httpd-users mailing list archives

From Bill Unruh <un...@physics.ubc.ca>
Subject Re: [users@httpd] Denial of Service due to multiplication of httpd running
Date Tue, 22 May 2012 23:00:10 GMT
On Tue, 22 May 2012, William A. Rowe Jr. wrote:

> On 5/22/2012 12:02 PM, Bill Unruh wrote:
>>
>> Eg, here is one entry from the ps auxww  list
>>
>> apache   18137  0.0  0.5  26844  5744 ?        S    09:34   0:00 /usr/sbin/httpd -f
>> /etc/httpd/conf/httpd.conf -DAPACHE2 -DHAVE_PERL -DHAVE_PHP5 -DHAVE_ACTIONS -DHAVE_ALIAS
>> -DHAVE_ASIS -DHAVE_AUTH_BASIC -DHAVE_AUTH_DIGEST -DHAVE_AUTHN_ALIAS -DHAVE_AUTHN_ANON
>> -DHAVE_AUTHN_DBM -DHAVE_AUTHN_DEFAULT -DHAVE_AUTHN_FILE -DHAVE_AUTHZ_DBM
>> -DHAVE_AUTHZ_DEFAULT -DHAVE_AUTHZ_GROUPFILE -DHAVE_AUTHZ_HOST -DHAVE_AUTHZ_OWNER
>> -DHAVE_AUTHZ_USER -DHAVE_AUTOINDEX -DHAVE_BUCKETEER -DHAVE_CASE_FILTER
>> -DHAVE_CASE_FILTER_IN -DHAVE_CERN_META -DHAVE_CGI -DHAVE_CGID -DHAVE_CHARSET_LITE
>> -DHAVE_DIR -DHAVE_DUMPIO -DHAVE_ECHO -DHAVE_ENV -DHAVE_EXAMPLE -DHAVE_EXPIRES
>> -DHAVE_EXT_FILTER -DHAVE_FILTER -DHAVE_HEADERS -DHAVE_IDENT -DHAVE_IMAGEMAP -DHAVE_INCLUDE
>> -DHAVE_INFO -DHAVE_LOG_CONFIG -DHAVE_LOG_FORENSIC -DHAVE_LOGIO -DHAVE_MIME
>> -DHAVE_MIME_MAGIC -DHAVE_NEGOTIATION -DHAVE_OPTIONAL_FN_EXPORT -DHAVE_OPTIONAL_FN_IMPORT
>> -DHAVE_OPTIONAL_HOOK_EXPORT -DHAVE_OPTIONAL_HOOK_IMPORT -DHAVE_REWRITE -DHAVE_SETENVIF
>> -DHAVE_SPELING -DHAVE_SSL -DHAVE_STATUS -DHAVE_SUBSTITUTE -DHAVE_SUEXEC -DHAVE_UNIQUE_ID
>> -DHAVE_USERTRACK -DHAVE_VERSION -DHAVE_VHOST_ALIAS
>
> Never seen such a crazy startup line, I presume all of your modules have individual
> <IfDefine > blocks around each?

It is basically what Mandriva has as its default.


>
>> At that time in the access_log I have a whole bunch of entries like
>> ::1 - - [22/May/2012:09:34:22 -0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.22
>> (Mandriva Linux/PREFORK-0.1mdv2010.2) (internal dummy connection)"
>
> That's your own local loopback from a process running on this same box.

There are no processes running on this same box. It is rarely used, and
certainly did not have a browser running at that time.

>
>> In the past I have also had connections like 66.249.68.198 - - [22/May/2012:09:35:25
>> -0700] "GET
>> /aggregator/www.umsl.edu/~keelr/010/www.twitter.com/www.iaea.org/Publications/Documents/Board/2008/www.environment-agency.gov.uk/homeandleisure/floods/node/www.guardian.co.uk/business/2012/feb/21/node/node/22?page=11
>> HTTP/1.1" 200 58609 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;
>> +http://www.google.com/bot.html)"
>
> No clue.  Maybe playing with open proxies?  The document seems to be 58k if that helps you
> at all (maybe a local index page?)

There is no such file or path on my system. If I try to use it, I get file not
found. I have nothing called /aggregator/


>
>> In the error log around that time I get nothing that looks suspicious
>>
>> [Tue May 22 09:31:54 2012] [error] [client 119.63.196.27] File does not exist:
>> /usr/local/http/htdocs/robots.txt
>> [Tue May 22 09:32:25 2012] [error] [client 86.68.18.171] File does not exist:
>> /usr/local/http/htdocs/favicon.ico
>
> Certainly harmless and most common from crawlers and web browsers respectively.  You may
> want to add a simple one line robots.txt file, and a simple default icon.

That was what I thought.


>
>
>> [Tue May 22 09:36:47 2012] [error] [client 89.144.206.157] File does not exist:
>> /usr/local/http/htdocs/thirdman/reichs/blank.gif, referer:
>> http://axion.physics.ubc.ca/thirdman/reichs/reichsbruecke.htm
>
> Your own mistake in the html, it seems.

Yup. Just displaying it on the off chance it could be problematic. Since I have
not the ghost of an idea what could be wrong, I also have not the ghost of an
idea what could be a symptom either.


>
> Can you interrupt one of the truly hosed processes using gdb and try 'thread apply all bt'
>

What does that do?

Thread 1 (Thread 0xb760f700 (LWP 20861)):
#0  0xffffe424 in __kernel_vsyscall ()
#1  0xb77ece6b in fcntl () from /lib/i686/libpthread.so.0
#2  0xb780f832 in ?? () from /usr/lib/libapr-1.so.0
#3  0xb780f1ad in apr_proc_mutex_lock () from /usr/lib/libapr-1.so.0
#4  0x0809294c in ?? ()
#5  0x08092e0b in ?? ()
#6  0x08093be4 in ap_mpm_run ()
#7  0x08064cd1 in main ()

