The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

httpd restart every 8 mins?

Discussion in 'General Discussion' started by mctDarren, Dec 24, 2006.

  1. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    I am seeing this error in the apache error log about every 8 mins:
    Code:
    httpd/error_log.1:[Sat Dec 23 11:22:11 2006] [error] [client 127.0.0.1] request 
    failed: erroneous characters after protocol string: GET / HTTP/2.0; killall 
    -TERM httpd; sleep 2; killall -9 httpd; /etc/rc.d/init.d/httpd stop; 
    /etc/rc.d/init.d/httpd startssl; /usr/local/apache/bin/apachectl startssl
    Normally I would think this is a ddos attack on apache, but all the requests are coming from localhost. I'm wondering if this has something to do with cpanel's monitor for http? Looked around for a cron that might be running this and see none.
     
  2. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    Have you looked in mod security log and other logs at the time of the failure to see the url of the get request? This should narrow down the bad script or activity with the bad code. It should be easily found if its taking 8 mins to hog resources and cause a restart.

    Mod security would track this easily and show the link of the file.
     
  3. tweakservers

    tweakservers Well-Known Member

    Joined:
    Mar 30, 2006
    Messages:
    379
    Likes Received:
    0
    Trophy Points:
    16
    do you have any cron running at the server background?
     
  4. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    I can't find any record of these requests in any mod_security logs. :(

    After a little more searching I do see it looks like they occur at the same time as the cpanel monitor (or what I believe to be so):

    Code:
    access_log:127.0.0.1 - - [24/Dec/2006:12:41:37 -0500] "GET / HTTP/1.0" 200 1807
    
    access_log:127.0.0.1 - - [24/Dec/2006:12:41:37 -0500] "GET / HTTP/2.0; killall 
    -TERM httpd; sleep 2; killall -9 httpd; /etc/rc.d/init.d/httpd stop; 
    /etc/rc.d/init.d/httpd startssl; /usr/local/apache/bin/apachectl startssl" 
    400 299
    
    error_log:[Sun Dec 24 12:41:37 2006] [error] [client 127.0.0.1] 
    request failed: erroneous characters after protocol string: GET / HTTP/2.0; 
    killall -TERM httpd; sleep 2; killall -9 httpd; /etc/rc.d/init.d/httpd stop; 
    /etc/rc.d/init.d/httpd startssl; /usr/local/apache/bin/apachectl startssl
    
    I'm starting to wonder if one of our other techs was trying something out and neglected to inform me. :) It's obviously not harmful or malicious - just jamming up the error_log. My search continues...
     
  5. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    No, nothing out of the ordinary running at all.
     
  6. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Forgot to post a resolve response to this - one of our techs manually added https to checkservd on this box and the script was causing an error. Removing /etc/chkserv.d/https resolves, or adding a correct check would work as well.
     
Loading...

Share This Page