MySQL problems after hacking/restore

[SECTalk.com]

Hey guys,

So we got hacked the other day. Actually, it was just a member who somehow got an admins password, and went in ACP and started deleting members. So I restored the members table from the backup from the previous night. Everything is fine now except the server is being weird.

Right after I restored the backup table, the server load was going over 50 and causing the site to be inaccessible for 10-15 minutes out of every hour.

Since then, our tech support company has made tweaks to MySQL, and the server load averages from 2-5 (it used to be 0.2 to 0.7 before the incident), occasionally going over 5 and making the community inaccessible due to the ACP setting where the site displays the not available message over 5 server load.

Also, the error log has a lot of "Error: 2006 - MySQL server has gone away" messages.

Any ideas?

[Rhett]

Is this a dedicated server, VPS pr shared hosting?

[Royzee]

Sounds like someone might be trying to find your login credentials.

If you have WHM, use Security Center >> cPHulk Brute Force Protection, and enable cPHulk protection if not on. Tighten it up a bit. Mine is set to ban for a month after 3 failed SSH attempts.
If you don't have WHM, but have server root access add Fail2Ban which is essentially the same as cPHulk without the graphical interface.

[SECTalk.com]

Hey guys, yeah we have a dedicated server with WHM.

I also opened a ticket, and Ryan made these changes which have helped quite a bit. We are still looking into it to figure out what is going on, but this may help some folks in the future:

[color=#282828][font=helvetica, arial, sans-serif][size=3]I did, however, take the amount of results returned on searches down from 1,000 to 200... that might help a bit. I also set "My Content" searches back to 365 days, rather than your current 10000.[/size][/font][/color]

[color=#282828][font=helvetica, arial, sans-serif][size=3]Okay, I also disabled the "Most Active In" feature for profiles. That is very resource intensive, and is actually removed in IPB 3.3.[/size][/font][/color]