127.0.0.1 host.name.com GET / HTTP/1.0

aisagtr

Guest
Until recently, we have never seen anything under Apache status until we upgraded to Apache 2.0.

Are we being DDoSed by our own host machine? Any ideas?

Under cPanel's Apache Status, we see tons of:

- 0/0/1913 . 0.00 23 0 0.0 0.00 12.69 127.0.0.1 host.server.com HTTP/1.0
- 0/0/1913 . 0.00 23 0 0.0 0.00 12.69 127.0.0.1 host.server.com HTTP/1.0
- 0/0/1913 . 0.00 23 0 0.0 0.00 12.69 127.0.0.1 host.server.com HTTP/1.0
- 0/0/1913 . 0.00 23 0 0.0 0.00 12.69 127.0.0.1 host.server.com HTTP/1.0
- 0/0/1913 . 0.00 23 0 0.0 0.00 12.69 127.0.0.1 host.server.com HTTP/1.0
- 0/0/1913 . 0.00 23 0 0.0 0.00 12.69 127.0.0.1 host.server.com HTTP/1.0
- 0/0/1913 . 0.00 23 0 0.0 0.00 12.69 127.0.0.1 host.server.com HTTP/1.0
- 0/0/1913 . 0.00 23 0 0.0 0.00 12.69 127.0.0.1 host.server.com HTTP/1.0
- 0/0/1913 . 0.00 23 0 0.0 0.00 12.69 127.0.0.1 host.server.com HTTP/1.0

We are using Apache 2 with the following config:

WHM 11.15.0 cPanel 11.17.0-R19434
CENTOS Enterprise 4.6 i686 on virtuozzo - WHM X v3.1.0
 
aisagtr

Guest
It's you accessing Apache Status.

thewird
Nope, don't think so.

If I were to access Apache's status, it would also show my IP addresses.

Also, under /var/log/messages, I am getting tons of connections for FTP as follows. Now the host is FTPing to itself?

Jan 20 02:33:04 xtreme syslogd 1.4.1: restart.
Jan 20 02:41:03 xtreme pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
Jan 20 02:41:03 xtreme pure-ftpd: ([email protected]) [INFO] Logout.
Jan 20 02:49:26 xtreme pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
Jan 20 02:49:26 xtreme pure-ftpd: ([email protected]) [INFO] Logout.
Jan 20 02:57:49 xtreme pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
Jan 20 02:57:49 xtreme pure-ftpd: ([email protected]) [INFO] Logout.
Jan 20 03:06:14 xtreme pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
Jan 20 03:06:14 xtreme pure-ftpd: ([email protected]) [INFO] Logout.
Jan 20 03:14:36 xtreme pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
Jan 20 03:14:36 xtreme pure-ftpd: ([email protected]) [INFO] Logout.
Jan 20 03:22:59 xtreme pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
Jan 20 03:22:59 xtreme pure-ftpd: ([email protected]) [INFO] Logout.
Jan 20 03:31:21 xtreme pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
Jan 20 03:31:21 xtreme pure-ftpd: ([email protected]) [INFO] Logout.
Jan 20 03:39:43 xtreme pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
 

thewird

FTP is unrelated to apache but I still think nothing is going on.

And no it wouldn't show your IP address if you access it from WHM. Also, I think the FTP thing is WHM's chkservd.

thewird
 

cPanelDavidG

Technical Product Specialist
Notice the timestamps are roughly 8 minutes apart. Eight minutes is the interval at which cpsrvd checks services.
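
The spacing pointed out above can be checked mechanically. The following is an added example, not part of any post in this thread: it groups pure-ftpd "New connection" lines by source address and reports the gaps between consecutive connections. The sample lines are constructed (the thread's loopback timestamps plus a made-up burst from 203.0.113.7), and the function names, the 60-second floor and the jitter tolerance are assumptions.

```shell
#!/bin/sh
# Constructed sample: the loopback timestamps quoted in the thread plus a
# made-up burst from 203.0.113.7 (documentation address) for contrast.
sample_log() {
cat <<'EOF'
Jan 20 02:41:03 xtreme pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jan 20 02:41:03 xtreme pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jan 20 02:49:26 xtreme pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jan 20 02:57:49 xtreme pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jan 20 03:00:01 xtreme pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Jan 20 03:00:02 xtreme pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Jan 20 03:00:04 xtreme pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Jan 20 03:00:09 xtreme pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Jan 20 03:06:14 xtreme pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jan 20 03:14:36 xtreme pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jan 20 03:22:59 xtreme pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jan 20 03:31:21 xtreme pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jan 20 03:39:43 xtreme pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
EOF
}

# Read syslog lines on stdin; print one line per source address with the
# connection count, smallest and largest gap in seconds, and a verdict.
# $1 = allowed difference between largest and smallest gap (default 10 s).
# Assumption: all lines fall within one calendar month (no month rollover).
ftp_conn_intervals() {
    awk -v jitter="${1:-10}" '
    / pure-ftpd: .*New connection from / {
        ip = $NF
        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        if (ip in last) {
            gap = now - last[ip]
            if (!(ip in lo) || gap < lo[ip]) lo[ip] = gap
            if (gap > hi[ip]) hi[ip] = gap
        }
        last[ip] = now
        n[ip]++
    }
    END {
        for (ip in n) {
            if (n[ip] < 3)                      v = "too-few-samples"
            else if (lo[ip] < 60)               v = "burst"
            else if (hi[ip] - lo[ip] <= jitter) v = "periodic"
            else                                v = "irregular"
            printf "%s count=%d min_gap=%d max_gap=%d %s\n", ip, n[ip], lo[ip], hi[ip], v
        }
    }' | sort
}

sample_log | ftp_conn_intervals
```

A steady gap of several minutes from the loopback address is what a local service monitor produces; sub-minute gaps from a remote address are the pattern worth a closer look.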
 

7Com

Hi,

How to solve this???


Too many requests...
 

thewird

Hi,

How to solve this???

29-0 - 0/0/15 . 0.56 1438 0 0.0 0.00 0.05 127.0.0.1 my.hostname.com GET / HTTP/1.0

Too many requests...
You can't solve it and it's not a problem either. Notice the "-", that means it's not an active request (it happened in the past and has been closed). All that is, is cPanel checking if Apache is online WHICH IS A GOOD THING.

thewird
 

s.a.

It's not like this is some big issue, but on a couple of my servers instead of "GET /" it shows "OPTIONS *":

45-37 - 0/0/4643 . 2.64 539 0 0.0 0.00 69.18 127.0.0.1 my.hostname.com OPTIONS * HTTP/1.0
46-37 - 0/0/5643 . 1.22 528 0 0.0 0.00 100.38 127.0.0.1 my.hostname.com OPTIONS * HTTP/1.0
47-37 - 0/0/5971 . 1.06 537 0 0.0 0.00 78.97 127.0.0.1 my.hostname.com OPTIONS * HTTP/1.0
48-37 - 0/0/3982 . 2.52 460 0 0.0 0.00 56.54 127.0.0.1 my.hostname.com OPTIONS * HTTP/1.0
49-37 - 0/0/3904 . 0.61 504 0 0.0 0.00 66.25 127.0.0.1 my.hostname.com OPTIONS * HTTP/1.0
50-37 - 0/0/3484 . 3.65 590 0 0.0 0.00 86.02 127.0.0.1 my.hostname.com OPTIONS * HTTP/1.0
51-37 - 0/0/3924 . 2.06 510 0 0.0 0.00 52.81 127.0.0.1 my.hostname.com OPTIONS * HTTP/1.0
52-37 - 0/0/3689 . 0.00 587 0 0.0 0.00 97.75 127.0.0.1 my.hostname.com OPTIONS * HTTP/1.0

Running Apache 2.2
Did anyone notice anything similar?
 

jols

OKAY THEN, so how do I filter this out from showing up in /usr/local/apache/logs/access_log ???

I use the access_log for a lot of our security work here, and would rather these particular 127.0.0.1 entries be omitted, but how?

Thanks for anything on this one.
 

jols

I tried inserting the following right below the LogFormat stuff in the httpd.conf file, but it did not work:

SetEnvIf Request_URI 127.0.0.1 exclude_from_log
CustomLog /usr/local/apache/logs/access_log common env=!exclude_from_log


Also tried:

SetEnvIf Referer 127.0.0.1 exclude_from_log
CustomLog /usr/local/apache/logs/access_log common env=!exclude_from_log


But no-go.
 

jols

Code:
grep -v 127.0.0.1 /usr/local/apache/logs/access_log > /tmp/access_log_no_localhost
The above command will do the trick.
Thanks but this does not quite work for me.

I can see that the above creates an alternate file without the 127.0.0.1 entries, but I need to run scripts like the following every minute (via a cron), and I would prefer not to have to create a tmp file first:


---------------

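#!/bin/bash
# Deny (via csf) each client IP that requested a .php URL in the last 200 log lines.
d=0
for i in $(tail -200 /usr/local/apache/logs/access_log | awk '/\.php?/ {print $1}')
do
    # Skip empty fields and consecutive repeats of the same IP.
    if [ -n "$i" ] && [ "$d" != "$i" ]
    then
        /etc/csf/csf.pl -d "$i" phptest
        d=$i
    fi
done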
 

vikins

It's not like this is some big issue, but on a couple of my servers instead of "GET /" it shows "OPTIONS *":

Running Apache 2.2
Did anyone notice anything similar?
Yes, this is exactly what I'm seeing too on my Apache 2.2.8 that I just built:

Server Version: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

WHM 11.15.0 cPanel 11.18.1-R20683
CENTOS Enterprise 4.6 i686 on virtuozzo - WHM X v3.1.0


Doesn't happen on my Apache 1.3.x:

Server Version: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b

WHM 11.15.0 cPanel 11.18.1-R20683
CENTOS Enterprise 3.9 i686 on virtuozzo - WHM X v3.1.0


Like some people have said, they get like 90 of these "OPTIONS" entries. I don't have that many, but it is a nearly unused VPS at this point. I think *something* is up, but it might not be malicious. And again, this seems to be specific to at least Apache 2.x and maybe only 2.2.x?
 

jols

And again, I just want to know how to filter out these (meaningless) entries from the general apache access log.

Do any of the experts here know how to change the httpd.conf file so that this can be done?
 

jols

Okay solved it.

For anyone interested in this, here's what I did:

1 -- Backed up the httpd.conf file.

2 -- Pico-ed into the httpd.conf file and scrolled down to the LogFormat section.

3 -- You will see a section that starts with this:

<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

CustomLog logs/access_log common

Just change the CustomLog line, and enter a new line just above it. So your final will look like this:


<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

SetEnvIf Remote_Addr "127\.0\.0\.1" exclude_from_log
CustomLog logs/access_log common env=!exclude_from_log



4 -- Restart Apache and now you should see no such entries when tailing /usr/local/apache/logs/access_log

Please note, that on one of our servers I had to use the following line instead, because the localhost entries were starting with ::1 rather than 127.0.0.1

SetEnvIf Remote_Addr "\:\:1" exclude_from_log


Also note ---> If you try this and it screws something up (it shouldn't), I take absolutely no responsibility. Again, be sure to back up your httpd.conf file before doing ANY work with this.
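
One thing worth checking before relying on a filter like the one above: SetEnvIf patterns are unanchored regular expressions, so they match anywhere inside Remote_Addr. The following is an added example, not code from the post; it uses grep -E as a stand-in for Apache's regex engine and constructed addresses from documentation ranges to show which client addresses each pattern would keep out of access_log. The function and variable names are assumptions.

```shell
#!/bin/sh
# grep -E stands in for Apache's regex matching; for these simple patterns
# the two agree (assumption of this example).

# Constructed client addresses (documentation ranges, not from the thread).
sample_addrs() {
    printf '%s\n' 127.0.0.1 ::1 127.0.0.10 192.0.2.55 \
        2001:db8::1 2001:db8::1f 2001:db8:0:1::25
}

# Print, space-separated, the sample addresses that a SetEnvIf pattern
# would tag with exclude_from_log (and so drop from access_log).
excluded_by() {
    sample_addrs | grep -E -- "$1" | paste -sd ' ' -
}

# Patterns as posted. The backslashes before ":" are omitted here because
# an escaped colon is just a literal colon.
LOOSE_V4='127\.0\.0\.1'
LOOSE_V6='::1'

# Anchored forms: only the exact loopback addresses match.
STRICT_V4='^127\.0\.0\.1$'
STRICT_V6='^::1$'

for p in "$LOOSE_V4" "$LOOSE_V6" "$STRICT_V4" "$STRICT_V6"; do
    printf '%-18s -> %s\n' "$p" "$(excluded_by "$p")"
done

# Corresponding httpd.conf lines with the anchored patterns:
#   SetEnvIf Remote_Addr "^127\.0\.0\.1$" exclude_from_log
#   SetEnvIf Remote_Addr "^::1$" exclude_from_log
#   CustomLog logs/access_log common env=!exclude_from_log
```

With the unanchored `::1` pattern, requests from any IPv6 client whose address contains `::1` would also be missing from access_log, which matters when that log feeds security tooling. The anchored forms exclude only the two loopback addresses.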
 

vikins

I'm glad you solved your issue with not wanting to see the entries in your logs, but shouldn't the bigger issue here be figuring out why they exist in the first place?
 

jols

You can't solve it and it's not a problem either. Notice the "-", that means it's not an active request (it happened in the past and has been closed). All that is, is cPanel checking if Apache is online WHICH IS A GOOD THING.

thewird
It's cPanel cpsrvd checking its own services, in this case, checking to see that Apache is still up.
 

vikins

It's cPanel cpsrvd checking its own services, in this case, checking to see that Apache is still up.
But these issues still confuse me:

1. Each slot that you see in the status page is able to handle multiple requests. Why would cpsrvd's requests always be left behind instead of being cleared out and overwritten by new incoming requests for customer web pages? How can somebody have 90 or so of these hanging around never to get overwritten by new requests?

2. Why doesn't something similar happen on Apache 1.3.x?

3. The "SS" column in the status page shows how many seconds have elapsed since the last request to that slot. For example, I have 9 "OPTIONS" slots all within a 10 second period. Why would cpsrvd check 9 times in 10 seconds?

4. A cPanel rep has contributed to this thread and did not confirm what you said. He confirmed somebody else's log showing cpsrvd checking FTP services every 8 mins. Go back and look, he wasn't talking about this issue.

If you have a better thread link that explains better please pass it on. As of now, I still think it seems strange.

Could a cPanel rep clear this up, if possible? :)

Thank you!