Apache goes berserk

From: Brett Glass (brettat_private)
Date: Wed Jun 26 2002 - 20:37:41 PDT

Next message: Robert E. Lee: "Re: spoofed packets to RFC 1918 addresses"

Previous message: Sergey Latkin: "Re: Am i compromised?"
Next in thread: Tobias Rosenstock: "Re: Apache goes berserk"
Reply: Tobias Rosenstock: "Re: Apache goes berserk"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This evening, I returned from dinner to find that my Apache 2.0.39 Web 
server, running on FreeBSD, was completely unresponsive. A "ps" command 
revealed that the server had spawned dozens of child processes. And the 
error log had filled up with messages that looked like this:

[Wed Jun 26 15:55:01 2002] [error] server reached MaxClients setting, 
consider raising the MaxClients setting
[Wed Jun 26 21:28:36 2002] [warn] child process 164 still did not exit, 
sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 165 still did not exit, 
sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 166 still did not exit, 
sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 167 still did not exit, 
sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 168 still did not exit, 
sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 497 still did not exit, 
sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 498 still did not exit, 
sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 1307 still did not exit, 
sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 2965 still did not exit, 
sending a SIGTERM

...and many more similar messages. These were followed by a continuous 
stream of messages like the following:

httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free

It doesn't LOOK as if anyone broke in, but the fact that the Web server 
was tied up in knots until I shut it down and restarted it is disturbing. 
Anyone else seeing such activity?

--Brett Glass


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Robert E. Lee: "Re: spoofed packets to RFC 1918 addresses"
Previous message: Sergey Latkin: "Re: Am i compromised?"
Next in thread: Tobias Rosenstock: "Re: Apache goes berserk"
Reply: Tobias Rosenstock: "Re: Apache goes berserk"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 12:05:03 PDT