The Community Forums


HTTPD (apache) will not start anymore!!!

Discussion in 'EasyApache' started by sihosting, Aug 8, 2004.

  1. sihosting

    sihosting Member

    Joined:
    Jul 30, 2004
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Hey,

    My httpd will not load anymore. I was warned today about an HTTP attack but I never received any MaxClients notices. But when I reboot or restart the service it just sits failed; I even tried to reset it via SSH, and I keep getting service monitor emails reporting it's failed and attempted to reboot... I believe it's someone doing some type of attack. Anyway, can I find out who connects to my HTTP server and get their IP addresses? Any ideas are in fact helpful!!

    Kind Regards
     
  2. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    Try looking in the /etc/httpd/logs folder at those logs. See what the error is when it attempts to start up and post here. Can't tell you much without any info.
     
  3. sihosting

    sihosting Member

    Joined:
    Jul 30, 2004
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Could be a possible problem, you see: I can't seem to open or download this error_log file, it's too big to download and pico will not open it... taking ages to load, plus I've got a 43.97 CPU load! Everything running slowly :S
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Use the following command in ssh

    tail -100 error_log
     
  5. sihosting

    sihosting Member

    Joined:
    Jul 30, 2004
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Hey,

    Thanks, here's what I have and it's still DOWN! :(

    There's a lot more on the top of this but I can't fit it in, seeing as posts can only contain a certain number of characters per post.
    And that's it :) any ideas
     
  6. sihosting

    sihosting Member

    Joined:
    Jul 30, 2004
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Hey, I just viewed my access_log and it seems a certain IP address is sending this a lot!

    Could that be causing my Apache to overload?

    Michio
     
  7. katz_global

    katz_global Well-Known Member
    PartnerNOC

    Joined:
    Oct 18, 2003
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Hosting from: Panama, Hong Kong, Singapore, Malays
    That's a Windows-based worm I believe, and if your system is Linux you can safely ignore that. Although you might want to see if your users' email is pounding the server with it.
     
  8. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    I think it's an attack, but that would not cause httpd to break.

    What's this say? /usr/local/apache/bin/httpd -t
     
  9. bigpy2003

    bigpy2003 Well-Known Member

    Joined:
    Feb 22, 2004
    Messages:
    124
    Likes Received:
    0
    Trophy Points:
    16
    Looks like they're trying to buffer overflow you. All the hex (\x05 etc.) is system code. What it does is overwrite memory in your CPU, because of errors in programs. The simplest way to stop this is to block the IP(s) doing this.

    From SSH:
    netstat -n

    It'll list all the IP addresses connected. From there, you find which IP you want to block and use a firewall to ban it.

    I'm not sure if you're using windows or linux like the other guy said.

    On linux I use iptables to drop packets from that address.

    On windows, I'm sure they have a firewall to block it.

    This used to happen to me quite a bit. I developed a php script for linux that automatically banned them.
     
  10. katz_global

    katz_global Well-Known Member
    PartnerNOC

    Joined:
    Oct 18, 2003
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Hosting from: Panama, Hong Kong, Singapore, Malays
    This seems to be a TCP SYN attack launched at your server.

    Your Apache server is restarted frequently by SIGUSR1 or SIGTERM signal. This is most
    likely done by the kernel or the Apache httpd parent process itself.

    However, "netstat -an" does show clues of this problem. A tcpdump on TCP port 80 traffic
    confirms this observation. Each of the IP addresses found is throwing at least
    50 TCP SYN handshake packets per second at this server, and this server is replying with a
    SYN ACK packet. However, no final ACK packet is received. Though the OS itself is able to
    handle this amount of TCP SYN, it seems Apache httpd is not.

    If you have iptables rules running on this server, you can insert extra rules.

    This is what I have done:
    iptables -I INPUT 1 -s ***.**.***.*** -j DROP
    iptables -I INPUT 1 -s ***.**.***.*** -j DROP

    ### INPUT chain before ###
    root@****** [/usr/local/apache/logs]# iptables -L INPUT -n -v
    Chain INPUT (policy ACCEPT 4761K packets, 282M bytes)
    pkts bytes target prot opt in out source destination
    4761K 282M acctboth all -- * * 0.0.0.0/0 0.0.0.0/0

    ### INPUT chain after ###
    root@mrmiagi [/home/spades]# iptables -L INPUT -n -v
    Chain INPUT (policy ACCEPT 4826K packets, 288M bytes)
    pkts bytes target prot opt in out source destination
    20783 831K DROP all -- * * ***.**.***.*** 0.0.0.0/0
    21076 843K DROP all -- * * ***.**.***.*** 0.0.0.0/0
    4826K 288M acctboth all -- * * 0.0.0.0/0 0.0.0.0/0

    You can remove the INPUT chain extra rules by executing
    iptables -D INPUT -s ***.**.***.*** -j DROP
    iptables -D INPUT -s ***.**.***.*** -j DROP

    After the blocking, monitor for 30 minutes and see if Apache httpd does not receive
    SIGUSR1 or SIGTERM anymore.
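    As an added illustration of the checks in posts 9 and 10 (not code from anyone in this thread): this script parses `netstat -an` output, counts half-open (SYN_RECV) connections to port 80 per remote address, and prints the same per-source `iptables -I INPUT 1 -s ... -j DROP` rules used above for any source over a threshold. The netstat sample is constructed with documentation address ranges; the threshold of 3 is an arbitrary assumption for the sample.

```python
"""Count SYN_RECV connections per remote IP in `netstat -an` output and
emit per-source iptables DROP rules for the busiest sources."""
import re
from collections import Counter

# Constructed sample of `netstat -an` output (RFC 5737 test addresses).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40211      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40212      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40213      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:33001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:33002       ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# proto recv-q send-q local:port foreign:port state (IPv4 netstat layout)
LINE_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def count_states(netstat_text, local_port=80, state="SYN_RECV"):
    """Map remote IP -> number of connections to local_port in `state`."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, listening socket (foreign port '*') or UDP line
        _laddr, lport, raddr, _rport, st = m.groups()
        if int(lport) == local_port and st == state:
            counts[raddr] += 1
    return counts


def offenders(counts, threshold):
    """Remote IPs with at least `threshold` matching connections, busiest first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def iptables_rules(ips):
    """Per-source DROP rules in the form the thread uses; review before running."""
    return [f"iptables -I INPUT 1 -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    half_open = count_states(SAMPLE_NETSTAT)
    for rule in iptables_rules(offenders(half_open, threshold=3)):
        print(rule)
```

    On a live box feed it real output (`netstat -an | python3 syncheck.py` with the sample swapped for `sys.stdin.read()`). Per-source rules only help when the flood comes from fixed addresses as in this thread; against spoofed sources, enabling the kernel's SYN cookies (`net.ipv4.tcp_syncookies`) is the usual mitigation.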
     
  11. bigpy2003

    bigpy2003 Well-Known Member

    Joined:
    Feb 22, 2004
    Messages:
    124
    Likes Received:
    0
    Trophy Points:
    16