Silly Apache Question...

John Seth johnseth at phoenixwing.com
Thu May 4 15:15:59 MST 2006


Check your logs... /var/log/apache/error_log & 
/var/log/apache/access_log (or wherever they may be).  Use "tail -f 
error_log" to view the log as it is occurring, and watch what is going 
on, if anything.  Some things won't log to error log if it's intended to 
be running, but if a webpage is called and apache is "serving it", then 
there will almost always be an entry in the access_log.

If Perl is running with the apache process, it could be MRTG if 
installed, or even AWStats, which will write up webpages based on 
traffic used by Apache.  The one process with "popuser" sounds like 
webmail or some POP3 program that uses Perl... Horde?  I use 
squirrelmail with imap, so I'm not even sure what webmail programs 
utilize CGI/Perl anymore :-\ 

And as was suggested, check your crontab too.  /etc/crontab, 
/etc/cron.<hourly/daily/d/monthly/etc>, and as root (or other user) 
"crontab -l" to list what crontab the user you're logged in as has set to 
run. 

  Tony Evans
  Phoenix Wing Interactive
  johnseth at phoenixwing.com
  http://www.phoenixwing.com/




Kevin wrote:
> On 5/4/06 2:11 PM, "Zeddy" <zeddicius at falldowngoboom.org> wrote:
>
>   
>> How can you tell what apache is doing.... I'm having something happen every
>> night at like 3am....
>>     
>
> Do you see anything interesting in your access.log about that time?
>
>
>   
>> USER      PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
>> popuser 57198 11.3  0.0     0    0  ??  Z     3:29AM   0:00.00   (perl5.8.4)
>>     
>  
> That is strange looking output for PID 57198.  What is that?
>
>
>   
>> killing and restarting apache fixes it... but... it kills everything.... cus
>> it's beating on the server....
>>
>> is there anything like top that would show what site is doing this...
>>     
>
> Take the child PID for the runaway httpd process and run it through `lsof`
> to see what file descriptors it has open.  You might also use a sniffer like
> ethereal (or even just tcpdump) to capture the inbound traffic around that
> time.
>
> I would also look for any unusual shell processes around that time, in case
> someone has found an exploit to drop a shell (again a sniffer would be most
> handy here).  For that matter I would examine ANY processes that started
> after the spike (3:29am in this case).
>
> ...Kevin
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
>   
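
Added example, not part of the original messages: one way to carry out the access_log check suggested in this thread, listing which clients and URLs were requested in a window around the 3:29am spike. It assumes Apache's Common/Combined Log Format; the function names, sample lines, addresses and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Common/Combined Log Format.

# sample_log: constructed access_log lines; addresses and paths are made up.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [04/May/2006:03:05:41 -0700] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [04/May/2006:03:29:02 -0700] "POST /cgi-bin/form.pl HTTP/1.0" 200 312
198.51.100.7 - - [04/May/2006:03:29:03 -0700] "POST /cgi-bin/form.pl?retry=1 HTTP/1.0" 200 312
198.51.100.7 - - [04/May/2006:03:29:05 -0700] "POST /cgi-bin/form.pl HTTP/1.0" 200 312
203.0.113.4 - - [04/May/2006:03:31:17 -0700] "GET /webmail/ HTTP/1.1" 200 2048
192.0.2.10 - - [04/May/2006:09:12:00 -0700] "GET /index.html HTTP/1.1" 200 5120
EOF
}

# requests_in_window LOG DAY START END
#   LOG    path to an access_log, or "-" to read standard input
#   DAY    date as it appears in the log, e.g. 04/May/2006
#   START  END   inclusive HH:MM:SS bounds in the log's own time zone
# Prints "count client path", busiest first.
requests_in_window() {
    awk -v day="$2" -v start="$3" -v end="$4" '
    {
        ts = substr($4, 2)         # field 4 is "[04/May/2006:03:29:12"
        d  = substr(ts, 1, 11)     # 04/May/2006
        t  = substr(ts, 13, 8)     # 03:29:12
        # Zero-padded HH:MM:SS strings compare correctly as plain text.
        if (d != day || t < start || t > end) next
        path = $7
        sub(/\?.*/, "", path)      # drop the query string so hits group by script
        hits[$1 " " path]++
    }
    END { for (k in hits) print hits[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Run against the constructed sample; pass a real access_log path instead of "-".
sample_log | requests_in_window - 04/May/2006 03:20:00 03:40:00
```

A client and path that dominate the window are the place to start with the `lsof` and crontab checks mentioned in the thread.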


