mctDarren

Well-Known Member
Jan 6, 2004
665
4
168
New Jersey
cPanel Access Level
Root Administrator
I am seeing this error in the apache error log about every 8 mins:
Code:
httpd/error_log.1:[Sat Dec 23 11:22:11 2006] [error] [client 127.0.0.1] request 
failed: erroneous characters after protocol string: GET / HTTP/2.0; killall 
-TERM httpd; sleep 2; killall -9 httpd; /etc/rc.d/init.d/httpd stop; 
/etc/rc.d/init.d/httpd startssl; /usr/local/apache/bin/apachectl startssl
Normally I would think this is a ddos attack on apache, but all the requests are coming from localhost. I'm wondering if this has something to do with cpanel's monitor for http? Looked around for a cron that might be running this and see none.
 

jayh38

Well-Known Member
Mar 3, 2006
1,213
0
166
Have you looked in mod security log and other logs at the time of the failure to see the url of the get request? This should narrow down the bad script or activity with the bad code. It should be easily found if its taking 8 mins to hog resources and cause a restart.

Mod security would track this easily and show the link of the file.
 

tweakservers

Well-Known Member
Mar 30, 2006
379
0
166
do you have any cron running at the server background?
 

mctDarren

Well-Known Member
Jan 6, 2004
665
4
168
New Jersey
cPanel Access Level
Root Administrator
I can't find any record of these requests in any mod_security logs. :(

After a little more searching I do see it looks like they occur at the same time as the cpanel monitor (or what I believe to be so):

Code:
access_log:127.0.0.1 - - [24/Dec/2006:12:41:37 -0500] "GET / HTTP/1.0" 200 1807

access_log:127.0.0.1 - - [24/Dec/2006:12:41:37 -0500] "GET / HTTP/2.0; killall 
-TERM httpd; sleep 2; killall -9 httpd; /etc/rc.d/init.d/httpd stop; 
/etc/rc.d/init.d/httpd startssl; /usr/local/apache/bin/apachectl startssl" 
400 299

error_log:[Sun Dec 24 12:41:37 2006] [error] [client 127.0.0.1] 
request failed: erroneous characters after protocol string: GET / HTTP/2.0; 
killall -TERM httpd; sleep 2; killall -9 httpd; /etc/rc.d/init.d/httpd stop; 
/etc/rc.d/init.d/httpd startssl; /usr/local/apache/bin/apachectl startssl
I'm starting to wonder if one of our other techs was trying something out and neglected to inform me. :) It's obviously not harmful or malicious - just jamming up the error_log. My search continues...
 

mctDarren

Well-Known Member
Jan 6, 2004
665
4
168
New Jersey
cPanel Access Level
Root Administrator
Forgot to post a resolve response to this - one of our techs manually added https to checkservd on this box and the script was causing an error. Removing /etc/chkserv.d/https resolves, or adding a correct check would work as well.