vale&rug

Server memory and rootkit alert

Hi guys,

I have a client who bought a cloud server; I set up his machine with CentOS 64-bit, 2 CPUs, 4 GB of RAM, a 100 GB disk and the Plesk panel.

At the moment the server only has Magento 1.9.0.0 installed and it is empty: no products, no visits, no transactions... just a bare post-installation state.

I receive at least 10 emails a day like these:

The server status parameter "Services > Apache memory usage" changed its state from "green" to "yellow".

top - 10:14:40 up 1 day, 8:40, 0 users, load average: 0.03, 0.03, 0.00
Tasks: 125 total, 1 running, 124 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.4%us, 0.2%sy, 0.0%ni, 99.1%id, 0.2%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2956664k total, 1912048k used, 1044616k free, 200872k buffers
Swap: 2064376k total, 0k used, 2064376k free, 672920k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 19232 1564 1264 S 0.0 0.1 0:02.25 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
4 root 20 0 0 0 0 S 0.0 0.0 0:00.26 ksoftirqd/0
5 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
6 root RT 0 0 0 0 S 0.0 0.0 0:00.30 watchdog/0
7 root 20 0 0 0 0 S 0.0 0.0 1:19.24 events/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cgroup
9 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khelper
10 root 20 0 0 0 0 S 0.0 0.0 0:00.00 netns
11 root 20 0 0 0 0 S 0.0 0.0 0:00.00 async/mgr
12 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pm
13 root 20 0 0 0 0 S 0.0 0.0 0:00.66 sync_supers
14 root 20 0 0 0 0 S 0.0 0.0 0:00.76 bdi-default
15 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kintegrityd/0
16 root 20 0 0 0 0 S 0.0 0.0 0:02.61 kblockd/0
17 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpid
18 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpi_notify
19 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpi_hotplug
20 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ata_aux
21 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ata_sff/0
22 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ksuspend_usbd
23 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd
24 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kseriod
25 root 20 0 0 0 0 S 0.0 0.0 0:00.00 md/0
26 root 20 0 0 0 0 S 0.0 0.0 0:00.00 md_misc/0
27 root 20 0 0 0 0 S 0.0 0.0 0:00.00 linkwatch
28 root 20 0 0 0 0 S 0.0 0.0 0:00.05 khungtaskd
29 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
30 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
31 root 39 19 0 0 0 S 0.0 0.0 0:03.39 khugepaged
32 root 20 0 0 0 0 S 0.0 0.0 0:00.00 aio/0
33 root 20 0 0 0 0 S 0.0 0.0 0:00.00 crypto/0
38 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthrotld/0
39 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pciehpd
41 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kpsmoused
42 root 20 0 0 0 0 S 0.0 0.0 0:00.00 usbhid_resumer
73 root 20 0 0 0 0 S 0.0 0.0 0:00.00 iscsi_eh
76 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cxgb4
78 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cnic_wq
79 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 bnx2i_thread/0
92 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kstriped
149 root 20 0 0 0 0 S 0.0 0.0 0:00.01 scsi_eh_0
150 root 20 0 0 0 0 S 0.0 0.0 0:00.02 scsi_eh_1
157 root 20 0 0 0 0 S 0.0 0.0 0:03.69 mpt_poll_0
158 root 20 0 0 0 0 S 0.0 0.0 0:00.00 mpt/0
159 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_2
295 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdmflush
297 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdmflush
314 root 20 0 0 0 0 S 0.0 0.0 0:06.32 jbd2/dm-0-8
315 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ext4-dio-unwrit
337 root 20 0 0 0 0 S 0.0 0.0 0:09.34 flush-253:0
395 root 16 -4 11044 1072 320 S 0.0 0.0 0:00.67 udevd
612 root 20 0 0 0 0 S 0.0 0.0 0:03.74 vmmemctl
691 root 18 -2 10652 780 344 S 0.0 0.0 0:00.00 udevd
720 root 20 0 0 0 0 S 0.0 0.0 0:00.00 jbd2/sda1-8
721 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ext4-dio-unwrit
772 root 20 0 0 0 0 S 0.0 0.0 0:00.22 kauditd
775 root 20 0 328m 24m 17m S 0.0 0.9 0:03.28 sw-engine
776 root 20 0 117m 2632 1932 S 0.0 0.1 0:06.39 monit
1286 root 16 -4 27640 824 564 S 0.0 0.0 0:01.66 auditd
1313 root 20 0 243m 2200 1012 S 0.0 0.1 0:01.45 rsyslogd
1340 rpc 20 0 18976 892 640 S 0.0 0.0 0:00.25 rpcbind
1358 rpcuser 20 0 23348 1344 896 S 0.0 0.0 0:00.03 rpc.statd
1380 root 20 0 13580 948 768 S 0.0 0.0 0:08.16 lldpad
1415 root 20 0 45368 1472 296 S 0.0 0.0 0:00.00 sw-cp-serverd
1417 sw-cp-se 20 0 46520 4080 1700 S 0.0 0.1 0:03.07 sw-cp-serverd
1428 root 20 0 66608 1232 516 S 0.0 0.0 0:01.18 sshd
1437 root 20 0 22180 992 752 S 0.0 0.0 0:00.01 xinetd
1450 root 20 0 4068 496 400 S 0.0 0.0 0:00.00 courierlogger
1451 root 20 0 30296 1416 1044 S 0.0 0.0 0:00.02 authdaemond
1456 root 20 0 30296 480 108 S 0.0 0.0 0:00.00 authdaemond
1457 root 20 0 30296 480 108 S 0.0 0.0 0:00.00 authdaemond
1458 root 20 0 30296 480 108 S 0.0 0.0 0:00.00 authdaemond
1459 root 20 0 30296 480 108 S 0.0 0.0 0:00.00 authdaemond
1460 root 20 0 30296 480 108 S 0.0 0.0 0:00.00 authdaemond
1464 root 20 0 4068 380 300 S 0.0 0.0 0:00.00 courierlogger
1465 root 20 0 11904 888 752 S 0.0 0.0 0:00.01 couriertcpd
1473 root 20 0 4068 384 300 S 0.0 0.0 0:00.00 courierlogger
1474 root 20 0 11904 892 752 S 0.0 0.0 0:00.01 couriertcpd
1481 root 20 0 4068 384 300 S 0.0 0.0 0:00.00 courierlogger
1482 root 20 0 11904 884 752 S 0.0 0.0 0:00.01 couriertcpd
1490 root 20 0 4068 380 300 S 0.0 0.0 0:00.00 courierlogger
1491 root 20 0 11904 884 752 S 0.0 0.0 0:00.01 couriertcpd
1502 postfix 20 0 392m 1620 1084 S 0.0 0.1 0:03.37 psa-pc-remote
1529 root 20 0 333m 7820 936 S 0.0 0.3 0:00.25 sw-engine-fpm
1565 root 20 0 11304 1472 1220 S 0.0 0.0 0:00.01 mysqld_safe
1670 mysql 20 0 693m 46m 7272 S 0.0 1.6 1:08.61 mysqld
1743 named 20 0 230m 19m 2552 S 0.0 0.7 0:00.17 named
1986 root 20 0 341m 26m 5252 S 0.0 0.9 0:07.96 sw-engine
1995 root 20 0 528m 2892 968 S 0.0 0.1 0:50.02 sw-collectd
2009 root 20 0 114m 1288 644 S 0.0 0.0 0:00.60 crond
2034 root 20 0 4064 576 496 S 0.0 0.0 0:00.00 mingetty
2036 root 20 0 4064 572 496 S 0.0 0.0 0:00.00 mingetty
2038 root 20 0 4064 580 496 S 0.0 0.0 0:00.00 mingetty
2040 root 20 0 4064 576 496 S 0.0 0.0 0:00.00 mingetty
2042 root 20 0 4064 576 496 S 0.0 0.0 0:00.00 mingetty
2044 root 20 0 4064 572 496 S 0.0 0.0 0:00.00 mingetty
17396 root 20 0 58260 2800 2052 S 0.0 0.1 0:08.26 master
17399 postfix 20 0 58504 2912 2160 S 0.0 0.1 0:04.34 qmgr
17402 postfix 20 0 58340 2816 2096 S 0.0 0.1 0:00.01 tlsmgr
17763 root 20 0 329m 20m 9m S 0.0 0.7 0:02.00 httpd
17765 apache 20 0 229m 6280 476 S 0.0 0.2 0:00.84 httpd
17766 apache 20 0 335m 21m 4960 S 0.0 0.8 0:00.34 httpd
17767 apache 20 0 377m 62m 6064 S 0.0 2.2 0:01.02 httpd
17768 apache 20 0 377m 63m 4676 S 0.0 2.2 0:01.61 httpd
17769 apache 20 0 377m 63m 5936 S 0.0 2.2 0:02.29 httpd
17770 apache 20 0 368m 54m 5928 S 0.0 1.9 0:02.71 httpd
17771 apache 20 0 373m 59m 4484 S 0.0 2.1 0:03.94 httpd
17772 apache 20 0 360m 46m 4888 S 0.0 1.6 0:01.34 httpd
17773 apache 20 0 377m 64m 4892 S 0.0 2.2 0:03.70 httpd
17895 apache 20 0 373m 59m 4676 S 0.0 2.1 0:01.91 httpd
17896 apache 20 0 340m 25m 4316 S 0.0 0.9 0:01.10 httpd
17897 apache 20 0 338m 23m 4408 S 0.0 0.8 0:00.33 httpd
17898 apache 20 0 379m 64m 5844 S 0.0 2.2 0:02.13 httpd
17899 apache 20 0 368m 54m 6028 S 0.0 1.9 0:03.05 httpd
17900 apache 20 0 377m 63m 5160 S 0.0 2.2 0:02.67 httpd
17901 apache 20 0 377m 62m 5908 S 0.0 2.2 0:02.38 httpd
17902 apache 20 0 379m 64m 5680 S 0.0 2.2 0:02.61 httpd
24725 apache 20 0 371m 56m 4360 S 0.0 2.0 0:00.76 httpd
24726 apache 20 0 381m 67m 4612 S 0.0 2.3 0:01.17 httpd
24727 apache 20 0 329m 12m 2160 S 0.0 0.4 0:00.00 httpd
25179 postfix 20 0 58340 2708 1996 S 0.0 0.1 0:00.00 pickup
25197 ftpmsiit 20 0 152m 5632 3180 S 0.0 0.2 0:00.10 in.proftpd
25203 root 20 0 15024 1180 880 R 0.0 0.0 0:00.00 top

and also emails like these:

Please inspect this machine, because it may be infected. Scan log:
[01:00:08] Running Rootkit Hunter version 1.3.4 on ruggero
[01:00:08]
[01:00:08] Info: Start date is lun 23 giu 2014, 01.00.08, CEST
[01:00:08]
[01:00:08] Checking configuration file and command-line options...
[01:00:08] Info: Detected operating system is 'Linux'
[01:00:08] Info: Uname output is 'Linux ruggero.local 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux'
........................................................
.......................................................

[01:03:19] System checks summary
[01:03:20] =====================
[01:03:20]
[01:03:20] File properties checks...
[01:03:20] Required commands check failed
[01:03:20] Files checked: 122
[01:03:20] Suspect files: 3
[01:03:20]
[01:03:20] Rootkit checks...
[01:03:20] Rootkits checked : 114
[01:03:20] Possible rootkits: 0
[01:03:20]
[01:03:20] Applications checks...
[01:03:20] Applications checked: 7
[01:03:20] Suspect applications: 1
[01:03:20]
[01:03:20] The system checks took: 2 minutes and 41 seconds

Do you think it is a server configuration problem? Magento? Do you have any idea how, and whether, it can be fixed?

Thanks!


Imac 21,5" - 3.20 Ghz Intel Core i3

4GB 13333 DDR3 - 1Tb hd
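A way to put numbers on the Plesk "Apache memory usage" alert quoted above: sum the RES column of the `top` listing per command and compare it with the machine's total memory. This is an added example, not code from the original post or from Plesk; the embedded input is a constructed subset of the quoted `top` output, and the column layout assumed is that of procps `top` on CentOS 6.

```python
"""Aggregate resident memory (RES) per command from a pasted `top` listing."""
import re
from collections import defaultdict

# Constructed subset of the quoted top output
# (PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND).
SAMPLE_TOP = """\
Mem: 2956664k total, 1912048k used, 1044616k free, 200872k buffers
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1670 mysql 20 0 693m 46m 7272 S 0.0 1.6 1:08.61 mysqld
17763 root 20 0 329m 20m 9m S 0.0 0.7 0:02.00 httpd
17767 apache 20 0 377m 62m 6064 S 0.0 2.2 0:01.02 httpd
17768 apache 20 0 377m 63m 4676 S 0.0 2.2 0:01.61 httpd
24727 apache 20 0 329m 12m 2160 S 0.0 0.4 0:00.00 httpd
"""

_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(field):
    """Convert a top memory field ('62m', '7272', '1.2g') to bytes.
    In top, a bare number in VIRT/RES/SHR is KiB."""
    m = re.fullmatch(r"([0-9.]+)([kmg]?)", field.lower())
    if not m:
        raise ValueError(f"bad size field: {field!r}")
    value, unit = m.groups()
    return int(float(value) * (_UNITS[unit] if unit else 1024))


def rss_by_command(top_text):
    """Return ({command: total RES bytes}, total physical memory in bytes).
    Summing RES over-counts pages shared between processes (the SHR column),
    so the per-command figure is an upper bound, not exact usage."""
    totals = defaultdict(int)
    mem_total = None
    for line in top_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Mem:":
            mem_total = parse_size(fields[1])  # e.g. '2956664k'
        elif len(fields) >= 12 and fields[0].isdigit():
            totals[fields[11]] += parse_size(fields[5])  # RES column
    return dict(totals), mem_total


def memory_report(top_text, command="httpd"):
    """Share of physical memory held resident by all processes of one command."""
    totals, mem_total = rss_by_command(top_text)
    used = totals.get(command, 0)
    return {"rss_bytes": used, "mem_total_bytes": mem_total,
            "percent": round(100.0 * used / mem_total, 1)}


if __name__ == "__main__":
    print(memory_report(SAMPLE_TOP))
```

Run it against the full listing (save the `top` output to a file and pass its contents) to see how much of the 2.9 GB shown in the `Mem:` line the twenty-odd httpd workers hold; that figure, together with Apache's worker limits, is what decides whether the yellow state is a tuning issue.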
