Jul 5, 2002
23
0
151
Is there still no fix for apache failing? It happens every couple of days; the apache monitor says it's up but apache just dies in memory. It really makes cpanel useless.
 

kualo

We had this - if you have resellers it's probably because of an error with terminating accounts. Temporarily you can disable the terminate account feature, but we upgraded CPanel a couple of days ago and the problem resolved...
 

Brad

Same problem here with a server that's been working flawlessly for 8 months..

Something's up here?

Apache 1.3.26
redhat 7.1
cPanel5 Build 123
php 4.22
 

avara

We have the same problem on several servers now -- Apache now fails every couple of days, or at least once a week. Before this, it had never failed before.

The problem started when CPanel was upgraded.
 

Curious Too

I have had apache fail a lot more than normal also. I thought it had something to do with the CPanel 5 upgrade at first, but after searching the access log for the server I see it's something else. I matched the entries in the access log to the time I received the apache warning from the server monitor and found this:

[Wed Sep 25 07:22:32 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:32 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:32 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

This is a snippet of what was in the log; there were many more hits. The timing of these entries is consistent with the timing from the apache "down" warnings from the server monitor. These entries appear in the access_log, not the error_log. I suspect it's somehow related to the new Slapper Worm, but I'm not sure.
 

Brad

Yes, confirmed here too, same error message at the time apache crashed here too..

Has anyone notified Nick through support? This should be sent to him as a ticket since I'm sure it is a problem with lots of servers.



 

rpmws

confirmed ..thanks for your posts guys. I have seen this crash httpd as well...and it's funny I searched my access_log and even found that same IP hit my box along with a few more. Must be a worm.
 

Curious Too

I don't think it's a CPanel issue. There was a discussion on the ISP-Linux list today regarding the issue -- basically the Slapper Worm probes are mimicking a mini DOS attack. Here's a post from the list:

"Recently I have been getting bombarded by slapper probes coming from various IP's around the world... These people are scanning one of our complete class c netblocks, and opening connections to every single one of our virtual domains at once... This is causing Apache to throttle the number of daemons, thereby causing a denial of service attack..."

You can try blocking the IPs but it gets tedious if you have a lot of servers to maintain. Any other suggestions?
 

itf

Slapper can not do anything with Cpanel boxes if you have security updates enabled in WHM; you shouldn't have to worry about this.

http://forums.cpanel.net/read.php?TID=4602

http://forums.cpanel.net/read.php?TID=4634

http://forums.cpanel.net/read.php?TID=4759

About Apache failures, which modules have you compiled with your Apache?
 

Curious Too


Not the worm itself, but probes, supposedly from the worm. Every one of my apache failures has coincided with these types of attacks:

203.69.74.172 - - [25/Sep/2002:16:09:53 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:09:54 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:09:56 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:09:57 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:09:57 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:09:59 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:00 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:00 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:02 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:02 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:02 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:04 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:05 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:05 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:11 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:12 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:14 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:14 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:17 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:19 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:19 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:22 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:23 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:23 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:23 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:23 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:24 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:24 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:24 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:24 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:28 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:28 -0400] &-& 408 - &-& &-&
203.69.74.172 - - [25/Sep/2002:16:10:28 -0400] &-& 408 - &-& &-&

The servers are updated and not infected.
 

itf

[quote][i]Originally posted by Curious Too[/i]

Not the worm itself, but probes, supposedly from the worm. Every one of my apache failures has coincided with these types of attacks:

203.69.74.172 - - [25/Sep/2002:16:09:53 -0400] "-" 408 - "-" "-"

The servers are updated and not infected.[/quote]

What you posted are not Slapper attempts.

If you find traces like these in your log files, it is Slapper:

[13/Sep/2002 21:22:03 17376] [error] SSL handshake failed (server host.domain.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)

[13/Sep/2002 21:22:03 17376] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
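
Added example, not code from any poster in this thread: a log triage sketch that separates the three signatures quoted above (requests without a hostname, empty requests answered with 408, and the mod_ssl "key arg too long" pair) and lists clients whose idle or hostless hits reach a burst threshold. The sample lines are constructed with documentation-range addresses, and the `triage` function and its `burst` threshold are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the three formats quoted in this thread;
# addresses and host name are documentation placeholders, not real hosts.
SAMPLE = """\
[Wed Sep 25 07:22:32 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Sep 25 07:22:33 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
198.51.100.7 - - [25/Sep/2002:16:09:53 -0400] "-" 408 - "-" "-"
198.51.100.7 - - [25/Sep/2002:16:09:54 -0400] "-" 408 - "-" "-"
198.51.100.7 - - [25/Sep/2002:16:09:56 -0400] "-" 408 - "-" "-"
[13/Sep/2002 21:22:03 17376] [error] SSL handshake failed (server host.example.com:443, client 203.0.113.5) (OpenSSL library error follows)
[13/Sep/2002 21:22:03 17376] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
198.51.100.9 - - [25/Sep/2002:16:10:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

NO_HOST = re.compile(r"\[client ([\d.]+)\] client sent HTTP/1\.1 request without hostname")
# Request logged as "-" with status 408: the client connected but sent nothing before the timeout.
IDLE_408 = re.compile(r'^([\d.]+) \S+ \S+ \[[^\]]+\] "-" 408 ')
# mod_ssl logs the client on one line and the OpenSSL error on the next; pair them by PID.
SSL_FAIL = re.compile(r"^\[[^\]]* (\d+)\] \[error\] SSL handshake failed \(server [^,]+, client ([\d.]+)\)")
KEY_ARG = re.compile(r"^\[[^\]]* (\d+)\] \[error\] OpenSSL: .*GET_CLIENT_MASTER_KEY:key arg too long")

def triage(lines, burst=3):
    """Count clients per signature; return (counts, clients with >= burst idle/no-host hits)."""
    counts = {"no_host": Counter(), "idle_408": Counter(), "ssl_key_arg": Counter()}
    pending = {}  # PID -> client of the most recent failed SSL handshake
    for line in lines:
        if m := NO_HOST.search(line):
            counts["no_host"][m.group(1)] += 1
        elif m := IDLE_408.match(line):
            counts["idle_408"][m.group(1)] += 1
        elif m := SSL_FAIL.match(line):
            pending[m.group(1)] = m.group(2)
        elif (m := KEY_ARG.match(line)) and m.group(1) in pending:
            counts["ssl_key_arg"][pending.pop(m.group(1))] += 1
    noisy = sorted({ip for cat in ("no_host", "idle_408")
                    for ip, n in counts[cat].items() if n >= burst})
    return counts, noisy

if __name__ == "__main__":
    counts, noisy = triage(SAMPLE.splitlines())
    for category, clients in counts.items():
        print(category, dict(clients))
    print("connection-flood candidates:", noisy)
```

Feed it the concatenated access_log, error_log and mod_ssl engine log for the window around a monitor alert; a non-empty `ssl_key_arg` count points at the handshake signature, while a large `idle_408` or `no_host` count with an empty `ssl_key_arg` points at connection exhaustion instead.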
 

TRAIN YARD SOFTWARE

[quote][i]Originally posted by blueboxservers.com[/i]

ours is not the slapper worm and has been happening for some weeks now[/quote]

same here, 1 month or so now
 

itf

Which modules have you compiled with your Apache?
Please let us know what is in your error_log?
 
Jul 5, 2002
23
0
151
Apache/1.3.26 (Unix) mod_attach/0.9 mod_jk/1.2.0 mod_log_bytes/0.3 mod_bwlimited/1.0 PHP/4.2.3 FrontPage/5.0.2.2510 mod_ssl/2.8.10 OpenSSL/0.9.6b configured
 

itf

[quote][i]Originally posted by blueboxservers.com[/i]

Apache/1.3.26 (Unix) mod_attach/0.9 [b]mod_jk/1.2.0[/b] mod_log_bytes/0.3 mod_bwlimited/1.0 PHP/4.2.3 FrontPage/5.0.2.2510 mod_ssl/2.8.10 OpenSSL/0.9.6b configured[/quote]
I checked TRAIN YARD SOFTWARE too:
Apache/1.3.26 (Unix) mod_gzip/1.3.19.1a [b]mod_jk/1.2.0[/b] mod_bwlimited/1.0 PHP/4.2.2 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.9 OpenSSL/0.9.6b

It seems that the problem is due to Tomcat