TCP SYN Double on HTTP Access - tcp

While analyzing my network HTTP traffic I found that a single http:// request shows two connections. I used a netfilter module to log TCP sequence numbers. I tried to visit a simple Apache "It Works!" default page.
A single request initiated two connections with sport 35156 and 35157 to dport 80.
Could anyone explain why I see two connections for a single request?
Is it possible to get rid of this?
Is there a chance of malware presence?
kern.log
May 8 17:19:19 vmdsk01 kernel: [185735.888978] |SYN
May 8 17:19:19 vmdsk01 kernel: [185735.888992] eth0:(192.168.2.168):35478 --> <NULL>:(192.168.2.169):80 SEQ:4133841020 ACK:0
May 8 17:19:19 vmdsk01 kernel: [185735.889045] |SYN
May 8 17:19:19 vmdsk01 kernel: [185735.889052] |ACK
May 8 17:19:19 vmdsk01 kernel: [185735.889060] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35478 SEQ:3372377752 ACK:4133841021
May 8 17:19:19 vmdsk01 kernel: [185735.889225] |SYN
May 8 17:19:19 vmdsk01 kernel: [185735.889235] eth0:(192.168.2.168):35479 --> <NULL>:(192.168.2.169):80 SEQ:376871724 ACK:0
May 8 17:19:19 vmdsk01 kernel: [185735.889258] |SYN
May 8 17:19:19 vmdsk01 kernel: [185735.889264] |ACK
May 8 17:19:19 vmdsk01 kernel: [185735.889273] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35479 SEQ:3375376005 ACK:376871725
May 8 17:19:19 vmdsk01 kernel: [185735.889387] |ACK
May 8 17:19:19 vmdsk01 kernel: [185735.889397] eth0:(192.168.2.168):35478 --> <NULL>:(192.168.2.169):80 SEQ:4133841021 ACK:3372377753
May 8 17:19:19 vmdsk01 kernel: [185735.889424] |ACK
May 8 17:19:19 vmdsk01 kernel: [185735.889432] eth0:(192.168.2.168):35479 --> <NULL>:(192.168.2.169):80 SEQ:376871725 ACK:3375376006
May 8 17:19:19 vmdsk01 kernel: [185735.890359] |ACK
May 8 17:19:19 vmdsk01 kernel: [185735.890370] eth0:(192.168.2.168):35478 --> <NULL>:(192.168.2.169):80 SEQ:4133841021 ACK:3372377753
May 8 17:19:19 vmdsk01 kernel: [185735.890411] |ACK
May 8 17:19:19 vmdsk01 kernel: [185735.890420] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35478 SEQ:3372377753 ACK:4133841473
May 8 17:19:19 vmdsk01 kernel: [185735.891155] |ACK
May 8 17:19:19 vmdsk01 kernel: [185735.891193] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35478 SEQ:3372377753 ACK:4133841473
May 8 17:19:19 vmdsk01 kernel: [185735.891351] |ACK
May 8 17:19:23 vmdsk01 kernel: [185735.891360] eth0:(192.168.2.168):35478 --> <NULL>:(192.168.2.169):80 SEQ:4133841473 ACK:3372377963
May 8 17:19:23 vmdsk01 kernel: [185739.880282] |SYN
May 8 17:19:23 vmdsk01 kernel: [185739.880291] |ACK
May 8 17:19:23 vmdsk01 kernel: [185739.880312] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35479 SEQ:3375376005 ACK:376871725
May 8 17:19:23 vmdsk01 kernel: [185739.880492] |ACK
May 8 17:19:33 vmdsk01 kernel: [185739.880502] eth0:(192.168.2.168):35479 --> <NULL>:(192.168.2.169):80 SEQ:376871725 ACK:3375376006
May 8 17:19:33 vmdsk01 kernel: [185749.890397] FIN
May 8 17:19:33 vmdsk01 kernel: [185749.890409] |ACK
May 8 17:19:33 vmdsk01 kernel: [185749.890420] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35479 SEQ:3375376006 ACK:376871725
May 8 17:19:33 vmdsk01 kernel: [185749.923800] |ACK
May 8 17:19:34 vmdsk01 kernel: [185749.923805] eth0:(192.168.2.168):35479 --> <NULL>:(192.168.2.169):80 SEQ:376871725 ACK:3375376007
May 8 17:19:34 vmdsk01 kernel: [185750.903428] FIN
May 8 17:19:34 vmdsk01 kernel: [185750.903440] |ACK
May 8 17:19:34 vmdsk01 kernel: [185750.903450] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35478 SEQ:3372377963 ACK:4133841473
May 8 17:19:34 vmdsk01 kernel: [185750.931508] |ACK
May 8 17:19:35 vmdsk01 kernel: [185750.931519] eth0:(192.168.2.168):35478 --> <NULL>:(192.168.2.169):80 SEQ:4133841473 ACK:3372377964
May 8 17:19:35 vmdsk01 kernel: [185751.666526] FIN
May 8 17:19:35 vmdsk01 kernel: [185751.666536] |ACK
May 8 17:19:35 vmdsk01 kernel: [185751.666546] eth0:(192.168.2.168):35479 --> <NULL>:(192.168.2.169):80 SEQ:376871725 ACK:3375376007
May 8 17:19:35 vmdsk01 kernel: [185751.666572] |ACK
May 8 17:19:35 vmdsk01 kernel: [185751.666581] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35479 SEQ:3375376007 ACK:376871726
May 8 17:19:35 vmdsk01 kernel: [185751.666725] FIN
May 8 17:19:35 vmdsk01 kernel: [185751.666732] |ACK
May 8 17:19:35 vmdsk01 kernel: [185751.666741] eth0:(192.168.2.168):35478 --> <NULL>:(192.168.2.169):80 SEQ:4133841473 ACK:3372377964
May 8 17:19:35 vmdsk01 kernel: [185751.666757] |ACK
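The two flows in the log above can be compared by reconstructing each connection from its SEQ numbers. This is an added example, not code from the question or any answer: a Python parser for the netfilter log layout shown (the regexes assume the exact `[timestamp] iface:(ip):port --> iface:(ip):port SEQ: ACK:` format) that reports, per client port, how many payload bytes each side sent, how long the connection lived and which side sent the first FIN. On the abridged excerpt embedded in the block, port 35478 carries 452 bytes of request and 210 bytes of response, while 35479 never carries application data and is closed by the server after about 14 seconds idle.

```python
import re
# Abridged copy of the kern.log from the question: one or more flag lines, then an address line, per packet.
KERN_LOG = """\
May 8 17:19:19 vmdsk01 kernel: [185735.888978] |SYN
May 8 17:19:19 vmdsk01 kernel: [185735.888992] eth0:(192.168.2.168):35478 --> <NULL>:(192.168.2.169):80 SEQ:4133841020 ACK:0
May 8 17:19:19 vmdsk01 kernel: [185735.889045] |SYN
May 8 17:19:19 vmdsk01 kernel: [185735.889052] |ACK
May 8 17:19:19 vmdsk01 kernel: [185735.889060] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35478 SEQ:3372377752 ACK:4133841021
May 8 17:19:19 vmdsk01 kernel: [185735.889225] |SYN
May 8 17:19:19 vmdsk01 kernel: [185735.889235] eth0:(192.168.2.168):35479 --> <NULL>:(192.168.2.169):80 SEQ:376871724 ACK:0
May 8 17:19:19 vmdsk01 kernel: [185735.889258] |SYN
May 8 17:19:19 vmdsk01 kernel: [185735.889264] |ACK
May 8 17:19:19 vmdsk01 kernel: [185735.889273] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35479 SEQ:3375376005 ACK:376871725
May 8 17:19:19 vmdsk01 kernel: [185735.891351] |ACK
May 8 17:19:23 vmdsk01 kernel: [185735.891360] eth0:(192.168.2.168):35478 --> <NULL>:(192.168.2.169):80 SEQ:4133841473 ACK:3372377963
May 8 17:19:33 vmdsk01 kernel: [185749.890397] FIN
May 8 17:19:33 vmdsk01 kernel: [185749.890409] |ACK
May 8 17:19:33 vmdsk01 kernel: [185749.890420] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35479 SEQ:3375376006 ACK:376871725
May 8 17:19:34 vmdsk01 kernel: [185750.903428] FIN
May 8 17:19:34 vmdsk01 kernel: [185750.903440] |ACK
May 8 17:19:34 vmdsk01 kernel: [185750.903450] <NULL>:(192.168.2.169):80 --> eth0:(192.168.2.168):35478 SEQ:3372377963 ACK:4133841473
May 8 17:19:35 vmdsk01 kernel: [185751.666757] |ACK
"""
FLAG_RE = re.compile(r"\]\s+\|?(SYN|ACK|FIN|RST|PSH|URG)\s*$")
PKT_RE = re.compile(r"\[(\d+\.\d+)\].*?\((\d[\d.]+)\):(\d+) --> .*?\((\d[\d.]+)\):(\d+) SEQ:(\d+) ACK:")

def parse_packets(text):
    """(ts, src, sport, dst, dport, seq, flags) per packet; flag lines attach to the address line after them."""
    pending, packets = set(), []
    for line in text.splitlines():
        if (m := FLAG_RE.search(line)):
            pending.add(m.group(1))
        elif (m := PKT_RE.search(line)):
            ts, src, sp, dst, dp, seq = m.groups()
            packets.append((float(ts), src, int(sp), dst, int(dp), int(seq), frozenset(pending)))
            pending = set()
    return packets  # a trailing flag line with no address line (a cut-off log) is dropped

def summarize_flows(text):
    """Per connection, keyed by client port: payload bytes each way (SEQ arithmetic), duration, first FIN sender."""
    flows = {}
    for ts, src, sp, dst, dp, seq, flags in parse_packets(text):
        if flags == {"SYN"}:  # a bare SYN opens the flow; its sender is the client
            flows[(src, sp, dst, dp)] = dict(start=ts, end=ts, isn={}, fin={}, hi={}, closed_by=None)
        key = (src, sp, dst, dp) if (src, sp, dst, dp) in flows else (dst, dp, src, sp)
        if key not in flows:
            continue  # mid-stream packet of a flow whose SYN is not in the excerpt
        f, side = flows[key], ("client" if (src, sp) == key[:2] else "server")
        f["end"], f["hi"][side] = ts, max(f["hi"].get(side, 0), seq)
        f["isn"].setdefault(side, seq)
        if "FIN" in flags:
            f["fin"].setdefault(side, seq)
            f["closed_by"] = f["closed_by"] or side
    out = {}
    for key, f in flows.items():
        # bytes a side sent = SEQ where its FIN starts (else its highest SEQ) - ISN - 1 for the SYN itself
        sent = {s: max(0, f["fin"].get(s, f["hi"][s]) - f["isn"][s] - 1) for s in f["isn"]}
        out[key[1]] = dict(client_bytes=sent.get("client", 0), server_bytes=sent.get("server", 0),
                           duration_s=round(f["end"] - f["start"], 3), closed_by=f["closed_by"])
    return out
```

Call summarize_flows(KERN_LOG) to get the per-port report. A spare connection that never carries data and is closed by the server's idle timeout is the footprint browsers leave when they open a speculative second connection; a second flow that does carry payload is the one to inspect further.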

Related

AWK - getting the min date/time on a computed command output

I'm running a command to get the below output:
bash-3.2$ /usr/g1_listuser
Licensed(UDT+CP)/Effective Udt Sql iPhtm Pooled Total
( 25 + 2 ) / 27 5 0 0 0 5
UDTNO USRNBR UID USRNAME USRTYPE TTY TIME DATE
1 14310 10889 webspher phantom none 08:46:13 Feb 16 2017
2 8327 10889 webspher phantom none 23:45:21 Feb 15 2017
6 26704 30797 t576278 udt pts/1 04:21:29 Feb 16 2017
7 8735 10889 webspher phantom none 23:45:25 Feb 15 2017
8 29590 10889 webspher phantom none 03:34:29 Feb 16 2017
9 29340 10889 webspher phantom none 09:47:34 Feb 16 2017
10 28627 10889 webspher phantom none 09:47:19 Feb 16 2017
11 9850 10889 webspher phantom none 23:45:41 Feb 15 2017
12 28805 10889 webspher phantom none 09:47:24 Feb 16 2017
13 8957 10889 webspher phantom none 23:45:29 Feb 15 2017
14 3487 10889 webspher phantom none 09:47:20 Feb 14 2017
15 24327 32027 p101468 udt pts/3 15:00:12 Feb 15 2017
16 29631 10889 webspher phantom none 09:47:38 Feb 16 2017
18 9644 10889 webspher phantom none 23:45:36 Feb 15 2017
20 29073 10889 webspher phantom none 03:34:25 Feb 16 2017
21 29838 10889 webspher phantom none 03:34:33 Feb 16 2017
22 26728 10889 webspher udt none 08:00:18 Feb 13 2017
23 21835 10889 webspher phantom none 02:00:42 Feb 16 2017
25 12188 10889 webspher phantom none 08:45:33 Feb 16 2017
26 1138 10889 webspher phantom none 03:34:47 Feb 16 2017
27 21458 10889 webspher phantom none 02:00:37 Feb 16 2017
28 20834 10889 webspher phantom none 02:00:29 Feb 16 2017
29 20961 10889 webspher phantom none 02:00:32 Feb 16 2017
30 1561 10889 webspher phantom none 03:34:51 Feb 16 2017
31 7668 10889 webspher phantom none 04:02:21 Feb 16 2017
32 20998 10889 webspher phantom none 02:00:33 Feb 16 2017
33 21461 10889 webspher phantom none 02:00:37 Feb 16 2017
41 10980 10889 webspher udt none 09:00:39 Feb 13 2017
42 3276 10889 webspher phantom none 04:00:43 Feb 16 2017
43 12985 10889 webspher udt none 04:07:30 Feb 15 2017
The result I'm trying to get is a count per USRNAME and the min date/time associated with it; I built the below command:
/usr/g1_listuser | grep -v 'Licensed' | grep -v '(' | grep -v 'UDTNO' | awk 'BEGIN {FS=OFS=SUBSEP=" "}{arr[$4]+=1;date=$7$8$9$10;min_date="999999999";if(min_date>date){min_date=date};}END {for (i in arr) if (i != null) print i,min_date,arr[i];}'
That outputs the below:
webspher 31
p101468 1
t576278 1
Which doesn't display the date and time properly. Any help is welcome.
Machine: sun4u sparc 5.10 Generic_150400-32
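A corrected version of the computation the question describes, as an added example in Python rather than awk (not code from the question): each data row's TIME and DATE fields are parsed into a real datetime so the minimum is found chronologically rather than by string comparison, and the minimum is tracked per USRNAME instead of being reset on every line. The embedded input is an abridged copy of the /usr/g1_listuser output above, headers included to show the filtering.

```python
from collections import defaultdict
from datetime import datetime

# Abridged copy of the /usr/g1_listuser output from the question (headers kept to show the filtering).
LISTUSER_OUTPUT = """\
Licensed(UDT+CP)/Effective Udt Sql iPhtm Pooled Total
( 25 + 2 ) / 27 5 0 0 0 5
UDTNO USRNBR UID USRNAME USRTYPE TTY TIME DATE
1 14310 10889 webspher phantom none 08:46:13 Feb 16 2017
2 8327 10889 webspher phantom none 23:45:21 Feb 15 2017
6 26704 30797 t576278 udt pts/1 04:21:29 Feb 16 2017
14 3487 10889 webspher phantom none 09:47:20 Feb 14 2017
15 24327 32027 p101468 udt pts/3 15:00:12 Feb 15 2017
22 26728 10889 webspher udt none 08:00:18 Feb 13 2017
"""

def earliest_login_per_user(text):
    """Return {USRNAME: (session_count, earliest_login)}.

    The awk attempt in the question compares the concatenated TIME/DATE fields as a
    string and resets min_date on every line; here TIME and DATE are parsed into a
    datetime and the per-user minimum is kept across all rows."""
    count, earliest = defaultdict(int), {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a numeric UDTNO and end with TIME MON DAY YEAR; header rows are skipped.
        if len(fields) < 10 or not fields[0].isdigit():
            continue
        user = fields[3]
        when = datetime.strptime(" ".join(fields[6:10]), "%H:%M:%S %b %d %Y")
        count[user] += 1
        earliest[user] = min(earliest.get(user, when), when)
    return {u: (count[u], earliest[u]) for u in count}

if __name__ == "__main__":
    for user, (n, first) in sorted(earliest_login_per_user(LISTUSER_OUTPUT).items()):
        print(f"{user} {first:%Y-%m-%d %H:%M:%S} {n}")
```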

running `mtr` network diagnostic tool in the background like `nohup` processes

mtr is a great tool for debugging network packet loss. Here is a sample mtr output.
My traceroute [v0.85]
myserver.com (0.0.0.0) Thu Jan 19 04:10:04 2017
Resolver: Received error response 2. (server failure)
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. 192.168.104.23 0.0% 11 0.6 0.6 0.5 0.8 0.0
2. machine1.com 0.0% 11 8.5 12.4 2.0 20.5 5.5
3. mchine2.org.com 0.0% 11 1.2 1.0 0.8 1.8 0.0
4. machine3.orgcom 0.0% 11 0.8 0.9 0.7 1.1 0.0
However, while running mtr on the server, you can't log off the server.
I need mtr to output to a text file and run in the background, similar to a nohup command.
I should also be able to look into the report, something like using tail -f on the output file.
mtr offers the -r option, which puts mtr into report mode. In this mode, mtr will run for the number of cycles specified by the -c option, then print statistics and exit. So we can create a script to run the command and add the script to a cron entry on your schedule. For example:
/usr/sbin/mtr -r -c 2 www.google.com >> /home/mtr.log
Cron entry, run every minute:
* * * * * sh /path/to/script
Then you can tail -f on the output file.
If systemd is used
┌──[root#vms81.liruilongs.github.io]-[~]
└─$systemd-run --on-calendar=*:*:00 --unit mtr-print-log --slice mtr /usr/sbin/mtr -r -b 192.168.29.154
Running timer as unit mtr-print-log.timer.
Will run service as unit mtr-print-log.service.
Viewing mtr logs
┌──[root#vms81.liruilongs.github.io]-[~]
└─$journalctl -u mtr-print-log.service
-- Logs begin at 六 2022-12-24 21:56:02 CST, end at 六 2022-12-24 22:10:19 CST. --
12月 24 22:07:00 vms81.liruilongs.github.io systemd[1]: Started /usr/sbin/mtr -r -b 192.168.29.154.
12月 24 22:07:14 vms81.liruilongs.github.io mtr[15427]: Start: Sat Dec 24 22:07:00 2022
12月 24 22:07:14 vms81.liruilongs.github.io mtr[15427]: HOST: vms81.liruilongs.github.io Loss% Snt Last Avg Best Wrst StDev
12月 24 22:07:14 vms81.liruilongs.github.io mtr[15427]: 1.|-- gateway (192.168.26.2) 0.0% 10 0.4 0.3 0.2 0.5 0.0
12月 24 22:07:14 vms81.liruilongs.github.io mtr[15427]: 2.|-- 192.168.29.154 0.0% 10 1.5 0.9 0.7 1.5 0.0
12月 24 22:08:00 vms81.liruilongs.github.io systemd[1]: Started /usr/sbin/mtr -r -b 192.168.29.154.
12月 24 22:08:14 vms81.liruilongs.github.io mtr[16400]: Start: Sat Dec 24 22:08:00 2022
12月 24 22:08:14 vms81.liruilongs.github.io mtr[16400]: HOST: vms81.liruilongs.github.io Loss% Snt Last Avg Best Wrst StDev
12月 24 22:08:14 vms81.liruilongs.github.io mtr[16400]: 1.|-- gateway (192.168.26.2) 0.0% 10 0.3 0.3 0.2 0.4 0.0
12月 24 22:08:14 vms81.liruilongs.github.io mtr[16400]: 2.|-- 192.168.29.154 0.0% 10 1.0 1.0 0.7 1.4 0.0
12月 24 22:09:00 vms81.liruilongs.github.io systemd[1]: Started /usr/sbin/mtr -r -b 192.168.29.154.
12月 24 22:09:14 vms81.liruilongs.github.io mtr[17411]: Start: Sat Dec 24 22:09:00 2022
12月 24 22:09:14 vms81.liruilongs.github.io mtr[17411]: HOST: vms81.liruilongs.github.io Loss% Snt Last Avg Best Wrst StDev
12月 24 22:09:14 vms81.liruilongs.github.io mtr[17411]: 1.|-- gateway (192.168.26.2) 0.0% 10 0.3 0.3 0.3 0.5 0.0
12月 24 22:09:14 vms81.liruilongs.github.io mtr[17411]: 2.|-- 192.168.29.154 0.0% 10 0.9 0.9 0.7 1.3 0.0
If you only want to see the output and the execution time, you can:
┌──[root#vms81.liruilongs.github.io]-[~]
└─$journalctl -u mtr-print-log.service -o cat | tail -n 10
Started /usr/sbin/mtr -r -b 192.168.29.154.
Start: Sat Dec 24 22:13:00 2022
HOST: vms81.liruilongs.github.io Loss% Snt Last Avg Best Wrst StDev
1.|-- gateway (192.168.26.2) 0.0% 10 0.2 0.3 0.2 0.5 0.0
2.|-- 192.168.29.154 0.0% 10 0.8 0.8 0.7 1.1 0.0
Started /usr/sbin/mtr -r -b 192.168.29.154.
Start: Sat Dec 24 22:14:00 2022
HOST: vms81.liruilongs.github.io Loss% Snt Last Avg Best Wrst StDev
1.|-- gateway (192.168.26.2) 0.0% 10 0.3 0.3 0.2 0.4 0.0
2.|-- 192.168.29.154 0.0% 10 0.9 0.8 0.7 1.0 0.0
Delete mtr process
┌──[root#vms81.liruilongs.github.io]-[~]
└─$systemctl stop mtr-print-log.timer
┌──[root#vms81.liruilongs.github.io]-[~]
└─$systemctl is-active mtr-print-log.service
unknown

How to read file with a specific format in R?

I'd like to read a file where each line represents a dataset containing date, some text as well as numbers. Example:
Fri Dec 11 12:40:01 CET 2015 Uptime: 108491 Threads: 2 Questions: 576603 Slow queries: 10 Opens: 2238 Flush tables: 1 Open tables: 7 Queries per second avg: 5.314
Fri Dec 11 12:50:01 CET 2015 Uptime: 109090 Threads: 2 Questions: 580407 Slow queries: 10 Opens: 2253 Flush tables: 1 Open tables: 6 Queries per second avg: 5.320
Fri Dec 11 13:00:01 CET 2015 Uptime: 109690 Threads: 2 Questions: 583895 Slow queries: 10 Opens: 2268 Flush tables: 1 Open tables: 8 Queries per second avg: 5.323
Fri Dec 11 13:10:01 CET 2015 Uptime: 110290 Threads: 1 Questions: 586891 Slow queries: 10 Opens: 2279 Flush tables: 1 Open tables: 6 Queries per second avg: 5.321
Fri Dec 11 13:20:01 CET 2015 Uptime: 110890 Threads: 2 Questions: 590871 Slow queries: 10 Opens: 2292 Flush tables: 1 Open tables: 5 Queries per second avg: 5.328
There is no general separating character (like in CSV), but the format can be described pretty well, since tabs, characters and text can be used.
%DATESTRING%\tUptime: %uptime% Threads: %threads% Questions: %questions% Slow queries: %slow% Opens: %opens% Flush tables: %flush% Open tables: %otables% Queries per second avg: %qps%
Is there a function that takes the description of the format and the file and fills a data.frame with the given data?
The package tidyr has some utility functions that may be useful for this, although I wouldn't be surprised if there were more special-purpose tools built for this job.
We start by loading the data, in this case from a string
raw <- 'Fri Dec 11 12:40:01 CET 2015 Uptime: 108491 Threads: 2 Questions: 576603 Slow queries: 10 Opens: 2238 Flush tables: 1 Open tables: 7 Queries per second avg: 5.314
Fri Dec 11 12:50:01 CET 2015 Uptime: 109090 Threads: 2 Questions: 580407 Slow queries: 10 Opens: 2253 Flush tables: 1 Open tables: 6 Queries per second avg: 5.320
Fri Dec 11 13:00:01 CET 2015 Uptime: 109690 Threads: 2 Questions: 583895 Slow queries: 10 Opens: 2268 Flush tables: 1 Open tables: 8 Queries per second avg: 5.323
Fri Dec 11 13:10:01 CET 2015 Uptime: 110290 Threads: 1 Questions: 586891 Slow queries: 10 Opens: 2279 Flush tables: 1 Open tables: 6 Queries per second avg: 5.321
Fri Dec 11 13:20:01 CET 2015 Uptime: 110890 Threads: 2 Questions: 590871 Slow queries: 10 Opens: 2292 Flush tables: 1 Open tables: 5 Queries per second avg: 5.328'
df <- read.csv(textConnection(raw), header=F)
Here I've used read.csv so that I get it as a data frame, but you could also just use readLines and add it to a frame yourself.
Then we process it
library(tidyr)
> processed <- df %>% extract(V1,
c("Date", "Uptime", "Threads", "Questions"),
"(.*) *Uptime: (\\d+) *Threads: (\\d+) *Questions: (\\d+)")
> processed
Date Uptime Threads Questions
1 Fri Dec 11 12:40:01 CET 2015 108491 2 576603
2 Fri Dec 11 12:50:01 CET 2015 109090 2 580407
3 Fri Dec 11 13:00:01 CET 2015 109690 2 583895
4 Fri Dec 11 13:10:01 CET 2015 110290 1 586891
5 Fri Dec 11 13:20:01 CET 2015 110890 2 590871
It should be clear how to extract the remaining columns from here.
Two more options:
txt <- "Fri Dec 11 12:40:01 CET 2015 Uptime: 108491 Threads: 2 Questions: 576603 Slow queries: 10 Opens: 2238 Flush tables: 1 Open tables: 7 Queries per second avg: 5.314
Fri Dec 11 12:50:01 CET 2015 Uptime: 109090 Threads: 2 Questions: 580407 Slow queries: 10 Opens: 2253 Flush tables: 1 Open tables: 6 Queries per second avg: 5.320
Fri Dec 11 13:00:01 CET 2015 Uptime: 109690 Threads: 2 Questions: 583895 Slow queries: 10 Opens: 2268 Flush tables: 1 Open tables: 8 Queries per second avg: 5.323
Fri Dec 11 13:10:01 CET 2015 Uptime: 110290 Threads: 1 Questions: 586891 Slow queries: 10 Opens: 2279 Flush tables: 1 Open tables: 6 Queries per second avg: 5.321
Fri Dec 11 13:20:01 CET 2015 Uptime: 110890 Threads: 2 Questions: 590871 Slow queries: 10 Opens: 2292 Flush tables: 1 Open tables: 5 Queries per second avg: 5.328"
## first just tack on the date label
txt <- gsub('^', 'Date: ', readLines(textConnection(txt)))
option 1
sp <- strsplit(txt, '\\s{2,}')
out <- lapply(sp, function(x) gsub('([\\w ]+:)\\s+(.*)$', '\\2', x, perl = TRUE))
dd <- setNames(do.call('rbind.data.frame', out),
gsub('([\\w ]+):\\s+(.*)$', '\\1', sp[[1]], perl = TRUE))
dd[, -1] <- lapply(dd[, -1], function(x) as.numeric(as.character(x)))
dd
option 2: This one uses the yaml package but is much more straightforward and does the type conversion for you
yml <- gsub('\\s{2,}', '\n', txt)
do.call('rbind.data.frame', lapply(yml, yaml::yaml.load))
# Date Uptime Threads Questions Slow queries Opens Flush tables
# 1 Fri Dec 11 12:40:01 CET 2015 108491 2 576603 10 2238 1
# 2 Fri Dec 11 12:50:01 CET 2015 109090 2 580407 10 2253 1
# 3 Fri Dec 11 13:00:01 CET 2015 109690 2 583895 10 2268 1
# 4 Fri Dec 11 13:10:01 CET 2015 110290 1 586891 10 2279 1
# 5 Fri Dec 11 13:20:01 CET 2015 110890 2 590871 10 2292 1
# Open tables Queries per second avg
# 1 7 5.314
# 2 6 5.320
# 3 8 5.323
# 4 6 5.321
# 5 5 5.328

configure error on FreeBSD

I git cloned the newest ECL and did the following:
$./configure --prefix=/home/***/ecl
...
configure: error: Oops, mp_limb_t is 32 bits, but the assembler code
in this configuration expects 64 bits.
You appear to have set $CFLAGS, perhaps you also need to tell GMP the
intended ABI, see "ABI and ISA" in the manual.
configure: error: Failed to configure the GMP library.
$ls -l /usr/local/lib/libgmp*
-rw-r--r-- 1 root wheel 790194 9 11 14:04 /usr/local/lib/libgmp.a
-rwxr-xr-x 1 root wheel 907 9 11 14:04 /usr/local/lib/libgmp.la*
lrwxr-xr-x 1 root wheel 12 9 11 14:04 /usr/local/lib/libgmp.so# -> libgmp.so.10
-rwxr-xr-x 1 root wheel 434419 9 11 14:04 /usr/local/lib/libgmp.so.10*
-rw-r--r-- 1 root wheel 29292 9 11 14:04 /usr/local/lib/libgmpxx.a
-rwxr-xr-x 1 root wheel 943 9 11 14:04 /usr/local/lib/libgmpxx.la*
lrwxr-xr-x 1 root wheel 13 9 11 14:04 /usr/local/lib/libgmpxx.so# -> libgmpxx.so.6
-rwxr-xr-x 1 root wheel 21092 9 11 14:04 /usr/local/lib/libgmpxx.so.6*
Regards!

Thousands of instances of index.php opening at the same time

Suddenly my hosting account has been suspended due to thousands of instances of index.php opening at the same time.
The site is built around the latest version of WordPress and bbPress. Here's the email from the hosting company:
Action Taken: Please be aware we have suspended this account at this time in order to maintain the reliability and integrity of the server. Reason: Thousands of instances of index.php opening at the same time:
17270 myserver 15 0 268m 79m 52m R 17.5 2.0 0:00.38 /usr/bin/php /home/myserver/public_html/index.php
17287 myserver 16 0 268m 34m 8712 R 14.4 0.9 0:00.35 /usr/bin/php /home/myserver/public_html/index.php
17332 myserver 15 0 213m 26m 7680 S 12.9 0.7 0:00.17 /usr/bin/php /home/myserver/public_html/index.php
17276 myserver 16 0 283m 40m 7912 R 12.1 1.0 0:00.33 /usr/bin/php /home/myserver/public_html/index.php
17336 myserver 17 0 213m 26m 7680 S 12.1 0.7 0:00.16 /usr/bin/php /home/myserver/public_html/index.php
17341 myserver 18 0 213m 26m 7680 S 12.1 0.7 0:00.16 /usr/bin/php /home/myserver/public_html/index.php
17343 myserver 16 0 213m 26m 7680 S 12.1 0.7 0:00.16 /usr/bin/php /home/myserver/public_html/index.php
17339 myserver 17 0 213m 26m 7680 S 11.4 0.7 0:00.15 /usr/bin/php /home/myserver/public_html/index.php
17344 myserver 17 0 213m 26m 7680 S 11.4 0.7 0:00.15 /usr/bin/php /home/myserver/public_html/index.php
17347 myserver 17 0 213m 26m 7680 S 11.4 0.7 0:00.15 /usr/bin/php /home/myserver/public_html/index.php
17351 myserver 16 0 213m 26m 7680 S 11.4 0.7 0:00.15 /usr/bin/php /home/myserver/public_html/index.php
17353 myserver 17 0 213m 26m 7680 S 11.4 0.7 0:00.15 /usr/bin/php /home/myserver/public_html/index.php
17364 myserver 17 0 213m 26m 7680 S 11.4 0.7 0:00.15 /usr/bin/php /home/myserver/public_html/index.php
17368 myserver 17 0 209m 23m 7388 R 10.6 0.6 0:00.14 /usr/bin/php /home/myserver/public_html/index.php
17278 myserver 16 0 283m 40m 7896 R 9.9 1.0 0:00.28 /usr/bin/php /home/myserver/public_html/index.php
They have just emailed this too:
It is possible that your forum script is being abused if it is not secured or it has some security hole, but we can't provide more information as we do not know how it is coded.
Please check and let us know if you have any further questions.
Any ideas at what's going on?
You may have gotten DoS'd.
Exactly what dav said, or for some reason you are getting an insane load... To prevent that from happening again, you can cache your WordPress using a plugin like supercache to create some semi-static pages, and filter spam comments pre-reload, because every single page load = loading index.php.
Seems the problem is with sites getting indexed all at once, especially from crawlers like Yandex/Baidu who load up multiple pages at once.
Every page load via bot is another instance of index.php opening, so if you have 2000 pages on the site and they get indexed all at once, this is what you get.
You can try to add the below to your robots.txt (might or might not work):
User-agent: *
Crawl-Delay: 30
Disallow: /wp-admin/
User-agent: Yandex
Crawl-Delay: 30
User-agent: Baidu
Crawl-Delay: 30
or just block the IPs of crawlers (100% guarantee)