ ├─{automount},3616 │ └─{automount},3619 ├─avahi-daemon,3963,avahi │ └─avahi-daemon,3964 ├─crond,3891 ├─da-popb4smtp,3790 ├─dbus-daemon,3355,dbus --system ├─directadmin,3803,nobody d │ ├─directadmin,21791 d │ ├─directadmin,21792 d │ ├─directadmin,21797 d │ ├─directadmin,21798 d │ ├─directadmin,21799 d │ ├─directadmin,21800 d │ ├─directadmin,21801 d │ ├─directadmin,21810 d │ ├─directadmin,21988 d │ └─directadmin,21989 d ├─dovecot,3632 │ ├─anvil,3649,dovecot │ ├─auth,3684 │ ├─config,3682 │ ├─imap-login,3648,dovecot │ ├─imap-login,3662,dovecot │ ├─imap-login,3664,dovecot │ ├─imap-login,3665,dovecot │ ├─imap-login,3668,dovecot │ ├─imap-login,3669,dovecot │ ├─imap-login,3670,dovecot │ ├─imap-login,3677,dovecot │ ├─imap-login,3678,dovecot │ ├─imap-login,3679,dovecot │ ├─imap-login,3680,dovecot │ ├─imap-login,3681,dovecot │ ├─imap-login,31243,dovecot │ ├─imap-login,31351,dovecot │ ├─imap-login,31495,dovecot │ ├─imap-login,31497,dovecot │ ├─log,3650 │ ├─pop3-login,3652,dovecot │ ├─pop3-login,3657,dovecot │ ├─pop3-login,3658,dovecot │ ├─pop3-login,3660,dovecot │ ├─pop3-login,3661,dovecot │ ├─pop3-login,3673,dovecot │ ├─pop3-login,7632,dovecot │ ├─pop3-login,20489,dovecot │ ├─pop3-login,20490,dovecot │ ├─pop3-login,20496,dovecot │ ├─pop3-login,20497,dovecot │ ├─pop3-login,20498,dovecot │ ├─pop3-login,20502,dovecot │ ├─pop3-login,20516,dovecot │ ├─pop3-login,20521,dovecot │ └─pop3-login,20524,dovecot ├─(events/0,26) ├─(events/1,27) ├─(events/2,28) ├─(events/3,29) ├─(events/4,30) ├─(events/5,31) ├─(events/6,32) ├─(events/7,33) ├─exim,3826,mail -bd -q15m -oP /var/run/exim.pid ├─gam_server,4025 ├─gpm,3852 -m /dev/input/mice -t exps2 ├─hald,3493,haldaemon │ └─hald-runner,3494,root │ ├─hald-addon-acpi,3503,haldaemon │ ├─hald-addon-keyb,3508,haldaemon │ ├─hald-addon-keyb,7676,haldaemon │ └─hald-addon-keyb,7678,haldaemon ├─hcid,3368 ├─hidd,3544 --server ├─httpd,593,apache -k start -DSSL ├─httpd,977,apache -k start -DSSL ├─httpd,984,apache -k start -DSSL ├─httpd,1001,apache -k start -DSSL ├─httpd,1003,apache -k start -DSSL ├─httpd,1004,apache -k start -DSSL ├─httpd,1030,apache -k start -DSSL ├─httpd,1036,apache -k start -DSSL ├─httpd,1641,apache -k start -DSSL ├─httpd,1973,apache -k start -DSSL ├─httpd,2100,apache -k start -DSSL ├─httpd,2105,apache -k start -DSSL ├─httpd,2117,apache -k start -DSSL ├─httpd,2118,apache -k start -DSSL ├─httpd,2132,apache -k start -DSSL ├─httpd,2133,apache -k start -DSSL ├─httpd,2140,apache -k start -DSSL ├─httpd,3440,apache -k start -DSSL ├─httpd,3460,apache -k start -DSSL ├─httpd,3794,apache -k start -DSSL ├─httpd,3835,apache -k start -DSSL ├─httpd,3836,apache -k start -DSSL ├─httpd,3851,apache -k start -DSSL ├─httpd,3879,apache -k start -DSSL ├─httpd,3880,apache -k start -DSSL ├─httpd,3886,apache -k start -DSSL ├─httpd,3892,apache -k start -DSSL ├─httpd,3895,apache -k start -DSSL ├─httpd,5698,apache -k start -DSSL ├─httpd,5712,apache -k start -DSSL ├─httpd,5714,apache -k start -DSSL ├─httpd,5720,apache -k start -DSSL ├─httpd,6404,apache -k start -DSSL ├─httpd,6434,apache -k start -DSSL ├─httpd,6439,apache -k start -DSSL ├─httpd,6466,apache -k start -DSSL ├─httpd,6505,apache -k start -DSSL ├─httpd,6506,apache -k start -DSSL ├─httpd,6508,apache -k start -DSSL ├─httpd,6509,apache -k start -DSSL ├─httpd,6516,apache -k start -DSSL ├─httpd,7004,apache -k start -DSSL ├─httpd,7025,apache -k start -DSSL ├─httpd,7066,apache -k start -DSSL ├─httpd,7069,apache -k start -DSSL ├─httpd,7155,apache -k start -DSSL ├─httpd,8038,apache -k start -DSSL ├─httpd,8067,apache -k start -DSSL ├─httpd,8083,apache -k start -DSSL ├─httpd,8085,apache -k start -DSSL ├─httpd,8155,apache -k start -DSSL ├─httpd,8172,apache -k start -DSSL ├─httpd,8175,apache -k start -DSSL ├─httpd,8181,apache -k start -DSSL ├─httpd,8184,apache -k start -DSSL ├─httpd,8187,apache -k start -DSSL ├─httpd,8221,apache -k start -DSSL ├─httpd,8223,apache -k start -DSSL ├─httpd,8235,apache -k start -DSSL ├─httpd,8237,apache -k start -DSSL ├─httpd,8238,apache -k start -DSSL ├─httpd,8247,apache -k start -DSSL ├─httpd,8248,apache -k start -DSSL ├─httpd,8254,apache -k start -DSSL ├─httpd,8261,apache -k start -DSSL ├─httpd,8262,apache -k start -DSSL ├─httpd,9320,apache -k start -DSSL ├─httpd,9472,apache -k start -DSSL ├─httpd,9473,apache -k start -DSSL ├─httpd,9555,apache -k start -DSSL ├─httpd,10123,apache -k start -DSSL ├─httpd,10370,apache -k start -DSSL ├─httpd,10391,apache -k start -DSSL ├─httpd,10392,apache -k start -DSSL ├─httpd,10406,apache -k start -DSSL ├─httpd,10450,apache -k start -DSSL ├─httpd,10451,apache -k start -DSSL ├─httpd,10454,apache -k start -DSSL ├─httpd,10554,apache -k start -DSSL ├─httpd,10911,apache -k start -DSSL ├─httpd,11081,apache -k start -DSSL ├─httpd,11120,apache -k start -DSSL ├─httpd,11121,apache -k start -DSSL ├─httpd,12085,apache -k start -DSSL ├─httpd,12086,apache -k start -DSSL ├─httpd,12109,apache -k start -DSSL ├─httpd,12110,apache -k start -DSSL ├─httpd,12113,apache -k start -DSSL ├─httpd,12114,apache -k start -DSSL ├─httpd,12115,apache -k start -DSSL ├─httpd,12147,apache -k start -DSSL ├─httpd,12148,apache -k start -DSSL ├─httpd,12157,apache -k start -DSSL ├─httpd,12158,apache -k start -DSSL ├─httpd,12159,apache -k start -DSSL ├─httpd,12161,apache -k start -DSSL ├─httpd,12162,apache -k start -DSSL ├─httpd,12166,apache -k start -DSSL ├─httpd,12167,apache -k start -DSSL ├─httpd,12191,apache -k start -DSSL ├─httpd,12193,apache -k start -DSSL ├─httpd,12194,apache -k start -DSSL ├─httpd,12195,apache -k start -DSSL ├─httpd,12196,apache -k start -DSSL ├─httpd,12197,apache -k start -DSSL ├─httpd,12200,apache -k start -DSSL ├─httpd,12201,apache -k start -DSSL ├─httpd,12202,apache -k start -DSSL ├─httpd,12206,apache -k start -DSSL ├─httpd,12208,apache -k start -DSSL ├─httpd,12210,apache -k start -DSSL ├─httpd,12211,apache -k start -DSSL ├─httpd,12214,apache -k start -DSSL ├─httpd,12218,apache -k start -DSSL ├─httpd,12219,apache -k start -DSSL ├─httpd,13285,apache -k start -DSSL ├─httpd,13299,apache -k start -DSSL ├─httpd,13518,apache -k start -DSSL ├─httpd,13538,apache -k start -DSSL ├─httpd,13970,apache -k start -DSSL ├─httpd,13996,apache -k start -DSSL ├─httpd,13998,apache -k start -DSSL ├─httpd,14204,apache -k start -DSSL ├─httpd,14257,apache -k start -DSSL ├─httpd,14326,apache -k start -DSSL ├─httpd,14627,apache -k start -DSSL ├─httpd,14628,apache -k start -DSSL ├─httpd,14948,apache -k start -DSSL ├─httpd,14949,apache -k start -DSSL ├─httpd,14981,apache -k start -DSSL ├─httpd,14983,apache -k start -DSSL ├─httpd,14984,apache -k start -DSSL ├─httpd,15016,apache -k start -DSSL ├─httpd,15018,apache -k start -DSSL ├─httpd,15019,apache -k start -DSSL ├─httpd,15021,apache -k start -DSSL ├─httpd,15023,apache -k start -DSSL ├─httpd,15212,apache -k start -DSSL ├─httpd,15258,apache -k start -DSSL ├─httpd,15304,apache -k start -DSSL ├─httpd,15377,apache -k start -DSSL ├─httpd,15852,apache -k start -DSSL ├─httpd,15853,apache -k start -DSSL ├─httpd,15854,apache -k start -DSSL ├─httpd,15855,apache -k start -DSSL ├─httpd,15871,apache -k start -DSSL ├─httpd,15874,apache -k start -DSSL ├─httpd,15875,apache -k start -DSSL ├─httpd,15876,apache -k start -DSSL ├─httpd,15877,apache -k start -DSSL ├─httpd,15878,apache -k start -DSSL ├─httpd,15930,apache -k start -DSSL ├─httpd,15932,apache -k start -DSSL ├─httpd,15933,apache -k start -DSSL ├─httpd,15934,apache -k start -DSSL ├─httpd,15936,apache -k start -DSSL ├─httpd,15937,apache -k start -DSSL ├─httpd,15939,apache -k start -DSSL ├─httpd,15940,apache -k start -DSSL ├─httpd,15941,apache -k start -DSSL ├─httpd,15942,apache -k start -DSSL ├─httpd,15943,apache -k start -DSSL ├─httpd,15958,apache -k start -DSSL ├─httpd,15959,apache -k start -DSSL ├─httpd,15960,apache -k start -DSSL ├─httpd,15961,apache -k start -DSSL ├─httpd,15964,apache -k start -DSSL ├─httpd,15966,apache -k start -DSSL ├─httpd,15968,apache -k start -DSSL ├─httpd,15970,apache -k start -DSSL ├─httpd,15971,apache -k start -DSSL ├─httpd,15974,apache -k start -DSSL ├─httpd,15977,apache -k start -DSSL ├─httpd,15979,apache -k start -DSSL ├─httpd,15980,apache -k start -DSSL ├─httpd,15982,apache -k start -DSSL ├─httpd,15984,apache -k start -DSSL ├─httpd,15985,apache -k start -DSSL ├─httpd,15986,apache -k start -DSSL ├─httpd,15989,apache -k start -DSSL ├─httpd,16460,apache -k start -DSSL ├─httpd,16465,apache -k start -DSSL ├─httpd,16466,apache -k start -DSSL ├─httpd,16467,apache -k start -DSSL ├─httpd,16468,apache -k start -DSSL ├─httpd,17294,apache -k start -DSSL ├─httpd,17647,apache -k start -DSSL ├─httpd,17717,apache -k start -DSSL ├─httpd,18222,apache -k start -DSSL ├─httpd,18223,apache -k start -DSSL ├─httpd,18229,apache -k start -DSSL ├─httpd,18613,apache -k start -DSSL ├─httpd,18634,apache -k start -DSSL ├─httpd,18635,apache -k start -DSSL ├─httpd,18636,apache -k start -DSSL ├─httpd,18637,apache -k start -DSSL ├─httpd,18709,apache -k start -DSSL ├─httpd,19394,apache -k start -DSSL ├─httpd,19417,apache -k start -DSSL ├─httpd,19418,apache -k start -DSSL ├─httpd,19427,apache -k start -DSSL ├─httpd,19436,apache -k start -DSSL ├─httpd,19437,apache -k start -DSSL ├─httpd,19456,apache -k start -DSSL ├─httpd,19457,apache -k start -DSSL ├─httpd,19458,apache -k start -DSSL ├─httpd,19459,apache -k start -DSSL ├─httpd,19460,apache -k start -DSSL ├─httpd,19462,apache -k start -DSSL ├─httpd,19509,apache -k start -DSSL ├─httpd,19510,apache -k start -DSSL ├─httpd,19511,apache -k start -DSSL ├─httpd,19512,apache -k start -DSSL ├─httpd,19513,apache -k start -DSSL ├─httpd,19514,apache -k start -DSSL ├─httpd,19515,apache -k start -DSSL ├─httpd,19516,apache -k start -DSSL ├─httpd,19517,apache -k start -DSSL ├─httpd,19518,apache -k start -DSSL ├─httpd,19521,apache -k start -DSSL ├─httpd,19522,apache -k start -DSSL ├─httpd,19525,apache -k start -DSSL ├─httpd,19526,apache -k start -DSSL ├─httpd,19722,apache -k start -DSSL ├─httpd,20317,apache -k start -DSSL ├─httpd,20325,apache -k start -DSSL ├─httpd,20326,apache -k start -DSSL ├─httpd,20349,apache -k start -DSSL ├─httpd,20350,apache -k start -DSSL ├─httpd,20351,apache -k start -DSSL ├─httpd,20352,apache -k start -DSSL ├─httpd,20364,apache -k start -DSSL ├─httpd,20365,apache -k start -DSSL ├─httpd,20366,apache -k start -DSSL ├─httpd,20367,apache -k start -DSSL ├─httpd,20368,apache -k start -DSSL ├─httpd,20369,apache -k start -DSSL ├─httpd,20370,apache -k start -DSSL ├─httpd,20372,apache -k start -DSSL ├─httpd,20397,apache -k start -DSSL ├─httpd,20398,apache -k start -DSSL ├─httpd,20399,apache -k start -DSSL ├─httpd,20400,apache -k start -DSSL ├─httpd,20401,apache -k start -DSSL ├─httpd,20402,apache -k start -DSSL ├─httpd,20403,apache -k start -DSSL ├─httpd,20404,apache -k start -DSSL ├─httpd,20405,apache -k start -DSSL ├─httpd,20406,apache -k start -DSSL ├─httpd,20407,apache -k start -DSSL ├─httpd,20408,apache -k start -DSSL ├─httpd,20409,apache -k start -DSSL ├─httpd,20410,apache -k start -DSSL ├─httpd,20411,apache -k start -DSSL ├─httpd,20440,apache -k start -DSSL ├─httpd,20441,apache -k start -DSSL ├─httpd,20442,apache -k start -DSSL ├─httpd,20443,apache -k start -DSSL ├─httpd,20459,apache -k start -DSSL ├─httpd,20461,apache -k start -DSSL ├─httpd,20462,apache -k start -DSSL ├─httpd,20468,apache -k start -DSSL ├─httpd,20469,apache -k start -DSSL ├─httpd,20470,apache -k start -DSSL ├─httpd,20471,apache -k start -DSSL ├─httpd,20472,apache -k start -DSSL ├─httpd,20473,apache -k start -DSSL ├─httpd,20474,apache -k start -DSSL ├─httpd,20475,apache -k start -DSSL ├─httpd,20476,apache -k start -DSSL ├─httpd,20482,apache -k start -DSSL ├─httpd,20483,apache -k start -DSSL ├─httpd,20484,apache -k start -DSSL ├─httpd,20485,apache -k start -DSSL ├─httpd,20486,apache -k start -DSSL ├─httpd,20487,apache -k start -DSSL ├─httpd,20488,apache -k start -DSSL ├─httpd,20491,apache -k start -DSSL ├─httpd,20493,apache -k start -DSSL ├─httpd,20494,apache -k start -DSSL ├─httpd,20499,apache -k start -DSSL ├─httpd,20500,apache -k start -DSSL ├─httpd,20505,apache -k start -DSSL ├─httpd,20506,apache -k start -DSSL ├─httpd,20678,apache -k start -DSSL ├─httpd,21178,apache -k start -DSSL ├─httpd,21194,apache -k start -DSSL ├─httpd,21195,apache -k start -DSSL ├─httpd,21211,apache -k start -DSSL ├─httpd,21212,apache -k start -DSSL ├─httpd,21213,apache -k start -DSSL ├─httpd,21214,apache -k start -DSSL ├─httpd,21247,apache -k start -DSSL ├─httpd,21270,apache -k start -DSSL ├─httpd,25698,apache -k start -DSSL ├─httpd,25764,apache -k start -DSSL ├─httpd,25926,apache -k start -DSSL ├─httpd,25936,apache -k start -DSSL ├─httpd,25963,apache -k start -DSSL ├─httpd,25967,apache -k start -DSSL ├─httpd,26008,apache -k start -DSSL ├─httpd,26025,apache -k start -DSSL ├─httpd,26060,apache -k start -DSSL ├─httpd,26083,apache -k start -DSSL ├─httpd,26162,apache -k start -DSSL ├─httpd,26229,apache -k start -DSSL ├─httpd,26239,apache -k start -DSSL ├─httpd,26336,apache -k start -DSSL ├─httpd,26344,apache -k start -DSSL ├─httpd,26351,apache -k start -DSSL ├─httpd,26867,apache -k start -DSSL ├─httpd,26868,apache -k start -DSSL ├─httpd,26905,apache -k start -DSSL ├─httpd,26944,apache -k start -DSSL ├─httpd,26958,apache -k start -DSSL ├─httpd,27012,apache -k start -DSSL ├─httpd,27024,apache -k start -DSSL ├─httpd,27031,apache -k start -DSSL ├─httpd,27128,apache -k start -DSSL ├─httpd,27138,apache -k start -DSSL ├─httpd,27199,apache -k start -DSSL ├─httpd,27232,apache -k start -DSSL ├─httpd,27251,apache -k start -DSSL ├─httpd,27259,apache -k start -DSSL ├─httpd,27272,apache -k start -DSSL ├─httpd,27273,apache -k start -DSSL ├─httpd,27274,apache -k start -DSSL ├─httpd,27276,apache -k start -DSSL ├─httpd,27363,apache -k start -DSSL ├─httpd,28485,apache -k start -DSSL ├─httpd,28541,apache -k start -DSSL ├─httpd,28543,apache -k start -DSSL ├─httpd,28544,apache -k start -DSSL ├─httpd,29182,apache -k start -DSSL ├─httpd,29236,apache -k start -DSSL ├─httpd,29241,apache -k start -DSSL ├─httpd,30887,apache -k start -DSSL ├─httpd,30888,apache -k start -DSSL ├─httpd,31648,apache -k start -DSSL ├─httpd,31759,apache -k start -DSSL ├─httpd,31894,apache -k start -DSSL ├─httpd,31920,apache -k start -DSSL ├─httpd,31924,apache -k start -DSSL ├─httpd,31933,apache -k start -DSSL ├─httpd,31940,apache -k start -DSSL ├─httpd,31941,apache -k start -DSSL ├─httpd,32000,apache -k start -DSSL ├─httpd,32018,apache -k start -DSSL ├─irqbalance,3197 ├─iscsid,2590 ├─iscsid,2591 ├─iscsiuio,2583 │ ├─{iscsiuio},2584 │ └─{iscsiuio},2595 ├─(khelper,34) ├─klogd,3084 -x ├─(krfcommd,3421) ├─(ksoftirqd/0,3) ├─(ksoftirqd/1,6) ├─(ksoftirqd/2,9) ├─(ksoftirqd/3,12) ├─(ksoftirqd/4,15) ├─(ksoftirqd/5,18) ├─(ksoftirqd/6,21) ├─(ksoftirqd/7,24) ├─(kthread,139) │ ├─(aio/0,457) │ ├─(aio/1,458) │ ├─(aio/2,459) │ ├─(aio/3,460) │ ├─(aio/4,461) │ ├─(aio/5,462) │ ├─(aio/6,463) │ ├─(aio/7,464) │ ├─(ata/0,719) │ ├─(ata/1,720) │ ├─(ata/2,721) │ ├─(ata/3,722) │ ├─(ata/4,723) │ ├─(ata/5,724) │ ├─(ata/6,725) │ ├─(ata/7,726) │ ├─(ata_aux,727) │ ├─(bnx2i_thread/0,2454) │ ├─(bnx2i_thread/1,2455) │ ├─(bnx2i_thread/2,2456) │ ├─(bnx2i_thread/3,2457) │ ├─(bnx2i_thread/4,2458) │ ├─(bnx2i_thread/5,2459) │ ├─(bnx2i_thread/6,2460) │ ├─(bnx2i_thread/7,2461) │ ├─(cnic_wq,2443) │ ├─(cqueue/0,313) │ ├─(cqueue/1,314) │ ├─(cqueue/2,315) │ ├─(cqueue/3,316) │ ├─(cqueue/4,317) │ ├─(cqueue/5,318) │ ├─(cqueue/6,319) │ ├─(cqueue/7,320) │ ├─(ib_addr,2486) │ ├─(ib_cm/0,2536) │ ├─(ib_cm/1,2537) │ ├─(ib_cm/2,2538) │ ├─(ib_cm/3,2539) │ ├─(ib_cm/4,2540) │ ├─(ib_cm/5,2541) │ ├─(ib_cm/6,2542) │ ├─(ib_cm/7,2543) │ ├─(ib_inform,2515) │ ├─(ib_mcast,2514) │ ├─(iscsi_eh,2345) │ ├─(iw_cm_wq,2526) │ ├─(kacpid,159) │ ├─(kauditd,823) │ ├─(kblockd/0,151) │ ├─(kblockd/1,152) │ ├─(kblockd/2,153) │ ├─(kblockd/3,154) │ ├─(kblockd/4,155) │ ├─(kblockd/5,156) │ ├─(kblockd/6,157) │ ├─(kblockd/7,158) │ ├─(kedac,1484) │ ├─(khubd,323) │ ├─(khungtaskd,452) │ ├─(kjournald,798) │ ├─(kjournald,2159) │ ├─(kmpath_handlerd,2129) │ ├─(kmpathd/0,2121) │ ├─(kmpathd/1,2122) │ ├─(kmpathd/2,2123) │ ├─(kmpathd/3,2124) │ ├─(kmpathd/4,2125) │ ├─(kmpathd/5,2126) │ ├─(kmpathd/6,2127) │ ├─(kmpathd/7,2128) │ ├─(kondemand/0,3164) │ ├─(kondemand/1,3166) │ ├─(kondemand/2,3167) │ ├─(kondemand/3,3168) │ ├─(kondemand/4,3169) │ ├─(kondemand/5,3170) │ ├─(kondemand/6,3171) │ ├─(kondemand/7,3172) │ ├─(kpsmoused,621) │ ├─(kseriod,325) │ ├─(kstriped,761) │ ├─(kswapd0,455) │ ├─(kswapd1,456) │ ├─(local_sa,2516) │ ├─(pdflush,453) │ ├─(pdflush,454) │ ├─(rdma_cm,2554) │ ├─(rpciod/0,3269) │ ├─(rpciod/1,3270) │ ├─(rpciod/2,3271) │ ├─(rpciod/3,3272) │ ├─(rpciod/4,3273) │ ├─(rpciod/5,3274) │ ├─(rpciod/6,3275) │ ├─(rpciod/7,3276) │ ├─(scsi_eh_0,700) │ ├─(scsi_eh_1,737) │ ├─(scsi_eh_2,738) │ ├─(scsi_eh_3,739) │ ├─(scsi_eh_4,740) │ ├─(scsi_eh_5,741) │ └─(scsi_eh_6,742) ├─(migration/0,2) ├─(migration/1,5) ├─(migration/2,8) ├─(migration/3,11) ├─(migration/4,14) ├─(migration/5,17) ├─(migration/6,20) ├─(migration/7,23) ├─mingetty,3996 tty1 ├─mingetty,3997 tty2 ├─mingetty,3998 tty3 ├─mingetty,3999 tty4 ├─mingetty,4000 tty5 ├─mingetty,4001 tty6 ├─mysqld_safe,4303 /usr/bin/mysqld_safe --datadir=/var/lib/mysql... │ └─mysqld,4370,mysql --basedir=/ --datadir=/var/lib/mysql --user=mysql... │ ├─{mysqld},4372 │ ├─{mysqld},4373 │ ├─{mysqld},4374 │ ├─{mysqld},4375 │ ├─{mysqld},4377 │ ├─{mysqld},4378 │ ├─{mysqld},4379 │ ├─{mysqld},4380 │ └─{mysqld},4381 ├─named,4817,named -u named │ ├─{named},4818 │ ├─{named},4819 │ ├─{named},4820 │ ├─{named},4821 │ ├─{named},4822 │ ├─{named},4823 │ ├─{named},4824 │ ├─{named},4825 │ ├─{named},4826 │ └─{named},4827 ├─pcscd,3466 │ └─{pcscd},3497 ├─portmap,3228,rpc ├─pure-ftpd,3878 ... ├─rpc.idmapd,3325 ├─rpc.statd,3289,rpcuser ├─sdpd,3375 ├─smartd,3993 -q never ├─sshd,3685 │ └─sshd,4607 │ └─bash,4616 │ └─pstree,5673 -apu ├─syslogd,3081 -m 0 ├─udevd,856 -d ├─(watchdog/0,4) ├─(watchdog/1,7) ├─(watchdog/2,10) ├─(watchdog/3,13) ├─(watchdog/4,16) ├─(watchdog/5,19) ├─(watchdog/6,22) ├─(watchdog/7,25) ├─xfs,3912,xfs -droppriv -daemon ├─xinetd,3701 -stayalive -pidfile /var/run/xinetd.pid └─yum-updatesd,4023 -tt /usr/sbin/yum-updatesd
Posted by gokumax, 05-16-2015, 06:02 AM
Can you please help which diagnostic tool to use? Thanks
Posted by HostColor, 05-16-2015, 06:10 AM
I can do that. PM me, if you need help.
Posted by Emma Zach, 05-16-2015, 06:12 AM
Actually I am happy to help you in this. Please consider to check the access logs of the domain and check whether any continuos hit from a certain IP. Because you are having large number of httpd access. Checking for any DDOS attack. netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
Posted by Phretor, 05-17-2015, 10:20 AM
you will need to tcpdump this traffic first, that it arrives on your uplink doesnt mean its meant for you (e.g. spoofing, broadcast from others, etc) if its a webserver, try looking for outbound (not inbound) ports 80, 22 and 6667 which are useal indicators of bad stuff going on.