From owner-freebsd-isp  Wed Mar 11 17:04:53 1998
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id RAA23011
          for freebsd-isp-outgoing; Wed, 11 Mar 1998 17:04:53 -0800 (PST)
          (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from rustbelt.COM (rustbelt.com [156.46.92.70])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA22997
          for <isp@FreeBSD.ORG>; Wed, 11 Mar 1998 17:04:50 -0800 (PST)
          (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost)
	by rustbelt.COM (8.8.7/8.8.7) id TAA00854;
	Wed, 11 Mar 1998 19:07:56 -0600 (CST)
	(envelope-from jeff-ml@mountin.net)
Received: from callufrax-13.isdn.mke.execpc.com(169.207.65.204) by rustbelt.com via smap (V1.3)
	id sma000852; Wed Mar 11 19:07:37 1998
Message-Id: <3.0.3.32.19980311190315.00752e34@156.46.92.70>
X-Sender: jeff-ml@156.46.92.70
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 11 Mar 1998 19:03:15 -0600
To: Kevin Day <toasty@home.dragondata.com>, dev@wopr.inetu.net (Dev)
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
Subject: Re: Runaway web server.
Cc: isp@FreeBSD.ORG
In-Reply-To: <199803112304.RAA18688@home.dragondata.com>
References: <Pine.BSF.3.95q.980311174734.6707A-100000@wopr.inetu.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 05:04 PM 3/11/98 -0600, Kevin Day wrote:
>> 
>> We have a freebsd 2.2.5 server w/96 megs of ram
>> running 13 instances of apache. (each spawning
>> about 5-10 children).
>> 
>> it seems something triggers _all_ of the servers
>> to become in the run state. about 4 or 5 children
>> seem to be using about 8 mb of ram. it is very
>> hard to actually kill the processes. (not just
>> from lag, but the process not dying after being
>> sent a kill signal).
>> 
>> when trying to kill the session leader it does not
>> seem to die.
>> 
>> The servers get stuck in a "waiting for reply"
>> state and never seem to respond. This server has
>> been up for over 40 days running fine.
>> 
>> We have finally rebooted the machine, and after
>> about four hours it happened again. 
>> 
>> Anyone have any suggestions?
>> 
>
>Is this a somewhat old version of apache?

I've gotten 2 runaway children on 2.2.5 with both Apache 1.2.4 and 1.2.5 so far and both are the only instances I've ever encountered in over 10 years of server time on various servers.

>If so, someone's exploiting a bug...  adding a ton of /'s in a URL will
>cause apache to come to a crawl...

In either case there was nothing suspicious/malicious in the logs around the time of the runaways, but someone did try to exploit a bug of 1.2.4 (or earlier?) with an invalid URL that was _really_ long, which didn't work. :)

At least this was only one child process on 2 different occasions, but considering how far both FBSD and Apache have come, it bothers me somewhat and now someone else has a more serious problem.

Have to like the reliability of FBSD and Apache, but am starting to wonder.


Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message