The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

apache keeps on failing

Discussion in 'EasyApache' started by blueboxservers.com, Sep 24, 2002.

  1. blueboxservers.com

    Joined:
    Jul 5, 2002
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Is there still no fix for apache failing? It happens every couple of days, the apache monitor says its up but apache just dies in memory, really makes cpanel useless
     
  2. TRAIN YARD SOFTWARE

    TRAIN YARD SOFTWARE Well-Known Member

    Joined:
    Dec 20, 2001
    Messages:
    224
    Likes Received:
    0
    Trophy Points:
    16
    same problem here
     
  3. kualo

    kualo Member
    PartnerNOC

    Joined:
    Jun 2, 2002
    Messages:
    20
    Likes Received:
    2
    Trophy Points:
    3
    we had this - if you have resellers its probably because of an error with terminating accounts. Temporarily you can disable the terminate account feature, but we upgraded CPanel a couple of days ago and the problem resolved...
     
  4. blueboxservers.com

    Joined:
    Jul 5, 2002
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    no just one site on the server no resellers
     
  5. Brad

    Brad Well-Known Member

    Joined:
    Aug 16, 2001
    Messages:
    231
    Likes Received:
    0
    Trophy Points:
    16
    Same problem here with a server thats been working flawless for 8 months..

    Somethings up here?

    Apache 1.3.26
    redhat 7.1
    cPanel5 Build 123
    php 4.22
     
  6. avara

    avara Well-Known Member

    Joined:
    Oct 28, 2001
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    We have the same problem on several servers now -- Apache now fails every couple of days, or at least once a week. Before this, it had never failed before.

    The problem started when CPanel was upgraded.
     
  7. blueboxservers.com

    Joined:
    Jul 5, 2002
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    seems its affecting all OS we have:

    Apache 1.3.26
    redhat 7.3
    cPanel5 Build 123
    php 4.2.3
     
  8. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    I have had apache fail a lot more than normal also. I thought it had something to do with the CPanel 5 upgrade at first, but after searching the access log for the server I see it's something else. I matched the entries in the access log to the time I received the apache warning from the server monitor and found this:

    [Wed Sep 25 07:22:32 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:32 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:32 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

    This is a snippet of what was in the log, it was many more hits. The timing of these entries are consistent with the timing from the apache &down& warnings from the server monitor. These entries appear in the access_log, not the error_log. I suspect it's somehow related to the new Slapper Worm, but I'm not sure.
     
  9. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    duplicate post
     
  10. Brad

    Brad Well-Known Member

    Joined:
    Aug 16, 2001
    Messages:
    231
    Likes Received:
    0
    Trophy Points:
    16
    Yes, confirmed here too, same error message at the time apache crashed here too..

    Has anyone notified Nick though support, this should be sent to him as a ticket since I'm sure it is a problem with lots of servers.



    [quote:52cf61dd76][i:52cf61dd76]Originally posted by Curious Too[/i:52cf61dd76]

    I have had apache fail a lot more than normal also. I thought it had something to do with the CPanel 5 upgrade at first, but after searching the access log for the server I see it's something else. I matched the entries in the access log to the time I received the apache warning from the server monitor and found this:

    [Wed Sep 25 07:22:32 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:32 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:32 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:33 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed Sep 25 07:22:34 2002] [error] [client 204.192.96.25] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

    This is a snippet of what was in the log, it was many more hits. The timing of these entries are consistent with the timing from the apache &down& warnings from the server monitor. These entries appear in the access_log, not the error_log. I suspect it's somehow related to the new Slapper Worm, but I'm not sure.[/quote:52cf61dd76]
     
  11. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    confirmed ..thanks for your posts guys. I have seen this crash httpd as well...and it's funny I searched my access_log and even found that same IP hit my box along with a few more. Must be a worm.
     
  12. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    I don't think it's a CPanel issue. There was a discussion on the ISP-Linux list today regarding the issue -- basically the Slapper Worm probes are mimicing a mini DOS attack. Here's a post from the list:

    &Recently I have been getting bombarded by slapper probes coming from various IP's around the world... These people are scanning one of our complete class c netblocks, and opening connections to every single one of our virtual domains at once... This is causing Apache to throttle the number of daemons, thereby causing a denial of service attack...&

    You can try blocking the IPs but it gets tedious if you have a lot of servers to maintain. Any other suggestions?
     
  13. blueboxservers.com

    Joined:
    Jul 5, 2002
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    ours is not the slapper worm and has been happening for some weeks now
     
  14. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    [quote:a35aaaaf2f][i:a35aaaaf2f]Originally posted by Curious Too[/i:a35aaaaf2f]

    I don't think it's a CPanel issue. There was a discussion on the ISP-Linux list today regarding the issue -- basically the Slapper Worm probes are mimicing a mini DOS attack. Here's a post from the list:

    &Recently I have been getting bombarded by slapper probes coming from various IP's around the world... These people are scanning one of our complete class c netblocks, and opening connections to every single one of our virtual domains at once... This is causing Apache to throttle the number of daemons, thereby causing a denial of service attack...&

    You can try blocking the IPs but it gets tedious if you have a lot of servers to maintain. Any other suggestions?
    [/quote:a35aaaaf2f]
    Slapper can not do anything with Cpanel boxes if you have security updates enabled in WHM; you shouldn't have to worry about this.

    http://forums.cpanel.net/read.php?TID=4602

    http://forums.cpanel.net/read.php?TID=4634

    http://forums.cpanel.net/read.php?TID=4759

    About Apache failures, Which modules have you compiled with your Apache?
     
  15. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    [quote:5711b7ef9f][i:5711b7ef9f]Originally posted by itf[/i:5711b7ef9f]

    [quote:5711b7ef9f][i:5711b7ef9f]Originally posted by Curious Too[/i:5711b7ef9f]

    I don't think it's a CPanel issue. There was a discussion on the ISP-Linux list today regarding the issue -- basically the Slapper Worm probes are mimicing a mini DOS attack. Here's a post from the list:

    &Recently I have been getting bombarded by slapper probes coming from various IP's around the world... These people are scanning one of our complete class c netblocks, and opening connections to every single one of our virtual domains at once... This is causing Apache to throttle the number of daemons, thereby causing a denial of service attack...&

    You can try blocking the IPs but it gets tedious if you have a lot of servers to maintain. Any other suggestions?
    [/quote:5711b7ef9f]
    Slapper can not do anything with Cpanel boxes if you have security updates enabled in WHM; you shouldn't have to worry about this.

    http://forums.cpanel.net/read.php?TID=4602

    http://forums.cpanel.net/read.php?TID=4634

    http://forums.cpanel.net/read.php?TID=4759

    About Apache failures, Which modules you have compiled with your Apache?[/quote:5711b7ef9f]

    Not the worm itself, but probes, supposedly from the worm. Everyone of my apache failures have coincided with these types of attacks:

    203.69.74.172 - - [25/Sep/2002:16:09:53 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:09:54 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:09:56 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:09:57 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:09:57 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:09:59 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:00 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:00 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:02 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:02 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:02 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:04 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:05 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:05 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:11 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:12 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:13 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:14 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:14 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:17 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:18 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:19 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:19 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:22 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:23 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:23 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:23 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:23 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:24 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:24 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:24 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:24 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:28 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:28 -0400] &-& 408 - &-& &-&
    203.69.74.172 - - [25/Sep/2002:16:10:28 -0400] &-& 408 - &-& &-&

    The servers are updated and not infected.
     
  16. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    [quote:982e8904ce][i:982e8904ce]Originally posted by Curious Too[/i:982e8904ce]

    Not the worm itself, but probes, supposedly from the worm. Everyone of my apache failures have coincided with these types of attacks:

    203.69.74.172 - - [25/Sep/2002:16:09:53 -0400] &-& 408 - &-& &-&

    The servers are updated and not infected.[/quote:982e8904ce]

    What you wrote is not Slapper attempts:

    If you find out like these tracks in your log files, it is Slapper

    [13/Sep/2002 21:22:03 17376] [error] SSL handshake failed (server host.domain.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)

    [13/Sep/2002 21:22:03 17376] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
     
  17. TRAIN YARD SOFTWARE

    TRAIN YARD SOFTWARE Well-Known Member

    Joined:
    Dec 20, 2001
    Messages:
    224
    Likes Received:
    0
    Trophy Points:
    16
    [quote:30ff112bc5][i:30ff112bc5]Originally posted by blueboxservers.com[/i:30ff112bc5]

    ours is not the slapper worm and has been happening for some weeks now[/quote:30ff112bc5]

    same here, 1 month or so now
     
  18. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    [quote:94b3b99c8b][i:94b3b99c8b]Originally posted by TRAIN YARD SOFTWARE[/i:94b3b99c8b]

    [quote:94b3b99c8b][i:94b3b99c8b]Originally posted by blueboxservers.com[/i:94b3b99c8b]

    ours is not the slapper worm and has been happening for some weeks now[/quote:94b3b99c8b]

    same here, 1 month or so now[/quote:94b3b99c8b]
    Which modules have you compiled with your Apache?
    Please let us know what is in your error_log?
     
  19. blueboxservers.com

    Joined:
    Jul 5, 2002
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Apache/1.3.26 (Unix) mod_attach/0.9 mod_jk/1.2.0 mod_log_bytes/0.3 mod_bwlimited/1.0 PHP/4.2.3 FrontPage/5.0.2.2510 mod_ssl/2.8.10 OpenSSL/0.9.6b configured
     
  20. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    [quote:5a2d15a341][i:5a2d15a341]Originally posted by blueboxservers.com[/i:5a2d15a341]

    Apache/1.3.26 (Unix) mod_attach/0.9 [b:5a2d15a341]mod_jk/1.2.0[/b:5a2d15a341] mod_log_bytes/0.3 mod_bwlimited/1.0 PHP/4.2.3 FrontPage/5.0.2.2510 mod_ssl/2.8.10 OpenSSL/0.9.6b configured [/quote:5a2d15a341]
    I ckecked TRAIN YARD SOFTWARE too
    Apache/1.3.26 (Unix) mod_gzip/1.3.19.1a [b:5a2d15a341]mod_jk/1.2.0[/b:5a2d15a341] mod_bwlimited/1.0 PHP/4.2.2 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.9 OpenSSL/0.9.6b

    It seems that the problem is due to Tomcat
     
Loading...

Share This Page