On 5/4/06 2:11 PM, "Zeddy" wrote:

> How can you tell what apache is doing.... I'm having something happen every
> night at like 3am....

Do you see anything interesting in your access.log about that time?

> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> popuser 57198 11.3 0.0 0 0 ?? Z 3:29AM 0:00.00 (perl5.8.4)

That is strange-looking output for PID 57198. What is that?

> killing and restarting apache fixes it... but... it kills everything.... cus
> it's beating on the server....
>
> is there anything like top that would show what site is doing this...

Take the child PID for the runaway httpd process and run it through `lsof` to see what file descriptors it has open. You might also use a sniffer like ethereal (or even just tcpdump) to capture the inbound traffic around that time.

I would also look for any unusual shell processes around that time, in case someone has found an exploit to drop a shell (again a sniffer would be most handy here). For that matter I would examine ANY processes that started after the spike (3:29am in this case).

...Kevin

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
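Added example, not part of the original message: one way to do the process review suggested in the reply above, by filtering BSD-style `ps aux` output for zombies, high-CPU processes, and anything started at or after the spike time. The function names `triage_ps` and `sample_ps`, the 90% CPU default, and every sample row except the `popuser` one are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag zombies, runaway processes, and processes started at or
# after a spike time in BSD-style `ps aux` output (column layout as in the post).

# Constructed sample. Only the popuser row comes from the post; the other
# rows are made up for illustration.
sample_ps() {
cat <<'EOF'
USER      PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
root      412  0.0  0.1  3420  1200  ??  Ss   Mon03PM   0:01.20 /usr/sbin/cron
www     56010  0.1  1.2 41200 12400  ??  S     1:02AM   0:00.40 httpd
www     57190 98.2  1.4 43100 14800  ??  R     3:28AM   4:12.09 httpd
popuser 57198 11.3  0.0     0     0  ??  Z     3:29AM   0:00.00 (perl5.8.4)
www     57201  0.0  0.1  1800   900  ??  S     3:31AM   0:00.01 /bin/sh
EOF
}

# usage: ps aux | triage_ps 3:29AM [cpu_threshold]
# Prints: PID USER REASONS COMMAND
# Assumption: the spike and the start times fall on the same calendar day.
triage_ps() {
  awk -v spike="$1" -v cpu="${2:-90}" '
    function minutes(t,   p, h) {        # "3:29AM" -> minutes since midnight
      split(t, p, ":"); h = p[1] % 12
      if (substr(p[2], 3) == "PM") h += 12
      return h * 60 + substr(p[2], 1, 2)
    }
    NR == 1 { next }                     # skip the header row
    {
      why = ""
      if ($8 ~ /^Z/) why = why ",zombie"
      if ($3 + 0 >= cpu + 0) why = why ",high-cpu"
      # STARTED is a clock time only for processes less than a day old
      if ($9 ~ /^[0-9]+:[0-9][0-9](AM|PM)$/ && minutes($9) >= minutes(spike))
        why = why ",started-after-spike"
      if (why == "") next
      cmd = $11; for (i = 12; i <= NF; i++) cmd = cmd " " $i
      print $2, $1, substr(why, 2), cmd
    }'
}

# Demo on the sample. On a live host: ps aux | triage_ps 3:29AM
# then run `lsof -p <PID>` on each flagged PID to see its open files and sockets.
sample_ps | triage_ps 3:29AM
```

Processes older than a day show a date in STARTED and are only flagged by the zombie or CPU checks.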