Named overloading CPU.. an attack?
Joshua
10-21-2005, 02:38 PM
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
29703 named 16 0 3408 3408 2252 R 6.7 0.0 0:04.01 /usr/sbin/named -u named
29704 named 16 0 3408 3408 2252 R 6.4 0.0 0:04.03 /usr/sbin/named -u named
29706 named 9 0 3408 3408 2252 S 0.6 0.0 0:00.33 /usr/sbin/named -u named
The CPU used on it used to be more, until I brought it down. But these processes are running nonstop with at least 5 - 25% of CPU each.
The load on the server stays around 2 or higher because of this.
Since these loads, I have also seen that my bandwidth has risen from 8 GB to 125 GB in 3 days... it started 3 days ago.
Is this an attack on my DNS server? It is wasting all of my bandwidth!
I checked up every client and nobody has used that much :-\
What can I do?
-Joshua
BornOnline
10-21-2005, 03:12 PM
Not sure about named, but you may want to check your Fantastico install. I have read a few posts about huge bandwidth increases lately being related to exploiting through Fantastico. I don't know if it's related, just an idea.
I would submit a support ticket if you are really concerned.
There is also a new Fantastico version out today.
cd /var/netenberg then find ./ -user nobody
Info (http://www.netenberg.com/forum/viewtopic.php?t=3399)
Joshua
10-21-2005, 03:37 PM
OK, I did that command and found it all nobody's in the ./archives/fantastico_de_luxe/Templates_Express folders
?
I am going to have to shut down the server soon, because bandwidth is getting to its limit. :(
BornOnline
10-21-2005, 04:23 PM
I think that probably means the fantastico folders have been compromised and are probably being used as a file dump. I'm just basically repeating what I have read and am not saying that is what has happened. When I ran that it did not find anything set as nobody, but I did a fresh install of fantastico anyway and added the mod_sec rules.
Now we just need to see if we can upgrade.
Joshua
10-21-2005, 04:30 PM
OK, I am currently upgrading Fantastico.
Also, when I go into WHM and click on the Addon mod security, it shows up a blank page. Why?
BornOnline
10-21-2005, 04:31 PM
Hmm.. not sure about mod_sec. I did not install mine through WHM. Have you had any errors on the upgrade?
Joshua
10-21-2005, 04:36 PM
Actually it froze on me. I have not been able to get into WHM yet, I get an error.
BornOnline
10-21-2005, 04:36 PM
Same here bud... this is not good
Ok.. looks like mine is eaten up too now. Just a few hours ago find ./ -user nobody found nothing. It now looks like they are all screwed.
I can't even get fantastico admin to load in WHM now! Ouch
Joshua
10-21-2005, 04:37 PM
Oh wait. I looked in shell, my cPanel is updating.
I think powervps staff are updating it, although I just updated it yesterday. :-\
BornOnline
10-21-2005, 04:39 PM
LOL.. I see that too. I'm guessing it's support. I hope it is :)
Joshua
10-21-2005, 04:41 PM
Actually, it could be fantastico doing it??
BornOnline
10-21-2005, 04:43 PM
Well, someone is doing something to fantastico and it's not me :) Just waiting for it to stop to see if I can get to WHM admin.
Joshua
10-21-2005, 04:44 PM
I got in.. and now it says this:
It appears this is your first time using Web Host Manager ®. This wizard will guide you though setting up your server.
Joshua
10-21-2005, 05:13 PM
I am running out of bandwidth. I sure feel sorry for all my clients when I have to tell them that I will have to shut their website down until next month.
I am going to lose everyone :(
Wonder what's happening there with your VPSes. Did you even create a support ticket yet? Don't think support would do anything with any VPS without an open ticket.
Joshua
10-21-2005, 05:50 PM
Yeah, I have submitted three tickets on three different issues.
This was the first recent thread I read after logging in and didn't realise what was going on... now I know the issue a bit.
Good luck to you both to come out of this issue ASAP.
GalCom
10-21-2005, 11:03 PM
....is there an easy way to just simply uninstall Fantastico? Seems to me that might be a much simpler option, unless you really need it..