Over several weeks I've had warning emails about exceeding my CPU allowance on the shared server my site sits on. Every time I try to fix it, it happens again. I could really use some help with what I need to be looking for. Today I got a final warning and they will suspend my account by 19th July if I can't fix it.
First I found a couple of IPs that were top of my list and had been reported as malicious in stopforumspam.com, so I blocked them via the IP Deny in my cPanel.
When it happened again, my hosting provider told me to check my top 10 list of URLs for scripts and disable them one by one. The thing is, the CPU becomes excessive say once a week or fortnight - not regularly, so it's hard to tell if any measures have been effective. So I disabled Moodle and everything was ok for a short time, then I got another warning.
My forum was around no. 2 on the list of hits, and since it's hardly used anyway it looked like a good culprit, so I moved it to another folder. The hits went down of course but the CPU went up again some days later. I installed another forum (Kunena, it's a Joomla 1.5 site) but disabled it shortly after another warning.
I have also cleaned out unwanted mods that I've accumulated over the years.
Now my top 10 URL list is plain old HTML pages, but I got another warning this morning! I found another IP at the top of the list which came up with a warning when I googled it, so I blocked that one (from Ukraine), but I can't see how I can know in advance which IPs are going to try and attack me, and therefore prevent my CPU usage going up. I've installed a mod via Joomla which connects with stopforumspam.com, but one of the IPs I found recently was on their list but still got into my site. I can't sit watching my access logs 24/7 just in case, so what can a girl do?!
I downloaded my raw access logs today (advice of my hosting provider) and looked at them both in Word and with WebLog Expert. Although I've figured out what all the info means, I'm having trouble interpreting whether it's showing me normal or malicious usage. Some questions:
1. My raw access logs show things like each bit of .png that makes up my template - is that normal? Some pages seem to have a huge number of hits by the same IP at the same time - is that always suspicious? Is there some specific kind of pattern to look for? (What are these people trying to do anyway?!)
2. My list of referrers includes some very odd things which have no connection with my subject matter. When I visit their site there is no mention on the page of my website, even when I view the page source and do a search for my website name, nothing shows up - so how can they be referrers? Is this suspicious?
Is there anything else I can do to a) track down what's causing the problem and/or b) put preventive measures in place?
Many, many many thanks in advance.
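
The log questions above (template .png hits, many hits from one IP at the same moment, unrelated referrers) can be checked with a short script instead of by eye. The following is an added example, not part of the original post: it assumes the raw log is in Apache "combined" format, and the host name `example.org`, the sample lines and the threshold of 30 requests per minute are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Apache "combined" log format (assumption: the layout of the downloaded raw log)
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
STATIC = re.compile(r'\.(png|gif|jpe?g|css|js|ico)(\?|$)', re.I)

def summarize(lines, own_host, burst=30):
    """Return (bursty, page_hits, foreign_referrers).

    bursty: {ip: peak non-static requests in one minute}, only if peak >= burst
    page_hits: Counter of non-static paths (the requests that cost CPU)
    foreign_referrers: Counter of referrer hosts other than own_host
    """
    per_minute = defaultdict(Counter)
    page_hits, referrers = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ref_host = urlparse(m['ref']).hostname
        if ref_host and ref_host != own_host:
            referrers[ref_host] += 1  # the Referer header is client-supplied
        if STATIC.search(m['path']):
            continue  # one page view fetches every template image: expected
        page_hits[m['path'].split('?')[0]] += 1
        minute = m['ts'][:17]  # "01/Jan/2024:06:25" = date, hour, minute
        per_minute[m['ip']][minute] += 1
    bursty = {ip: max(c.values()) for ip, c in per_minute.items()
              if max(c.values()) >= burst}
    return bursty, page_hits, referrers

def sample_line(ip, sec, path, ref="-"):
    """Build one constructed combined-format line (documentation IP ranges)."""
    return (f'{ip} - - [01/Jan/2024:06:25:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{ref}" "Mozilla/5.0"')

# Constructed sample: one ordinary visitor, then one client hitting a script 40x
SAMPLE = [
    sample_line("192.0.2.10", 1, "/index.html"),
    sample_line("192.0.2.10", 1, "/templates/x/bg.png", "http://example.org/index.html"),
    sample_line("192.0.2.10", 2, "/templates/x/logo.png", "http://example.org/index.html"),
] + [sample_line("203.0.113.5", s, "/index.php?id=1", "http://spam.example.net/")
     for s in range(40)]

if __name__ == "__main__":
    for name, result in zip(("bursty", "pages", "referrers"),
                            summarize(SAMPLE, "example.org")):
        print(name, dict(result))
```

To run it on a real log, pass the open file and the site's own host name to `summarize`; the per-minute peak separates a visitor loading one page and its images from a client repeatedly requesting a script.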