[Solved] dosprn.com suspended

[dosprn]

Unexpectedly, my account was disabled due to exceeding the 24 hour limit of 100 GB memory or 10,000 CPU. I think that there was some error because my sites do not perform complex calculations and a large number of requests on the Internet. There have been no such incidents over the past years. Please unlock my account so I can check what might have happened and prevent it from happening in the future.

[wolstech]

Your load is through the roof (the cliff on the right is you getting suspended). If your site doesn't do anything heavy, it's probably being attacked. Please fix the issue quickly. If the load continues you'll be resuspended.

Unsuspended.

[dosprn]

thank you very much. I'll look around the problem asap

[dosprn]

Can I watch the CPU load from my Plesk account and/or can I determine which process was taking up 100% of the resource?

[wolstech]

It's the memory usage that was the issue, not the CPU.

You can watch your account's load chart here: https://heliohost.org/dashboard/load/ but there isn't any way to see specific processes. Krydos might be able to get you that information if you really need it.

[dosprn]

Thank you again. Unfortunately at this time, I cannot determine what could have caused the overload.

My account doesn't run any ongoing or scheduled processes (except for daily account backups configured in Plesk).
I also found no traces of suspicious activity in the logs.

I will monitor the level of memory usage and contact you for help if this level unexpectedly reaches 100% again. Now, as far as I can see, it is within 20-40%.

[dosprn]

I apologize for the inconvenience, but my account is disabled again due to High Load. I really need your help to find out the cause of this problem.

My account does not have any continuously running processes that could use a large amount of RAM. There are only a few PHP scripts that perform single MYSQL commands by HTTPS requests. The tables are optimized for these requests and should not load the system.

After the previous incident, I looked through the logs and did not find any hint of the cause of the problem, and the memory usage was constantly at the level of 20-30Mb.

Maybe there is an attack on my website that causes an unexpected increase in memory usage, but since I can't see the processes that are taking up too much memory, I can't find a way to solve the problem.

Please unblock the account and help me solve the problem.

[wolstech]

Krydos can help with this.

[dosprn]

1 minute ago, wolstech said:

Krydos can help with this.

Thank you very much.

What should be done now?

Can you unblock the account and give Krydos a look at what's going on?

Do I need to contact Krydos separately myself?

[wolstech]

It's been escalated (you posted while I was still working on escalating it).

He'll take a look when he sees it.

[wolstech]

Krydos finally checked on this for me. You're being hit by bots.

|        0 |     0.70 | [php-cgi] <defunct>                                                           |
| 18596720 |    28.60 | /opt/plesk/php/8.0/bin/php-cgi -c /home/system/check.dosprn.com/etc/php.ini   |
| 54039980 |    47.00 | /opt/plesk/php/8.0/bin/php-cgi -c /home/system/version.dosprn.com/etc/php.ini |

Specifically, this IP address hit your site 4422 times:

69.162.124.238

 

I would suggest logging IPs and/or reviewing your logs and blocking abusive bots in .htaccess. I blocked this one for you on both the check and version domains and unsuspended you.

Please let me know if you need anything else.

[dosprn]

Thank you very much for your support.

I will try to check the logs as often as possible and block suspicious bots.

But such an attack can start unexpectedly during non-working hours, and after half a day the site can be blocked again.

Is there any way to set up an alert that will send a warning e-mail in case of overload? This would make it possible to quickly respond to such attacks.

[Krydos]

On 10/14/2024 at 11:10 AM, dosprn said:

Is there any way to set up an alert that will send a warning e-mail in case of overload?

We plan on adding a 90% load warning email soon. Basically if you get to 90% of your memory or CPU usage for the day you'll get an email letting you know about it prior to being suspended.

[dosprn]

I regularly check the resource usage of my account and found that during the last 8 hours I have an overload of RAM.

Before that, I carefully reviewed all the logs and denied access to all suspicious bots in .htaccess.

After that, I disabled access to my service subdomains and the CPU load dropped to 0.

But despite this, I still get 70-80MB of RAM usage.

This will inevitably lead to the blocking of my account after a few hours, although I cannot influence the situation in any way.

Please help me to solve the problem.

[wolstech]

It just dropped to basically 0 in the past half hour looking at the chart now. Site seems to be working, so guessing you blocked another bot?

EDIT: Looks like you put a deny from all on the version subdomain it looks like and your load evaporated. Sounds like something is beating on that too much. I'm not sure how many copies of your software are out there, but if all those requests are the app checking for updates, you may want to consider just using static update version data files (i.e. let app download a plain INI or something instead of calling a PHP script, and have app compare versions locally).