I'm running a CentOS 6 server with Plesk 11.0.9 installed. It's only being used for dev purposes with only a couple of vhosts running on it. All of the vhosts are using PHP - there are a few WordPress sites and Zend Framework 2 applications running. Up until a few months ago it was also running a high traffic WordPress site, but that's no longer the case.
This server has been running without problems for over a year. A few days ago I first started noticing 503 errors (Service Temporarily Unavailable) on accessing one of the vhosts from the web browser.
I logged on through ssh and noticed the load was a bit higher than I expected (nothing crazy though). All other vhosts using PHP also gave me the same error. The only vhost that was working normally was a Ruby on Rails app (Redmine).
I also did a netstat -napt and noticed many connections from two or three IP addresses. I checked their geographical location and after blocking them through iptables the problem seemed to have gone away.
Now it's a few days later and the same problem started popping up. I checked again through netstat and noticed that again a whole bunch of connections from only a handful of IP addresses were connected to Apache.
When I was digging deeper I noticed that some of those IP addresses were what looks to me like other servers (at least they're running Apache). I'm suspecting they are hacked servers and they're trying to use my server to send spam or some other type of evil.
I just blocked those new IP addresses in iptables and that seemed to have solved the problem for now again, but I want to solve the root of the problem.
So my questions are:
1) How can I find out to what vhost those clients are connected?
2) Why does Apache stop working with not that many client connections, when it used to serve thousands of visitors at the same time when that big site was still running on this server?
3) What could they possibly be using my server for? The first time it happened I thought that they found some leaking WordPress plugin to use to spam people, but today I checked and there's barely anything in the mail queue.
4) Any suggestions on how to troubleshoot this?
Thanks in advance for any suggestions.
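As an added example (not part of the question above, and not Plesk's own tooling), the following shell functions show one way to answer question 1: take the remote addresses that hold the most Apache connections in `netstat` output, then count how many requests each of them made in every vhost's access log. It assumes the Plesk layout of one `access_log` per vhost under a directory tree like `<dir>/<domain>/access_log` (on a Plesk 11 box the real path is typically `/var/www/vhosts/<domain>/statistics/logs/`, but check your own installation); the netstat output and log lines used here are constructed sample data using documentation IP ranges.

```sh
#!/bin/sh
# Added example: correlate busy client IPs from netstat with per-vhost Apache access logs.
# Paths, vhost names and IPs below are constructed for the demonstration.

# suspicious_ips THRESHOLD  (reads `netstat -nat`/`netstat -napt` output on stdin)
#   Keeps ESTABLISHED connections whose local port is 80 or 443 and prints every
#   remote address holding more than THRESHOLD of them, one per line, sorted.
#   Field layout: $4 = local addr:port, $5 = remote addr:port, $6 = state.
suspicious_ips() {
    awk -v thr="$1" '
        $6 == "ESTABLISHED" && $4 ~ /:(80|443)$/ {
            split($5, a, ":"); c[a[1]]++
        }
        END { for (ip in c) if (c[ip] > thr) print ip }' | sort
}

# hits_per_vhost LOGDIR IP...
#   For each vhost directory under LOGDIR (assumed layout LOGDIR/<domain>/access_log),
#   count requests from each given client IP ($1 of the combined log format).
#   Output: "<vhost> <ip> <count>", most hits first.
hits_per_vhost() {
    logdir=$1; shift
    for ip in "$@"; do
        for log in "$logdir"/*/access_log; do
            vhost=$(basename "$(dirname "$log")")
            n=$(awk -v ip="$ip" '$1 == ip { n++ } END { print n + 0 }' "$log")
            if [ "$n" -gt 0 ]; then echo "$vhost $ip $n"; fi
        done
    done | sort -k3,3nr
}

# netstat_sample: constructed `netstat -nat` output for the demonstration.
netstat_sample() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 192.0.2.1:80                203.0.113.5:51234           ESTABLISHED
tcp        0      0 192.0.2.1:80                203.0.113.5:51235           ESTABLISHED
tcp        0      0 192.0.2.1:80                203.0.113.5:51236           ESTABLISHED
tcp        0      0 192.0.2.1:80                203.0.113.5:51237           ESTABLISHED
tcp        0      0 192.0.2.1:80                198.51.100.7:40001          ESTABLISHED
tcp        0      0 192.0.2.1:80                198.51.100.7:40002          ESTABLISHED
tcp        0      0 192.0.2.1:443               192.0.2.10:33000            ESTABLISHED
tcp        0      0 192.0.2.1:22                192.0.2.10:33001            ESTABLISHED
EOF
}

# make_sample DIR: writes constructed per-vhost access logs in the assumed Plesk-like layout.
make_sample() {
    mkdir -p "$1/example-wp.test" "$1/zf2-app.test" "$1/redmine.test"
cat > "$1/example-wp.test/access_log" <<'EOF'
203.0.113.5 - - [10/Oct/2013:10:00:01 +0200] "POST /index.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [10/Oct/2013:10:00:02 +0200] "POST /index.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [10/Oct/2013:10:00:03 +0200] "GET /index.php HTTP/1.1" 200 3045 "-" "-"
203.0.113.5 - - [10/Oct/2013:10:00:04 +0200] "POST /index.php HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [10/Oct/2013:10:00:05 +0200] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
EOF
cat > "$1/zf2-app.test/access_log" <<'EOF'
203.0.113.5 - - [10/Oct/2013:10:00:06 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "-"
203.0.113.5 - - [10/Oct/2013:10:00:07 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "-"
192.0.2.10 - - [10/Oct/2013:10:00:08 +0200] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF
cat > "$1/redmine.test/access_log" <<'EOF'
192.0.2.10 - - [10/Oct/2013:10:00:09 +0200] "GET /projects HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run against the constructed data (on a real box: `netstat -nat | suspicious_ips 20`
# and `hits_per_vhost /var/www/vhosts/... $ips`, with the log path adjusted to your layout).
if [ "${DEMO:-1}" = 1 ]; then
    d=$(mktemp -d)
    make_sample "$d"
    ips=$(netstat_sample | suspicious_ips 2)
    echo "IPs with more than 2 web connections: $ips"
    hits_per_vhost "$d" $ips
    rm -rf "$d"
fi
```

Per-vhost logs only tell you which site is being hit; to see what those requests are doing, sort the matching lines by request line (field 6 onwards) and watch for a single URL dominating the count. The high connection count with low load in the question is also what you would see when a handful of slow PHP requests pin Apache's worker slots, so `apachectl fullstatus` (mod_status) at the moment of a 503 is the complementary check.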