Re: Silly Apache Question...

Top Page
This message is part of the following thread:
M+\the complete thread tree sorted by date
MMMKevin at <-
M 
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: John Seth
Date:  
To: Main PLUG discussion list
Subject: Re: Silly Apache Question...
Check your logs... /var/log/apache/error_log &
/var/log/apache/access_log (or wherever they may be). Use "tail -f
error_log" to view the log as it is occurring, and watch what is going
on, if anything. Some things won't log to error log if it's intended to
be running, but if a webpage is called and apache is "serving it", then
there will almost always be an entry in the access_log.

If Perl is running with the apache process, it could be MRTG if
installed, or even AWStats, which will write up webpages based on
traffic used by Apache. The one process with "popuser" sounds like
webmail or some POP3 program that uses Perl... Horde? I use
squirrelmail with imap, so I'm not even sure what webmail programs
utilize CGI/Perl anymore :-\

And as was suggested, check your crontab too. /etc/crontab,
/etc/cron.<hourly/daily/d/monthly/etc>, and as root (or other user)
"crontab -l" to list what crontab the user your logged in as has set to
run.

Tony Evans
Phoenix Wing Interactive

http://www.phoenixwing.com/




Kevin wrote:
> On 5/4/06 2:11 PM, "Zeddy" <> wrote:
>
>
>> How can you tell what apache is doing.... i'm having something happen every
>> night at like 3am....
>>
>
> Do you see anything interesting in your access.log about that time?
>
>
> 
>> USER      PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
>> popuser 57198 11.3  0.0     0    0  ??  Z     3:29AM   0:00.00   (perl5.8.4)

>>
>
> That is strange looking output for PID 57198. What is that?
>
>
>
>> killing and restarting apache fixes it... but... it kills everything.... cus
>> it's beating on the server....
>>
>> is there anything like top that would show what site is doing this...
>>
>
> Take the child PID for the runaway httpd process and run it through `lsof`
> to see what file descriptors it has open. You might also use a sniffer like
> ethereal (or even just tcpdump) to capture the inbound traffic around that
> time.
>
> I would also look for any unusual shell processes around that time, in case
> someone has found an exploit to drop a shell (again a sniffer would be most
> handy here). For that matter I would examine ANY processes that started
> after the spike (3:29am in this case).
>
> ...Kevin
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
>

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-Re: Small Linux boxes?Re: Small Linux boxes?->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)