On 5/4/06 2:11 PM, "Zeddy" <zeddicius@falldowngoboom.org> wrote:
> How can you tell what Apache is doing.... I'm having something happen every
> night at like 3am....
Do you see anything interesting in your access.log about that time?
> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> popuser 57198 11.3 0.0 0 0 ?? Z 3:29AM 0:00.00 (perl5.8.4)
That is strange looking output for PID 57198. What is that?
> Killing and restarting Apache fixes it... but... it kills everything.... 'cause
> it's beating on the server....
>
> Is there anything like top that would show what site is doing this...
Take the child PID for the runaway httpd process and run it through `lsof`
to see what file descriptors it has open. You might also use a sniffer like
ethereal (or even just tcpdump) to capture the inbound traffic around that
time.
I would also look for any unusual shell processes around that time, in case
someone has found an exploit to drop a shell (again a sniffer would be most
handy here). For that matter I would examine ANY processes that started
after the spike (3:29am in this case).
...Kevin
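
The triage steps suggested above (find the runaway httpd child, inspect it with `lsof`, then review everything that started around the spike), sketched as an added example that is not part of the original message. The function names and the sample rows are constructed, apart from the PID 57198 line taken from the quoted output; it assumes a `ps` that supports the `etimes` keyword (elapsed seconds since start).

```shell
#!/bin/sh
# Constructed sample, in the column order produced by:
#   ps axo pid,user,stat,etimes,pcpu,comm
# Only the 57198 row mirrors the quoted output; the rest is made up.
SAMPLE='  PID USER    STAT ELAPSED %CPU COMMAND
  812 root    Ss     86400  0.0 httpd
56910 www     S       4100  0.3 httpd
57102 www     R        640 97.5 httpd
57198 popuser Z        600 11.3 perl5.8.4
57240 www     S        580  0.0 sh'

# Read a ps listing on stdin and print the PID of the httpd
# process that is using the most CPU (the "runaway" child).
busiest_httpd() {
    awk 'NR > 1 && $6 == "httpd" && (pid == "" || $5 + 0 > max) {
             max = $5 + 0; pid = $1
         }
         END { if (pid != "") print pid }'
}

# Read a ps listing on stdin and print "pid user command" for every
# process started within the last $1 seconds, flagging zombies (STAT Z).
# Unexpected shells or interpreters in this list deserve a closer look.
started_within() {
    awk -v win="$1" 'NR > 1 && $4 + 0 <= win + 0 {
        printf "%s %s %s%s\n", $1, $2, $6, ($3 ~ /^Z/ ? " zombie" : "")
    }'
}

# Live use: ./triage.sh --live [window-seconds]
if [ "${1:-}" = "--live" ]; then
    snap=$(ps axo pid,user,stat,etimes,pcpu,comm)
    pid=$(printf '%s\n' "$snap" | busiest_httpd)
    if [ -n "$pid" ]; then
        lsof -p "$pid"      # open files and sockets of the busy child
    fi
    printf '%s\n' "$snap" | started_within "${2:-900}"
fi
```

The `lsof` output for the busy child usually shows the log files and document root it has open, which points at the site involved.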
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us