Be Excellent To Each Other

And, you know, party on. Dude.

All times are UTC [ DST ]




 Post subject: Resource Limit Reached Error
PostPosted: Wed Aug 06, 2014 17:23 
Hi folks and folkesses,

My website, Eskimimi Makes, is having a bit of a hard time, recently. On a number of occasions since we have returned from our break the website keeps returning me a Resource Limit Exceeded error (508 error, I think).

I have checked my CPanel, under the resource usage, and get the following:

Resource Usage Overview
Your site has been limited within the past 24 hours

You have reached entry processes (number of simultaneously running php and cgi scripts, as well as cron jobs and shell sessions) limit 224 times.

[Details]

I can see on my CPanel that I am limited to 20 entry processes at any one time. Clicking to expand the details shows me some graphs, as so:

Attachment:
Screen Shot 2014-08-06 at 17.14.59.png


I have looked at the error log to see if I can find what is happening, but it is empty.

So, I googled around and the best advice I could see was to contact the host and ask for information on what scripts or pages were causing the issue. The first response I had from the host was, in full:
"Hello. Contact your script vendor and optimize the scripts whether it is causing the issue."

Brill.

I replied asking if they had any further advice on what scripts were causing the issue, as I had been told that my host was the best source for information as to where the issues might lie. I got a slightly more helpful reply this time:

"Hello,

I see you're using wordpress, please disable any plugins you're not using and it may be worth enabling some caching such as WP Super Cache."

I have taken this advice, though since this the number of times that the site has been limited in the past 24hrs has doubled (which, of course, may be a coincidence).

But frankly I am stuck as to how to proceed, now. I don't think that the host (UKHost4U, which is the one that Russell had recommended as he's found them to be OK) will be much further help, and I feel completely stuck as to how to help improve things, and it's getting me a bit flummoxedly down. Does anyone have any ideas or advice? I'm pretty much at a dead end.


 
 Post subject: Re: Resource Limit Reached Error
PostPosted: Wed Aug 06, 2014 21:45 
Legendary Boogeyman
Hello! Cpanel WHM owner here.

I was going to ask if you hosted Wordpress before I read it and can tell you the cause. You're sort of being DDoSed, in that an IP is super spamming connections to your Wordpress scripts which can spawn a zillion Apache processes, which temporarily causes high server load.

Very temporarily. I get alerts of this occurring to most of my Wordpress installs. I'm not 100% sure what the objective is, it's possibly a malicious but random attempt to compromise your installation by trying something on all your scripts at once, but it goes quickly.

A decent cpanel host will run LFD and mod security with rules to ban the IP automatically when detected.


There's nothing you can do to stop the activity, but maybe find a more competent or understanding host.

_________________
Mr Kissyfur wrote:
Pretty much everyone agrees with Gnomes, really, it's just some are too right on to admit it. :)


 
 Post subject: Re: Resource Limit Reached Error
PostPosted: Wed Aug 06, 2014 22:11 
Legendary Boogeyman
Ok last post was on my phone, I'll try to reply a little better:

If you were able to access the Apache Status of your hosting server as the 'attack' was happening, you'd see open connections from the same IP, usually about 20-30, sometimes more, to every Wordpress script (and associated image resource and whatnot) on your installation. Sometimes it's a huge number of attempts on just your wp-login page.

Basically it's very easy to find Wordpress installations and compromise them if either your script permissions are slack, or you have a plugin that's compromised. Sometimes it's a simple brute on the login page.

I have specific mod_security rules to block such attempts in my firewall, but they need to trigger first so I very often get 'Excessive processes running' emails warning me about it. They're a flash in the pan in terms of resource usage, so aside from being annoying they're not actually kicking the server over.

Read the general article on Hardening Wordpress, and I can also greatly recommend installing the Two-Factor Authentication Plugin (I use this one for general extra security).

If you're unhappy at your host and want to move to another with Cpanel, the receiving host should be able to do an automagic migration of your existing account with just your existing username and password (WHM has very nice transfer settings for this kind of thing). Zero faff and basically the only thing you need to change is the DNS.

 
 Post subject: Re: Resource Limit Reached Error
PostPosted: Thu Aug 07, 2014 12:40 
sneering elitist
I've had the same problem this week, and it's because of malicious activity on xmlrpc.php in WordPress - likely to be a similar issue.

I'm surprised by the response from your host - they should have been able to tell this easily from the access logs and could have offered advice/reassurance instead of a generic BS response. :roll:

_________________
i make websites


 
 Post subject: Re: Resource Limit Reached Error
PostPosted: Thu Aug 07, 2014 17:22 
Thank you, both, for the advice and also reassurance that I am not losing it (from the advice of the host I have disabled everything down to the barebones to disable as many scripts as I could at once and it hasn't improved the situation one jot).

EBJ: you said that the attacks were brief - do you mean in terms of them lasting a few seconds at a time or lasting a day or two? Looking on my stats this seems to have started about 2.5-3 weeks ago, and have been sustained since, so it is nearly a month since the issues started up.

The host has been of little use or support, which is really disappointing. I shall go back to them with the advice and queries raised by your responses and see if they are willing to give me any more information or support, because quite a few times I have gone to load my site now and am getting the error page, and if I am experiencing it then so are visitors.

 
 Post subject: Re: Resource Limit Reached Error
PostPosted: Thu Aug 07, 2014 17:35 
Legendary Boogeyman
I mean the processes spawned by the attack usually die by themselves quite quickly (less than a minute) but the way the server reports it, it will see that your user is running all of those processes simultaneously.

Your host has set limits in its apache config to limit you to that number of simultaneous processes. Unluckily in the event of a flash attack (or even just a sudden surge of visits if the limit is low enough) this will trip the limit and you'll get that error.

I don't think there's much your host will do, as the setting for this limit is usually server-wide and despite the fact this kind of Wordpress spam-attack thingy is pretty well known, they'll say it's not their responsibility. I suppose that's technically true, but they also seem ignorant to the actual cause.

If they were running LFD (a great Cpanel firewall), they could set it to auto-kill the processes when it hits the limit. That might terminate the connection temporarily to a legitimate user if they were mid page-load, but more likely it would just clear out the silly spam processes and your site could continue as normal.

 
 Post subject: Re: Resource Limit Reached Error
PostPosted: Thu Aug 07, 2014 17:40 
ElephantBanjoGnome wrote:
I mean the processes spawned by the attack usually die by themselves quite quickly (less than a minute) but the way the server reports it, it will see that your user is running all of those processes simultaneously.

Your host has set limits in its apache config to limit you to that number of simultaneous processes. Unluckily in the event of a flash attack (or even just a sudden surge of visits if the limit is low enough) this will trip the limit and you'll get that error.

I don't think there's much your host will do, as the setting for this limit is usually server-wide and despite the fact this kind of Wordpress spam-attack thingy is pretty well known, they'll say it's not their responsibility. I suppose that's technically true, but they also seem ignorant to the actual cause.

If they were running LFD (a great Cpanel firewall), they could set it to auto-kill the processes when it hits the limit. That might terminate the connection temporarily to a legitimate user if they were mid page-load, but more likely it would just clear out the silly spam processes and your site could continue as normal.


Oh, I don't suppose that they'll lift the limits because, as you put well, they'll be server-wide and the standard limits, but I would have hoped that they could have just given a little support in identifying if it was a script on my site causing the issue, or if I was getting hit from a particular IP repeatedly and to have given just a few words of advice in how to best deal with this, but the first response, at least, was just 'not our problem'. Not their problem, fair enough, but they might have the information to be able to assist and help one of their customers. I don't know if I can access the information to see where this is coming from to perhaps help stop it.

 
 Post subject: Re: Resource Limit Reached Error
PostPosted: Thu Aug 07, 2014 17:52 
Legendary Boogeyman
I don't think you will. The default logging will just track number of processes rather than a historic list of what and when.

Even if you could see this info, it wouldn't help you fix it. The server should be auto-banning IPs that engage in spammy activity (no IP should be hammering a site 20 times in less than 5 seconds, say) and there's very little you can do at your level to help.

My Wordpress goes through stages of attacks like this, sometimes I'll have 5 in a day, and then none for two weeks. Really you want a host that is wise to the problem and has intelligent measures to both protect their server while keeping your site up. Perhaps these guys are just a bit thick, or too lazy/indifferent to do anything other than tell you it's your problem.

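[Added example, not part of any post in this thread] The pattern the replies describe (one IP making more than about 20 requests in under 5 seconds, often against wp-login.php or xmlrpc.php) is something a host can read straight out of an Apache access log. The sketch below assumes the standard Apache access-log line layout; the log lines and IP addresses are constructed, and the 20-in-5-seconds threshold is the figure suggested in the post above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache access-log prefix: client IP, [timestamp], "METHOD path ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
WATCHED = ("/wp-login.php", "/xmlrpc.php")  # endpoints named in the thread

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip malformed lines instead of crashing
    ip, ts, path = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path.split("?", 1)[0]

def find_bursts(lines, limit=20, window_s=5):
    """Return {ip: {"peak": n, "targets": {path: hits}}} for each IP that made
    more than `limit` requests in any `window_s` seconds (log in time order)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # ip -> timestamps still inside window
    peak = defaultdict(int)              # ip -> busiest window seen so far
    targets = defaultdict(lambda: defaultdict(int))
    for ip, when, path in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append(when)
        while when - q[0] >= window:     # drop requests older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        if path.endswith(WATCHED):
            targets[ip][path] += 1
    return {ip: {"peak": peak[ip], "targets": dict(targets[ip])}
            for ip in peak if peak[ip] > limit}

def sample_log():
    """Constructed sample: one noisy client and one ordinary visitor."""
    lines = []
    for i in range(30):  # 30 POSTs to xmlrpc.php spread over 3 seconds
        lines.append(f'203.0.113.9 - - [06/Aug/2014:17:10:{i // 10:02d} +0000] '
                     f'"POST /xmlrpc.php HTTP/1.0" 200 370')
    for i in range(4):   # ordinary visitor, one page per minute
        lines.append(f'198.51.100.7 - - [06/Aug/2014:17:1{i}:20 +0000] '
                     f'"GET /blog/?p={i} HTTP/1.1" 200 5120')
    lines.append("garbage line that does not parse")
    return lines

if __name__ == "__main__":
    for ip, info in find_bursts(sample_log()).items():
        print(ip, info)
```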
 
 Post subject: Re: Resource Limit Reached Error
PostPosted: Thu Aug 07, 2014 18:03 
Legendary Boogeyman
Just doing some reading here. Assuming your host runs CloudLinux and their resource usage is enforced using LVE manager, then these limits WILL be applied on a per package basis.

This means that theoretically they could up the limit for whatever package your website is on.
