httpd restart every 8 mins?

[mctDarren]

I am seeing this error in the apache error log about every 8 mins:

httpd/error_log.1:[Sat Dec 23 11:22:11 2006] [error] [client 127.0.0.1] request 
failed: erroneous characters after protocol string: GET / HTTP/2.0; killall 
-TERM httpd; sleep 2; killall -9 httpd; /etc/rc.d/init.d/httpd stop; 
/etc/rc.d/init.d/httpd startssl; /usr/local/apache/bin/apachectl startssl

Normally I would think this is a ddos attack on apache, but all the requests are coming from localhost. I'm wondering if this has something to do with cpanel's monitor for http? Looked around for a cron that might be running this and see none.

 

[jayh38]

Have you looked in mod security log and other logs at the time of the failure to see the url of the get request? This should narrow down the bad script or activity with the bad code. It should be easily found if its taking 8 mins to hog resources and cause a restart.

Mod security would track this easily and show the link of the file.

 

[tweakservers]

do you have any cron running at the server background?

 

[mctDarren]

I can't find any record of these requests in any mod_security logs.

After a little more searching I do see it looks like they occur at the same time as the cpanel monitor (or what I believe to be so):

access_log:127.0.0.1 - - [24/Dec/2006:12:41:37 -0500] "GET / HTTP/1.0" 200 1807

access_log:127.0.0.1 - - [24/Dec/2006:12:41:37 -0500] "GET / HTTP/2.0; killall 
-TERM httpd; sleep 2; killall -9 httpd; /etc/rc.d/init.d/httpd stop; 
/etc/rc.d/init.d/httpd startssl; /usr/local/apache/bin/apachectl startssl" 
400 299

error_log:[Sun Dec 24 12:41:37 2006] [error] [client 127.0.0.1] 
request failed: erroneous characters after protocol string: GET / HTTP/2.0; 
killall -TERM httpd; sleep 2; killall -9 httpd; /etc/rc.d/init.d/httpd stop; 
/etc/rc.d/init.d/httpd startssl; /usr/local/apache/bin/apachectl startssl

I'm starting to wonder if one of our other techs was trying something out and neglected to inform me. It's obviously not harmful or malicious - just jamming up the error_log. My search continues...

 

[mctDarren]

do you have any cron running at the server background?

No, nothing out of the ordinary running at all.

 

[mctDarren]

Forgot to post a resolve response to this - one of our techs manually added https to checkservd on this box and the script was causing an error. Removing /etc/chkserv.d/https resolves, or adding a correct check would work as well.