I would strace the httpd process(es) when this occurs to find out what it's spinning on; perhaps your being unable to reproduce it has something to do with the state of the connection (e.g. not closing properly), so you might consider also a netstat when you see one of these pop up in the logs. I'm unable to reproduce this on my 1.3.26 installations but that's no surprise if it can't even be reproduced it on the commandline. -----Original Message----- From: Ryan Sweat [mailto:rsweatat_private] Sent: Tuesday, October 15, 2002 12:24 AM To: Andre Guimaraes Cc: 'incidentsat_private' Subject: Re: apache problem I have the exact same problem on RedHat 7.2 with apache-1.3.22-6. It appears to be CodeRed attempts causing a denial of service through apache. [Mon Oct 14 22:45:05 2002] [error] [client 140.121.175.22] Client sent malformed Host header 140.121.175.22 - - [14/Oct/2002:22:45:05 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN NN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u78 01%u9090%u9090%u8190%u00 c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 334 "-" "-" This causes the cpu to reach 100% and the httpd process consumes all available memory until the kernel kills the process (often 1 hour later). I am unable to reproduce this behavior, even by manually sending the exact string to apache. Several other apache daemons running on the same OS, though compiled and not installed from binary rpm, are not affected. Ryan On Sat, 2002-10-12 at 16:05, Andre Guimaraes wrote: > Hi all, > > I have one webserver dedicated for a client communication running > apache 1.3.22-6 on linux red hat 7.3 and almost unused. Today the > machine had no memory or swap left (1 gig memory,512 meg swap). > Analyzing the error logs I found this: > > Lots of in /var/log/messages: > Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 > (httpd). Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process > 1016 (httpd). Oct 12 20:32:22 web01 kernel: Out of Memory: Killed > process 1020 (httpd). Oct 12 20:34:04 web01 kernel: Out of Memory: > Killed process 1026 (httpd). Oct 12 20:34:53 web01 kernel: Out of > Memory: Killed process 1025 (httpd). Oct 12 20:35:55 web01 kernel: Out > of Memory: Killed process 1031 (httpd). > > Lots of this in error log: > [Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not > exit, sending a SIGKILL [Sat Oct 12 20:41:44 2002] [error] child > process 1228 still did not exit, sending a SIGKILL > [Sat Oct 12 20:41:46 2002] [error] could not make child process 1072 exit, > attempting to continue anyway > [Sat Oct 12 20:41:46 2002] [error] could not make child process 1080 exit, > attempting to continue anyway > > Few minutes before in error log: > [Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client > sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / > > [Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request > failed: erroneous characters after protocol string: CONNECT > maila.microsoft.com:25 / HTTP/1.0 > > This connect maila looks like someone trying to find some kind of > proxy. What about the empty hostname? I cant figure out why that > happened. > > Thanks > > ---------------------------------------------------------------------- > ------ > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 17:01:58 PDT