Server Load Problems : Urgent Help Required

Status
Not open for further replies.

Crazy4

I recently installed a server for the company I work for (Linux, CentOS).

I installed lfd and csf and memcached.

I keep getting emails to my inbox like:

lfd on xxxx.com: High 5 minute load average alert - 8.28
lfd on xxxx.com: Excessive resource usage: rpcuser (2108
lfd on xxxx.com: Excessive resource usage: avahi (2948)
lfd on xxxx.com: Excessive resource usage: rpc (2079)
lfd on xxxx.com: Suspicious process running under user avahi
lfd on xxxx.com: Suspicious process running under user rpcuser

Also, when I check the sessions to httpd and MySQL they are high and the site is inaccessible.

Awaiting some help!
 
This can be a lot of things.

Can you give me the input of this command *via SSH /root* and your server's specs?

Code:
netstat -nt | grep ':80 ' | awk '{print $6}' | sort | uniq -c
 
I checked the recent connections, mate. It's not an attack or something.

Only 2 IPs connected to the server.

Thanks for your reply
 
OK, and what are the suspicious files running from those emails, and also what do the emails say about high usage for these users?
 
Time: Fri Aug 28 06:05:34 2009 -0400
1 Min Load Avg: 10.27
5 Min Load Avg: 8.90
15 Min Load Avg: 9.55
Running/Total Processes: 9/203

Time: Fri Aug 28 06:01:30 2009 -0400
PID: 2947
Account: avahi
Uptime: 74582 seconds


Executable:

/usr/sbin/avahi-daemon


Command Line (often faked in exploits):

avahi-daemon: running [xxxxx.local]


Network connections by the process (if any):

udp: 0.0.0.0:5353 -> 0.0.0.0:0
udp6: 0.0.0.0:5353 -> 0.0.0.0:0
udp: 0.0.0.0:59613 -> 0.0.0.0:0
udp6: 0.0.0.0:50387 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):

 
Account: rpcuser
Resource: Process Time
Exceeded: 3683 > 1800 (seconds)
Executable: /sbin/rpc.statd
Command Line: rpc.statd
PID: 2083
Killed: No
 