
tracking Apache abuse with SuPHP off

Discussion in 'EasyApache' started by BigLebowski, Sep 20, 2008.

  1. BigLebowski

    BigLebowski Well-Known Member

    hi there

    Every day at 19.18 an Apache thread pops up and sticks at 50% cpu for an hour or so grinding the server to a halt. SuPHP is off so I can't see who is responsible. My strategy so far is to take a snapshot of all domlogs accessed within the minute the abuse starts, but the server is busy and there are too many to go through by hand. I can't find any suspicious cron jobs so this is likely to be some sort of external bot or user checking fastidiously every day.

    Can I switch on SuPHP just before the problem starts and switch it off again when it's over? It is likely to crash a number of sites but as long as I can turn off SuPHP again afterwards without any lasting effects it will be worth finding out who the idiot is. Where can I enable SuPHP please in WHM?

    Cheers
    Dude
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Turning it on/off is not a simple setting. As for your strategy, you should be able to parse the logs for a specific time of day after the fact to find out more.
    This command should give you a nice list of all connections/IPs at that moment.
    Code:
    
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr |more
    
    I think if you do not have this installed, http://www.configserver.com/cp/csf.html you should. This will kill that process within seconds after it is alerted to the problem/spike.

    Anyone who's had a bad spike with this installed will tell you, CSF/LFD send you several email alerts with lots of details.
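One way to do the after-the-fact log parsing suggested above, as an added example that is not part of the original posts: it counts requests per domlog inside one minute, then lists the busiest client and path combinations in the top file. It assumes Apache's combined log format; the function names, sample file names and log lines are constructed, and the domlog directory is passed as an argument.

```shell
#!/bin/sh
# Added example. Usage: sh domlog_minute.sh DOMLOG_DIR 'DD/Mon/YYYY:HH:MM'
# hits_per_domlog DIR MINUTE -> "count filename" lines, busiest first.
hits_per_domlog() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Match the minute as a fixed string at the start of the [timestamp].
        n=$(grep -c -F "[$2:" "$f" || true)
        if [ "$n" -gt 0 ]; then printf '%s %s\n' "$n" "${f##*/}"; fi
    done | sort -rn
}

# top_requests FILE MINUTE -> "count ip method path" for that minute.
top_requests() {
    awk -v m="[$2:" 'index($4, m) == 1 { c[$1 " " $6 " " $7]++ }
        END { for (k in c) print c[k], k }' "$1" | tr -d '"' | sort -rn
}

# Constructed sample data (not from the thread): two small domlogs.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/quiet.example" <<'EOF'
198.51.100.7 - - [20/Sep/2008:19:17:59 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [20/Sep/2008:19:18:30 +0000] "GET /a.css HTTP/1.1" 200 90 "-" "-"
EOF
    cat > "$d/busy.example" <<'EOF'
192.0.2.10 - - [20/Sep/2008:19:18:01 +0000] "POST /search.php HTTP/1.1" 200 77 "-" "-"
192.0.2.10 - - [20/Sep/2008:19:18:02 +0000] "POST /search.php HTTP/1.1" 200 77 "-" "-"
192.0.2.10 - - [20/Sep/2008:19:18:04 +0000] "POST /search.php HTTP/1.1" 200 77 "-" "-"
192.0.2.44 - - [20/Sep/2008:19:18:09 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "-"
192.0.2.10 - - [20/Sep/2008:19:19:00 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "-"
EOF
    echo "$d"
}

# With arguments, report on a real directory; without, demo on the sample.
dir=${1:-$(make_sample)}; minute=${2:-20/Sep/2008:19:18}
hits_per_domlog "$dir" "$minute"
busiest=$(hits_per_domlog "$dir" "$minute" | head -n 1 | cut -d' ' -f2)
if [ -n "$busiest" ]; then top_requests "$dir/$busiest" "$minute"; fi
```

A single slow request will not stand out by count alone, so the per-file ranking narrows the search rather than naming the culprit outright.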
     
  3. chirpy

    chirpy Well-Known Member

    The main problem is that without suPHP the file system doesn't have that information. To find out more information you're probably going to need a snapshot of the apache status page under WHM > Apache Status
     
  4. BigLebowski

    BigLebowski Well-Known Member

    hi there

    Many thanks for your input. The Apache Status is of limited use because there are usually too many sites listed. However just before it happens tonight I will restart the webserver to reduce the number of sites shown.

    I have the process id but an lsof of it just dumps hundreds of open domlog files open by Apache. How can I use lsof to exclude all that noise and show me (hopefully) the source of the problem in /home?

    Dude
     
  5. chirpy

    chirpy Well-Known Member

    lsof -p PID | grep /home

    However, if apache has cached the page/script then it won't show up in lsof.
     