Check your logs... /var/log/apache/error_log &
/var/log/apache/access_log (or wherever they may be). Use "tail -f
error_log" to view the log as it is occurring, and watch what is going
on, if anything. Some things won't log to error log if it's intended to
be running, but if a webpage is called and apache is "serving it", then
there will almost always be an entry in the access_log.
If Perl is running with the apache process, it could be MRTG if
installed, or even AWStats, which will write up webpages based on
traffic used by Apache. The one process with "popuser" sounds like
webmail or some POP3 program that uses Perl... Horde? I use
squirrelmail with imap, so I'm not even sure what webmail programs
utilize CGI/Perl anymore :-\
And as was suggested, check your crontab too. /etc/crontab,
/etc/cron.<hourly/daily/d/monthly/etc>, and as root (or other user)
"crontab -l" to list what crontab the user your logged in as has set to
run.
Tony Evans
Phoenix Wing Interactive
johnseth@phoenixwing.com
http://www.phoenixwing.com/
Kevin wrote:
> On 5/4/06 2:11 PM, "Zeddy" <zeddicius@falldowngoboom.org> wrote:
>
>
>> How can you tell what apache is doing.... i'm having something happen every
>> night at like 3am....
>>
>
> Do you see anything interesting in your access.log about that time?
>
>
>
>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>> popuser 57198 11.3 0.0 0 0 ?? Z 3:29AM 0:00.00 (perl5.8.4)
>>
>
> That is strange looking output for PID 57198. What is that?
>
>
>
>> killing and restarting apache fixes it... but... it kills everything.... cus
>> it's beating on the server....
>>
>> is there anything like top that would show what site is doing this...
>>
>
> Take the child PID for the runaway httpd process and run it through `lsof`
> to see what file descriptors it has open. You might also use a sniffer like
> ethereal (or even just tcpdump) to capture the inbound traffic around that
> time.
>
> I would also look for any unusual shell processes around that time, in case
> someone has found an exploit to drop a shell (again a sniffer would be most
> handy here). For that matter I would examine ANY processes that started
> after the spike (3:29am in this case).
>
> ...Kevin
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
>
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss