I'm having a very urgent problem. Suddenly today my server can't send email. After I checked the log, it turns out there are many errors from MySQL which say too many connections. I checked my Webmin and it shows CPU usage at 100%. When I go to the Database Connections menu in Webmin it shows so many connections, very short-lived, and I cannot kill them.

54 vmail localhost:44792 vmail Sleep 00:00:04
55 vmail localhost:44794 vmail Sleep 00:00:04
56 vmail localhost:44796 vmail Sleep 00:00:04
57 vmail localhost:44798 vmail Sleep 00:00:04
58 vmail localhost:44800 vmail Sleep 00:00:04
59 vmail localhost:44801 vmail Sleep 00:00:04
60 vmail localhost:44804 vmail Sleep 00:00:04

Every time I try to kill the process it says "unknown thread id".

Am I hacked? Please help me, I'm panicking right now. What should I do now? I am currently running the server online with my MySQL Server stopped because it's the only way to reduce the CPU usage.

I'm currently running on Ubuntu 15. Please help.

pasaisea
  • What evidence, other than 100% CPU, do you have to support your assumption that you've been hacked? What process(es) are consuming the CPU? What percentage of time is your system spending in `iowait`? – EEAA Apr 12 '16 at 15:18
  • Also, if you do suspect that your server is hacked, the only reasonable thing to do is to shut it down and rebuild from a known-good backup, and ensure that you've secured the server and patched any vulnerabilities before bringing it back online. – EEAA Apr 12 '16 at 15:19
  • Ok, I think I found the source of this MySQL "too many connections" problem. A source told me to run `netstat -tan` to check all incoming connections, and I found 2 suspicious IPs that repeatedly made attempts to connect to ports that I have never opened. I used the Linux firewall to block those 2 IPs and the problem was solved. My server CPU load dropped from 100% to 3% and the MySQL "too many connections" errors are gone. – pasaisea Apr 12 '16 at 17:51

1 Answer

You are trying to kill the short-lived process; even if you managed to do that, it wouldn't help. You need to determine where the source is. You can look at the logs for that: the logs for whatever might connect as vmail (Dovecot maybe, or an Apache phpMyAdmin or webmail?). You can stop that process if you wish to stop the problem at the expense of stopping legitimate service.

Law29
  • When I checked the mail.log it says that email `Apr 12 21:41:23 server postfix/proxymap[9378]: warning: connect to mysql server 127.0.0.1: Too many connections` – pasaisea Apr 12 '16 at 15:25
  • You are not giving enough info and focusing on the symptoms instead of the causes. Stopping mysql decreased the CPU, I'll suppose that your mysql server was consuming all that CPU... so what is not working anymore (website, mail...)? Have you looked at the logs of your mysql and of all the things that could be connecting to your mysql? (Is your mysql firewalled from Internet?) If logs are big, have you compared to before your problems (number of lines per hour or per ten minutes is a good pointer towards trouble). This is basic troubleshooting we can't really help you with. – Law29 Apr 12 '16 at 15:59
  • Ok, I think I found the source of this MySQL "too many connections" problem. A source told me to run `netstat -tan` to check all incoming connections, and I found 2 suspicious IPs that repeatedly made attempts to connect to ports that I have never opened. I used the Linux firewall to block those 2 IPs and the problem was solved. My server CPU load dropped from 100% to 3% and the MySQL "too many connections" errors are gone. – pasaisea Apr 12 '16 at 16:35
  • You need to firewall off all the ports that you do not specifically need open; I cannot imagine that you need to be able to connect to mysql from the Internet. – Law29 Apr 12 '16 at 18:59
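
The comparison suggested in the comments above (log lines per ten minutes, against the period before the trouble started) can be scripted as follows. This is an added example, not part of the original thread: the function names, the smtpd lines and all timestamps are constructed, and only the proxymap warning text is taken from the question.

```shell
#!/bin/sh
# Constructed sample: a quiet half hour, then a burst of the proxymap
# warning quoted in the thread (timestamps and smtpd lines are made up).
sample_log() {
    cat <<'EOF'
Apr 12 21:12:01 server postfix/smtpd[9001]: connect from localhost[127.0.0.1]
Apr 12 21:17:44 server postfix/smtpd[9001]: disconnect from localhost[127.0.0.1]
Apr 12 21:21:09 server postfix/smtpd[9014]: connect from localhost[127.0.0.1]
Apr 12 21:24:30 server postfix/smtpd[9014]: disconnect from localhost[127.0.0.1]
Apr 12 21:29:58 server postfix/smtpd[9020]: connect from localhost[127.0.0.1]
Apr 12 21:33:12 server postfix/smtpd[9031]: connect from localhost[127.0.0.1]
Apr 12 21:38:40 server postfix/smtpd[9031]: disconnect from localhost[127.0.0.1]
EOF
    i=0
    while [ "$i" -lt 15 ]; do
        printf 'Apr 12 21:41:%02d server postfix/proxymap[9378]: warning: connect to mysql server 127.0.0.1: Too many connections\n' "$i"
        i=$((i + 1))
    done
}

# Print "Mon DD HH:M0 count" per ten-minute window, in order of appearance.
# Assumes the traditional syslog timestamp ("Apr 12 21:41:23") at line start.
lines_per_10min() {
    awk '
        $3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
            key = $1 " " $2 " " substr($3, 1, 4) "0"   # 21:41:23 -> 21:40
            if (!(key in n)) order[++k] = key
            n[key]++
        }
        END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }
    '
}

# Read lines_per_10min output; print windows whose count is at least
# FACTOR (default 5) times the mean of the earlier, unflagged windows.
flag_spikes() {
    awk -v factor="${1:-5}" '
        { c = $NF }
        seen > 0 && c >= factor * (sum / seen) { print; next }
        { sum += c; seen++ }
    '
}

# Demo on the constructed sample; on a server, feed mail.log instead.
sample_log | lines_per_10min | flag_spikes 5
```

Running the same pipeline over the MySQL log and the logs of each service that connects as vmail shows which one changed first, which points at the cause rather than the symptom.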