Server stops responding
Siggy Brentrup
ubuntu at psycho.i21k.de
Wed Jul 29 16:10:38 UTC 2009
On Wed, Jul 29, 2009 at 09:54 -0400, Hal Burgiss wrote:
> On Sun, Jul 26, 2009 at 2:23 PM, CLIFFORD ILKAY <clifford_ilkay at dinamis.com> wrote:
> > Looking at your URLs, I'm guessing you're probably running some sort of
> > a database-backed CMS. If that is the case, I've seen similar problems
> > many times, particularly when the database in question is MySQL.
> The database server is on a separate physical machine, with a number
> of other sites connected, and no other problems.
> > When troubleshooting such problems, it helps to have a root shell open
> > to the remote machine. That way, you may be able to run "top" or "htop"
> > just as things start to go awry. At the very least, you could initiate a
> > restart from that shell so that you wouldn't have to power cycle the
> > machine.
> In theory this is good, but the quality of the connection from home
> causes the connection to be reset periodically. The problem tends to
> not happen during business hours.
Murphy's law or one of its corollaries :)
Depending on how important 24/7 is for your site, you may add a modem
or ISDN dialin with callback as a fallback for connecting to a mgetty,
bypassing TCP/IP problems.
> > It would also make your life easier ...
> Yea.
> After more closely examining the logs, another curiosity stands out.
> On the last 2 occasions, an ip address from Zhengzhou China connected.
> And within 2 minutes, in the crapper. During the time the machine was
> unresponsive and no one else can connect, there is much error.log
> activity from the Chinese addresses (different ip each time, but both
> from Zhengzhou). Weird co-incidence. Very weird.
You say so, maybe you are subject to a DoS attack? Is your content by
any means related to China?
- If these weird entries always come from one netblock, craft some
iptables rules to forward connections from there to a honeypot.
- Do you run rkhunter? If not, it's too late to install it now.
- Weird log entries may also be forged.
- more speculations ...
First contact the sysadmin of the datacenter if other machines
are also affected.
A dialin seems to be the way to go, you must find a way to inspect
that system while things happen.
Siggy
--
Please don't Cc: me when replying, I might not see either copy.
bsb-at-psycho-dot-informationsanarchistik-dot-de
or: bsb-at-psycho-dot-i21k-dot-de
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
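
One way to check whether the error-log entries seen during an outage "always come from one netblock", as an added example that is not part of the original message. It assumes Apache 2.2-style error log lines; the function name `netblock_summary`, the sample lines and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed format: [Wed Jul 29 03:12:41 2009] [error] [client ADDR] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<ip>[0-9.]+)\]")

# Constructed sample lines; addresses are RFC 5737 documentation ranges.
SAMPLE = [
    "[Wed Jul 29 03:10:02 2009] [error] [client 192.0.2.15] File does not exist: /var/www/favicon.ico",
    "[Wed Jul 29 03:12:41 2009] [error] [client 203.0.113.7] File does not exist: /var/www/a",
    "[Wed Jul 29 03:12:44 2009] [error] [client 203.0.113.7] File does not exist: /var/www/b",
    "[Wed Jul 29 03:13:05 2009] [error] [client 203.0.113.91] File does not exist: /var/www/c",
    "[Wed Jul 29 03:13:09 2009] [notice] caught SIGTERM, shutting down",
    "[Wed Jul 29 03:14:30 2009] [error] [client 198.51.100.4] File does not exist: /var/www/d",
    "[Wed Jul 29 09:00:00 2009] [error] [client 203.0.113.7] File does not exist: /var/www/e",
]

def netblock_summary(lines, start, end, prefix=24):
    """Return (netblock, entries, distinct_addresses) for client entries
    logged between start and end (inclusive), busiest netblock first."""
    hits = defaultdict(lambda: {"entries": 0, "addresses": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a [client ...] field, e.g. server notices
        try:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed timestamp or address
        if not (start <= ts <= end):
            continue
        # strict=False masks off the host bits to get the containing block
        block = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        hits[block]["entries"] += 1
        hits[block]["addresses"].add(str(ip))
    rows = [(b, h["entries"], len(h["addresses"])) for b, h in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    # Window covering the (constructed) period when the server was unresponsive
    window = (datetime(2009, 7, 29, 3, 12), datetime(2009, 7, 29, 3, 20))
    for block, entries, addrs in netblock_summary(SAMPLE, *window):
        print(f"{block:20} entries={entries} distinct_addresses={addrs}")
```

Running it over the window of each outage and comparing the top netblock shows whether the "different ip each time" addresses share a block that a single iptables rule could match.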