Over several weeks I've had warning emails about exceeding my CPU allowance on the shared server my site sits on. Every time I try to fix it, it happens again. I could really use some help with what I need to be looking for. Today I got a final warning and they will suspend my account by 19th July if I can't fix it

First I found a couple of IPs that were top of my list and had been reported as malicious in stopforumspam.com, so I blocked them via the IP Deny in my Cpanel.

When it happened again, my hosting provider told me to check my top 10 list of urls for scripts and disable them one by one. The thing is, the CPU becomes excessive say once a week or fortnight - not regularly, so it's hard to tell if any measures have been effective. So I disabled Moodle and everything was ok for a short time, then I got another warning.

My forum was around no.2 on the list of hits, and since it's hardly used anyway looked like a good culprit, I moved it to another folder. The hits went down of course but the CPU went up again some days later. I installed another forum (kunena, it's a Joomla 1.5 site) but disabled it shortly after after another warning.

I have also cleaned out unwanted mods that I've accumulated over the years.

Now my top 10 URL list is plain old html pages, but I got another warning this morning! I found another IP at the top of the list which came up with a warning when I googled it, so I blocked that one (from Ukraine), but I can't seen how I can know in advance which IPs are going to try and attack me, and therefore prevent my CPU usage going up. I've installed a mod via Joomla which connects with stopforumspam.com, but one of the IPs I found recently was on their list but still got into my site. I can't sit watching my access logs 24/7 just in case, so what can a girl do?!

I downloaded my raw access logs today (advice of my hosting provider) and looked at them both in Word and with weblog expert. Although I've figured out what all the info means, I'm having trouble interpreting whether it's showing me normal or malicious usage. Some questions:

1. my raw access logs show things like each bit of .png that makes up my template - is that normal? Some pages seem to have a huge number of hits by the same IP at the same time - is that always suspicious? Is there some specific kind of pattern to look for? (What are these people trying to do anyway?!)

2. My list of referrers includes some very odd things which have no connection with my subject matter. When I visit their site there is no mention on the page of my website, even when I view the page source and do a search for my website name, nothing shows up - so how can they be referrers? Is this suspicious?

Is there anything else I can do to a) track down what's causing the problem and/or b) put preventive measures in place?

Many, many many thanks in advance.

Quote:

so how can they be referrers? Is this suspicious?

It's called referrer spam, and it's done because logs and page referrers are often made public so they get a link or maybe a clickthrough from them

Quote:

my raw access logs show things like each bit of .png that makes up my template

Yep, that is what makes up the 'hits', every single element on your document is requested seperately from the server.

On a shared server it is almost impossible to isolate the cause of CPU spikes, as they will only be logged as runing in the user context.

I run Joomla and Kunena but do not see any heavy CPU usage from that site user, in fact it rarely goes above 4% per CPU (16 CPUs) - 64% total.

What shared hosts usually do in their CPU time calcs is just take the total value especially if they are overselling.
I'd say it's time to look for a host that isn't overloading their servers.

Is it possible that my traffic is just too much, or is it more likely to be something malicious do you think?

I am allowed "the maximum allowed CPU time which your account (SuperPro) can use in 100% load of one processor, for 24 hours is 20 minutes for 24 hours" (I find that hard to understand tbh!)

My cpu usage yesterday:


and the details:


I can't make a lot of sense of that - I can see the %, but how much CPU have I got then and is it a particularly stingy amount?

These are my stats for the last 2 weeks:


Hits
Total Hits 1,298,580
Visitor Hits 1,263,119
Spider Hits 35,461
Average Hits per Day 92,755
Average Hits per Visitor 43.34
Cached Requests 67,534
Failed Requests 30,474
Page Views
Total Page Views 115,138
Average Page Views per Day 8,224
Average Page Views per Visitor 3.95
Visitors
Total Visitors 29,146
Average Visitors per Day 2,081
Total Unique IPs 18,498
Bandwidth
Total Bandwidth 17.21 GB
Visitor Bandwidth 15.14 GB
Spider Bandwidth 2.07 GB
Average Bandwidth per Day 1.23 GB
Average Bandwidth per Hit 13.89 KB
Average Bandwidth per Visitor 544.57 KB

Malicious? probably not, but without seeing the access logs to correlate them to the CPU spikes it's impossible to say yay or nay to that.

With a average of 2k visits per day you are reaching the limits of the mass market shared hosting and/or the "unlimited/unmetered" hosting providers.
The Joomla "home page" can create some "impressive" instant CPU spiking because of the way it instantiates all the php objects and classes, so if you are getting a lot of traffic to or via the root url that could be were the CPU usage is coming from.

We have several hosting clients who are using Joomla! so often see CPU spikes in the process logs for index.php but because we will upgrade our dedi boxes or VMs when server load starts to affect performance it's never a problem. For us or our clients.

Oh! and 20mins in 24hours seems a bit *****rdly for a burst allowance.

Though they might be running low spec hardware, or with a smallish number of CPUs.

Ok apparently you can't say nig gardly despite it being a perfectly correct ENGLISH word meaining

stingy or grudgingly given

Which has ABSOLUTELY NO racial implications whatsoever.

Must be a Northern word... Not head that one "Down Sowuf" Lol! Although I'm sure "meaining" isn't in the English language?!

Could be a Geordie word, or maybe a fat fingered typnig eruur.

You are definitely using up to the upper threshold of your plan. I think their complaining is a hint that you need or should upgrade your plan to something more accommodating.

Thanks for the replies!

Yes they have said all along that by upgrading I would have more CPU space and therefore solve the problem, but they were also suggesting that I could "fix" the problem by finding and stopping any malicious IPs and/or optimizing my site. If they had simply said to me "you've hit the limit for your traffic" I would have upgraded straight away, but instead they have had me delving through all kinds of logs looking for clues to something that might not even exist! Anyway, yesterday was the deadline and they suspended me, but I've upgraded now & back online, so fingers crossed we will be ok for a while now.

Chris, I have never compared their hosting with elsewhere but if they are errr "stingy" ;-) with CPU it might be because they are cheap for a basic plan?

I went from £1.50 a month for this:
6555 MB space
65 GB Bandwidth
50 mailboxes
1 Add-on Domain
15 MySQL v.4 and 5
100 subdomains
15 FTP users
PHP / Perl / Python

to £3.90 a month for this:
37,555 MB space
3755 GB traffic
500 mailboxes
29 Add-on Domain
45 MySQL v.4 and 5
500 subdomains
45 FTP users
SSH access
PHP / Perl / Python

They don't make any mention of CPU allowance in the package details

PS I once got an email from an irate visitor telling me that it was outrageous that I was using the word "penalised" on a site used by children.

Given those prices and rather curious resource limits in the "packages", I would suspect the reason for the relatively low CPU time limits is that they are using older hardware that may have already served it's time as VMs or dedicated boxes and has been "put out to pasture" for using as cheap end hosting or "free" shared hosting.

It is what some of the big datacentre providers do to squeeze every penny/cent/lire/drachma/etc. from their hardware investment. If you delve deep enough into the hosting company hierarchy you will find that the "free hosts" are part of or a "trading name" of the bigger company. The package you are on now is the kind of VM setup that "free hosts" would be running, as making four or five quid a month from forced ads and/or "sponsors" is relatively easy.


You usually find CPU resource limits are buried in small print somewhere in the "techno-babble" of the ToS.

Quote:

PS I once got an email from an irate visitor telling me that it was outrageous that I was using the word "penalised" on a site used by children.

It's very curious why some people take offense at words that have no underlying connotations other than they read it incorrectly.

Quote:

Originally Posted by magicvw

I went from £1.50 a month for this:
6555 MB space
65 GB Bandwidth
50 mailboxes
1 Add-on Domain
15 MySQL v.4 and 5
100 subdomains
15 FTP users
PHP / Perl / Python

to £3.90 a month for this:
37,555 MB space
3755 GB traffic
500 mailboxes
29 Add-on Domain
45 MySQL v.4 and 5
500 subdomains
45 FTP users
SSH access
PHP / Perl / Python

That looks very limited to me. you should change host. if you google around you'll find some host at $6.99 (about £4.42) per month for unlimited space/traffic etc.. I even use such a host but can't tell here I would be marks as spammer...

Quote:

Originally Posted by magicvw

I have also cleaned out unwanted mods that I've accumulated over the years.

But you still have mods enabled though, right? It's more than likely due to one or more of them. Try disabling them one by one and checking your resource usage and you should be able to find the culprit.