From: "Dave [Hawk-Systems]"
Sender: owner-freebsd-questions@FreeBSD.ORG
Subject: RE: apache exiting signal 11, high request period
Date: Fri, 21 Mar 2003 11:46:57 -0500

no takers on this?

>-----Original Message-----
>Subject: apache exiting signal 11, high request period
>
>Following showed up in our morning security mailer
>Unusual System Events
>=-=-=-=-=-=-=-=-=-=-=
>Mar 19 06:01:00 web1 /kernel: pid 62342 (httpd), uid 65534: exited on signal 11
>Mar 19 06:01:00 web1 /kernel: pid 62343 (httpd), uid 65534: exited on signal 11
>Mar 19 06:01:00 web1 /kernel: pid 62344 (httpd), uid 65534: exited on signal 11
>Mar 19 06:01:01 web1 /kernel: pid 62345 (httpd), uid 65534: exited on signal 11
>...
>
>and doing a cat of the /var/log/httpd*.log
>[Wed Mar 19 06:31:00 2003] [notice] child pid 69197 exit signal Segmentation fault (11)
>[Wed Mar 19 06:31:00 2003] [notice] child pid 69196 exit signal Segmentation fault (11)
>[Wed Mar 19 06:31:00 2003] [notice] child pid 69195 exit signal Segmentation fault (11)
>[Wed Mar 19 06:31:00 2003] [notice] child pid 69194 exit signal Segmentation fault (11)
>...
>
>Looking at the input and output of the NIC for that period of time, there was a
>burst of access attempts between 5am-7am (same period covered by the above log
>anomalies)
>
>doing a cat of all the log files for virtual host directories showed the culprit
>(or suspected culprit at least)
>[Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user cobras not found: /members/members.htm
>[Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user loredana not found: /members/members.htm
>[Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user steve not found: /members/members.htm
>[Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user e not found: /members/members.htm
>[Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user horno not found: /members/members.htm
>...
>
>Now aside from the fact that this schmuck is trying to get in and won't, given
>the password and userid scheme that this hosting client is using (and the method
>he is using to circumvent this), it does concern me that the httpd process is
>crashing.
>
>Is it just child processes?
>Is the cause likely the burst of traffic, and if so, is there a tweak to allow
>apache to weather a volume of requests more successfully?
>Or are there other mitigating factors that need to be investigated?
>
>Server Version: FreeBSD 4.3 (with patches) Apache/1.3.19 (Unix) mod_ssl/2.8.2
>OpenSSL/0.9.6 PHP/4.2.2
>
>Appreciate any insight.
>
>Dave
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
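
A defender-side triage of the two error_log formats quoted in the message above, as an added example that is not part of the original post: it counts distinct unknown usernames per client per minute and lines those bursts up with child segfaults. The function names, the threshold and the sample lines (documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The two Apache 1.3 error_log line formats quoted in the message above.
AUTH_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"user (?P<user>\S+) not found: (?P<uri>\S+)")
SEGV = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal Segmentation fault \(11\)")

def minute(ts):
    """Parse an error_log timestamp and truncate it to the minute."""
    return datetime.strptime(ts, "%a %b %d %H:%M:%S %Y").replace(second=0)

def triage(lines, min_users=3):
    """Return (guessing, crashes, overlap).

    guessing: {(client, minute): n} for clients that tried at least
              min_users distinct unknown usernames within one minute.
    crashes:  Counter of child segfaults per minute.
    overlap:  sorted minutes in which both were seen.
    """
    users = defaultdict(set)
    crashes = Counter()
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            users[(m["ip"], minute(m["ts"]))].add(m["user"])
            continue
        m = SEGV.match(line)
        if m:
            crashes[minute(m["ts"])] += 1
    guessing = {k: len(v) for k, v in users.items() if len(v) >= min_users}
    overlap = sorted({t for _, t in guessing} & set(crashes))
    return guessing, crashes, overlap

# Constructed sample lines in the quoted formats; not the poster's logs.
SAMPLE = [
    f"[Wed Mar 19 06:31:0{i} 2003] [error] [client 192.0.2.10] "
    f"user user{i} not found: /members/members.htm" for i in range(4)
] + [
    "[Wed Mar 19 06:31:05 2003] [error] [client 198.51.100.7] "
    "user typo not found: /members/members.htm",
    "[Wed Mar 19 06:31:06 2003] [notice] child pid 101 exit signal Segmentation fault (11)",
    "[Wed Mar 19 06:31:07 2003] [notice] child pid 102 exit signal Segmentation fault (11)",
    "[Wed Mar 19 06:45:00 2003] [notice] child pid 103 exit signal Segmentation fault (11)",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A shared minute only shows that the guessing and the crashes coincided; it does not establish that one caused the other.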