Random cPanel CPU Spikes

agoldenbergagoldenberg Member, Host Rep

Hey Guys

I'm noticing a weird issue with my cPanel vm.

For some reason at around 10:30pm est my cpu spikes to over 100% for about 20 minutes.

All I host are a few Wordpress sites. Any ideas what the cause may be?

When I run top all I see is a few users with php running high cpu percentage.

But believe me when I say this. Not one of the sites I host has anything other than Wordpress running and the clients know nothing about php.


Comments

  • It's not weird. Wordpress can very well spike up server load easily if there's a lot of visitors or if the client installs a lot of Wordpress plugins. CloudLinux can help you set a limit for this.

  • I notice spikes on a few wordpress sites I host when some of the auto-backup scripts come into play.

  • check Configure cPanel Cron Jobs at first menu tab in whm and your VM / Server time... There is major cpanel update to 11.46 and upcp is done around 1:20 am... If your server is in Europe or set to some EU time zone it can match with the time you mentioned... and 1 cpu easily can go to 100 percent when upcp is running

  • qpsqps Member, Host Rep
    edited November 2014

    Check what time your cPanel stats updates run.

  • @agoldenberg said:
    All I host are a few Wordpress sites. Any ideas what the cause may be?

    When I run top all I see is a few users with php running high cpu percentage.

    Do you see what PHP script is running? If it's wordpress page most likely from traffic, for example some bot unrealistically crawls every single page of your users website. If it's wp-login.php most likely brute force attempts, or see if it's from certain plugins that could be very heavy.

  • Check top to see which process is doing that.

    Faced ksoftirqd/0 process in near past & it was due to client's mobile broken website.

  • wychwych Member
    edited November 2014

    stat updates/backup runs at that time?

    What process is racking up the load?

  • If it's the cpanel cron jobs/backups running don't worry about them, they should be running at a lower priority so everything else won't slow down.

  • AmitzAmitz Member
    edited November 2014

    Do a

    grep -R "wp-login.php" /usr/local/apache/domlogs/* | grep "POST" | awk -F: '{ print $2 }' | awk '{print $1}' | sort | uniq -c | sort -n
    

    I bet someone is brute-forcing the Wordpress login page. The command above will show you the IP of the 'brute forcer' and the number of login attempts.
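
The same count done in a single awk pass over the raw log lines, as an added example that is not part of the original thread: it matches the request method and path fields instead of grepping for substrings, and adds an hourly tally that can be compared with the time of the CPU spike. The function names, the default threshold and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads Apache combined-format access log lines on stdin.
# Fields: $1 = client IP, $4 = [day/Mon/year:HH:MM:SS, $6 = "METHOD, $7 = path.
# Typical use (log path from the thread): cat /usr/local/apache/domlogs/* | wp_login_offenders 50

# Print "count ip" for clients with at least $1 POSTs to wp-login.php, busiest first.
wp_login_offenders() {
    awk -v min="${1:-20}" '
        $6 == "\"POST" {
            path = $7; sub(/\?.*/, "", path)       # ignore any query string
            if (path ~ /\/wp-login\.php$/) hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Print "count day/Mon/year:HH" so login POSTs can be lined up with a load spike.
wp_login_by_hour() {
    awk '
        $6 == "\"POST" {
            path = $7; sub(/\?.*/, "", path)
            if (path ~ /\/wp-login\.php$/) hours[substr($4, 2, 14)]++
        }
        END { for (h in hours) print hours[h], h }
    ' | sort -rn
}

# Constructed sample lines (documentation-range addresses), not real traffic.
sample_domlog() {
    cat <<'EOF'
203.0.113.7 - - [10/Nov/2014:22:31:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2014:22:31:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2014:22:31:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2014:22:40:09 -0500] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2014:22:40:10 -0500] "POST /blog/wp-login.php?action=lostpassword HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Nov/2014:14:05:00 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Nov/2014:14:06:11 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}
```

A client that appears near the top of `wp_login_offenders` and whose requests fall in the hour reported by `wp_login_by_hour` around the spike is the candidate for a firewall-level block.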

  • agoldenbergagoldenberg Member, Host Rep

    @Amitz here's the output:

    
  • agoldenbergagoldenberg Member, Host Rep

    I blocked that last IP in CPHulk but the number keeps going up. I dunno what else to do.

  • Dang! That's quite a lot of attempts!

  • AmitzAmitz Member
    edited November 2014

    If you have CSF installed, try it with
    csf -d 195.154.235.55
    That ALWAYS works for me.

    I am not sure whether CPHulk can help here. By the way: I have this on a daily basis. A whole core saturated by one IP trying to brute force wp-login.php.

  • agoldenbergagoldenberg Member, Host Rep

    @Amitz I have no idea how to configure CSF. I have it installed and have tried a couple times but all that ends up happening is I end up blocking all traffic.

    Thanked by 1linuxthefish
  • agoldenbergagoldenberg Member, Host Rep

    @Amitz just dropped the massive offenders using IPTables.

    Thanked by 1Amitz
  • AmitzAmitz Member
    edited November 2014

    It is quite easy, especially using cPanel. You should give it a try again. I am also willing to help you as much as I can... It should also be well possible using some mod_security rules for Apache, but this is something that I never made experiences with...

  • AmitzAmitz Member
    edited November 2014

    agoldenberg said:

    @Amitz just dropped the massive offenders using IPTables.

    That does the job equally well. CSF would do nothing else in the end! The annoying thing: It will happen again tomorrow and probably from a new IP. You can stop it this way, but doing this every day is not a pleasure. There are several options that you could look at:

    http://codex.wordpress.org/Brute_Force_Attacks

  • I tried this. It does not help against the high load. The fu**ing bot just goes on. You need a solution that blocks the offending IP on network level, unfortunately.

  • wychwych Member
    edited November 2014

    Doesn't fail2ban have a WP Plugin?

    https://wordpress.org/plugins/wp-fail2ban/

  • Password protect your wplogin with http auth so it's not using so much CPU when people try to brute force it.

  • agoldenbergagoldenberg Member, Host Rep

    Yeah see I host other people. These sites aren't mine so it would be a problem to password protect all the logins for each wordpress site.

  • @linuxthefish @agoldenberg A shared host one of my clients uses did this for wp-login.php:

    They were just getting hammered, and this cut down on pretty much all automated attacks.

  • geekalotgeekalot Member
    edited November 2014

    @agoldenberg: CSF + Fail2ban (custom rules) are a good combination to mitigate brute-forcing.

  • agoldenbergagoldenberg Member, Host Rep

    @mikeyur again this would be at the discretion of each individual client. They all get hammered. These f***ing wordpress brute force script kiddies just hammer every instance of wordpress they find. I host a few high traffic sites and see brute force attempts through cphulk every few minutes.

  • cphulk only records login attempts to the server, like SSH or cPanel login. It's not gonna help with WordPress/script level brutes.

    iptables should do it as mentioned, and on user level you can block the IP using .htaccess or IP Deny Manager.

  • Or fail2ban...

    Thanked by 1DalComp
  • xDutchyxDutchy Member
    edited November 2014

    (Custom) fail2ban rule looking for posts to wp-login.php should do the trick

    Edit: or use the plugin @wych linked

  • Or fail2ban...
    (if you can make the user install it)

  • @mikeyur said:
    linuxthefish agoldenberg A shared host one of my clients uses did this for wp-login.php:

    They were just getting hammered, and this cut down on pretty much all automated attacks.

    This! Try that out because I was also having one of my servers absolutely hammered by wp-login attacks the past few weeks and after adding an auth login to each wordpress wp-login page I am no longer getting any attacks (and the ones that tried there was hardly a blip on cpu usage). It really does work.
