From owner-freebsd-security@FreeBSD.ORG Sun Sep 28 16:59:43 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5BAC116A4B3 for ; Sun, 28 Sep 2003 16:59:43 -0700 (PDT) Received: from astra.telenet-ops.be (astra.telenet-ops.be [195.130.132.58]) by mx1.FreeBSD.org (Postfix) with ESMTP id D601444031 for ; Sun, 28 Sep 2003 16:59:41 -0700 (PDT) (envelope-from philip@paeps.cx) Received: from localhost (localhost.localdomain [127.0.0.1]) by astra.telenet-ops.be (Postfix) with SMTP id 54EDE37EE1 for ; Mon, 29 Sep 2003 01:59:40 +0200 (MEST) Received: from fortuna.home.paeps.cx (D576865A.kabel.telenet.be [213.118.134.90]) by astra.telenet-ops.be (Postfix) with ESMTP id 4290337EB5 for ; Mon, 29 Sep 2003 01:59:40 +0200 (MEST) Received: from hermes.home.paeps.cx (hermes.home.paeps.cx [10.0.0.4]) by fortuna.home.paeps.cx (Postfix) with ESMTP id 179BD20EE for ; Mon, 29 Sep 2003 01:59:40 +0200 (CEST) Received: by hermes.home.paeps.cx (Postfix, from userid 1001) id 77D0456; Mon, 29 Sep 2003 01:59:39 +0200 (CEST) Date: Mon, 29 Sep 2003 01:59:39 +0200 From: Philip Paeps To: security@freebsd.org Message-ID: <20030928235939.GH629@hermes.home.paeps.cx> Mail-Followup-To: security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Date-in-Rome: ante diem V Kalendas Octobres MMDCCLVI ab Urbe Condida X-PGP-Fingerprint: FA74 3C27 91A6 79D5 F6D3 FC53 BF4B D0E6 049D B879 X-Message-Flag: Get a proper mailclient! Mutt: User-Agent: Mutt/1.5.4i Subject: Apache under attack and eating resources? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Sep 2003 23:59:43 -0000 This might be more related to an Apache-security list, but as the machine is running FreeBSD, I thought I'd ask here first. In the last two weeks, I've been seeing some very strange errors in my logs a few times daily around the same times. While this happens, load averages go through the roof (I've seen 36+, which is outragous), and the machine becomes very unresponsive. First there's a few million of these: httpd in free(): warning: recursive call Many megs of logfiles, in fact, then, suddenly, I get some that yell: httpd in malloc(): warning: recursive call Those are followed closely by: [Mon Sep 29 01:10:57 2003] [notice] child pid 88809 exit signal Segmentation fault (11) And then it repeats, frequently saying these as well: httpd in free(): warning: page is already free FATAL: emalloc(): Unable to allocate 40 bytes Allowed memory size of 8388608 bytes exhausted (tried to allocate 10 bytes) httpd in free(): warning: chunk is already free My logs are filling up with these, and I'm not sure where to look. Crossreferencing the times with vhost error logs and access logs isn't turning up anything spectacular. The loads around the times when this occurs aren't staggering either, so I'm thinking perhaps someone is DoS'ing my machine :-/ Has anyone else seen this problem recently? I found some posts in Google and other archives mentioning Apache going berzerk like this, but no real solutions. I have MaxClients set to 175, and Apache never complains about that being too low. I don't have any particular ulimits set, as the defaults always worked well. In fact, this is the first time I've ever seen a FreeBSD scream for resources without me sitting at it and torturing it myself. Any ideas? Thanks! - Philip [worried] -- Philip Paeps Please don't CC me, I am subscribed to the list. A real diplomat is one who can cut his neighbor's throat without having his neighbor notice it. -- Trygve Lie