From owner-freebsd-security@FreeBSD.ORG  Sun Sep 28 23:29:23 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C02A916A4BF
	for <security@freebsd.org>; Sun, 28 Sep 2003 23:29:23 -0700 (PDT)
Received: from gateway.nixsys.be (gateway.nixsys.be [195.144.77.33])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5702C44035
	for <security@freebsd.org>; Sun, 28 Sep 2003 23:29:22 -0700 (PDT)
	(envelope-from philip@nixsys.be)
Received: from hermes.nixsys.be (hermes.nixsys.be [195.144.77.45])
	by gateway.nixsys.be (Postfix) with ESMTP id 9716CC12A
	for <security@freebsd.org>; Mon, 29 Sep 2003 08:29:20 +0200 (CEST)
Received: by hermes.nixsys.be (Postfix, from userid 1001)
	id 2D3B156; Mon, 29 Sep 2003 08:29:20 +0200 (CEST)
Date: Mon, 29 Sep 2003 08:29:20 +0200
From: Philip Paeps <philip+freebsd@paeps.cx>
To: security@freebsd.org
Message-ID: <20030929062920.GB760@hermes.nixsys.be>
Mail-Followup-To: security@freebsd.org
References: <20030928235939.GH629@hermes.home.paeps.cx>
	<20030929022753.GC334@silverwraith.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030929022753.GC334@silverwraith.com>
X-Date-in-Rome: ante diem III Kalendas Octobres MMDCCLVI ab Urbe Condida
X-PGP-Fingerprint: FA74 3C27 91A6 79D5 F6D3 FC53 BF4B D0E6 049D B879
X-Message-Flag: Get a proper mailclient!  Mutt: <http://www.mutt.org/>
User-Agent: Mutt/1.5.4i
Subject: Re: Apache under attack and eating resources?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Sep 2003 06:29:23 -0000

On 2003-09-28 19:27:53 (-0700), Avleen Vig <lists-freebsd@silverwraith.com> wrote:
> On Mon, Sep 29, 2003 at 01:59:39AM +0200, Philip Paeps wrote:
> > This might be more related to an Apache-security list, but as the machine
> > is running FreeBSD, I thought I'd ask here first.
> > 
> > In the last two weeks, I've been seeing some very strange errors in my
> > logs a few times daily around the same times.  While this happens, load
> > averages go through the roof (I've seen 36+, which is outragous), and the
> > machine becomes very unresponsive.
> > 
> > First there's a few million of these:
> 
> [snip]
> 
> Are you running any CGI's, or other server-side scripts? Bugs in your
> scripts could cause things like this, and make it look like it's apache
> which is at fault.

I forgot to mention I was running mod_php4 from the ports.  I don't think any
scripts changed in the last few weeks, but I'll have a look into it.  Any idea
what kind of script bugs could cause PHP to tear things down like this, other
than the classic loop from hell?

Thanks!

 - Philip

-- 
Philip Paeps                                          Please don't CC me, I am
                                                       subscribed to the list.

  BOFH Excuse #34:
    (l)user error