Sites froze up and I don't know why - would like to know why

vps

#1

Greetings,

Yesterday at around 2am, I noticed one of my sites froze up and stayed that way for 15 minutes or more. It had 503 errors and then later 500 errors. I tried restarting my Web VPS and that didn’t work. Suddenly all my sites went down. I visited one of my smaller sites in my web browser and it had a MySQL “too many connections” error displayed. It was only then that I decided to also restart my MySQL VPS server and that seemed to fix the issue. This appears to be a rare one-time thing, possibly a DDoS attack with all the connections maxed out?

Question: If my site freezes up on VPS (or DreamCompute in the future), where do I find the cause through the Linux command line? Is there a particular log or diagnostic script somewhere that tells me the reason why a site is frozen? It is extremely important for me to not be in the dark if I have to manage my own server on DreamCompute, so I would like to learn how to go about this if it happens again in the future… Like how would DreamHost figure out what happened and how to fix it if I had written a message to customer support?

Thanks
Kind regards


#2

Did you check the logs? They are located at /home/YourUserName/logs


#3

I saw the logs, there’s a whole bunch of them in there and some of them are huge. I’m not sure what I’m supposed to be looking for… Are these like traffic logs, or do they keep track of MySQL, networking and backend server issues?


#4

The HTTP 500 errors should show up in your error.log file. The error.log file shows errors for today. To look at a previous day, open error.log.date. Date would be the date you want to look at, for example error.log.2016-01-24.


#5

Thanks for the help. I think I found the 500 errors. I’m seeing a lot of these types of errors for that day:

SQL Injection attempt? Found about 12 of these with different ARGS_NAMES parameters

[error] [client 36.76.46.231] ModSecurity: Access denied with code 418 (phase 1). Pattern match "\\.\\./etc/(?:passwd|shadow)" at ARGS_NAMES:YoZr=4241 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd. [file "/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf"] [line "9"] [id "1980002"] [msg "passwd/shadow access"] [data "../etc/passwd"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.*******.com"] [uri "/search/"] [unique_id "VqDs9a3skeQAAEHDh38AAAAC"]

On a different website, I found this too:

I saved a copy of these results for this day in case DreamHost wants to look at it. These errors are at the end of the Jan 21st error log, which would be about the right time on the West Coast.
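For working through a large error.log like the ones discussed in this thread, the following is an added example (not part of any post above, and not DreamHost's tooling) that tallies ModSecurity "Access denied" entries by client, rule and URI. It assumes the line format of the entry quoted in #5; the function names and the sample lines are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample in the format of the entry quoted above (documentation
# IPs, placeholder hostname and request data; not taken from a real log).
SAMPLE_LOG = r'''
[error] [client 203.0.113.7] ModSecurity: Access denied with code 418 (phase 1). Pattern match "(constructed)" at ARGS_NAMES:x. [file "/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf"] [line "9"] [id "1980002"] [msg "passwd/shadow access"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search/"] [unique_id "constructed-1"]
[error] [client 203.0.113.7] ModSecurity: Access denied with code 418 (phase 1). Pattern match "(constructed)" at ARGS_NAMES:y. [file "/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf"] [line "9"] [id "1980002"] [msg "passwd/shadow access"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search/"] [unique_id "constructed-2"]
[error] [client 198.51.100.23] ModSecurity: Access denied with code 418 (phase 1). Pattern match "(constructed)" at ARGS_NAMES:z. [file "/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf"] [line "9"] [id "1980002"] [msg "passwd/shadow access"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/"] [unique_id "constructed-3"]
[error] [client 198.51.100.23] File does not exist: /home/user/example.com/favicon.ico
'''.strip().splitlines()

CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+)\]')
# Matches the bracketed metadata pairs such as [id "1980002"] or [uri "/search/"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_denial(line):
    """Return a dict for a ModSecurity denial line, or None for any other line."""
    if "ModSecurity: Access denied" not in line:
        return None
    client = CLIENT_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    return {
        "client": client.group(1) if client else "?",
        "id": fields.get("id", "?"),
        "msg": fields.get("msg", "?"),
        "hostname": fields.get("hostname", "?"),
        "uri": fields.get("uri", "?"),
    }

def summarize(lines):
    """Count denials per client IP, per (rule id, msg) and per (hostname, uri)."""
    by_client, by_rule, by_uri = Counter(), Counter(), Counter()
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        by_client[d["client"]] += 1
        by_rule[(d["id"], d["msg"])] += 1
        by_uri[(d["hostname"], d["uri"])] += 1
    return by_client, by_rule, by_uri

if __name__ == "__main__":
    # Pass a log path (e.g. a dated error.log file) or run with no argument for the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for title, counter in zip(("client", "rule", "uri"), summarize(lines)):
        print(title, counter.most_common(10))
```

A handful of blocked requests from one address, as in #5, shows up as a small count here; these entries are requests ModSecurity rejected, so the MySQL "too many connections" error would need to be traced in other log lines.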