The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

/usr/local/apache/bin/httpd -t

Discussion in 'EasyApache' started by netlook, May 24, 2005.

  1. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    Hello,

    I noticed today strange procesess most intensive in my system:

    root 2.19 7.39 2.0
    Top Process %CPU 46.0 /usr/local/apache/bin/httpd -t
    Top Process %CPU 30.0 /usr/local/apache/bin/httpd -t
    Top Process %CPU 21.0 /usr/local/apache/bin/httpd -t

    Can somebody explain me what is this?

    Thanks a lot!
    Tom
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It could be a php exploit. You really need to identify the PID of one of those processes, then run:

    lsof | grep PID

    It will likely spew out a load of normal apache files, but if it's an exploit, one of them won't be right. Likely, it will have a file open in /tmp or /var/tmp of /dev/shm
     
  3. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    Do you have any idea how to identyfi the pid of this process? There is nothing strange when I do ps -aux, but today I had a kernel panic about some zombie who eat all memory (as a tech form DC said).

    Thanks
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Oh, I see, you're looking at the stats within cPanel. I guess that could be innocent. You really need to monitor the server from shell using top

    You can usually tell if you've got problem services by running the following and seeing if any unexpected ports are open:

    netstat -lpn
     
  5. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    Did u ever run a httpd -t for syntax check?

    Anup
     
  6. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Try ps -u nobody

    and ps -axfu

    And post your results. That could be apache, as Cpanel's process list is slow, and a joke really, or it could be a hanging around process running from a spawned apache process.
     
  7. jroes

    jroes Member

    Joined:
    Feb 9, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I do something like this every time I get on one of my servers (there always seem to be some rogue nobody processes with psybnc's running in them)

    Code:
    ps auxw | grep nobody
    I find the pid of the most-suspicious looking httpd process (sometimes they even have extra characters or arguments padded at the end of them), and do this:

    Code:
    ls -la /proc/pid
    So, if the process id was something like 1533, then I would type
    Code:
    ls -la /proc/1533
    You should be able to tell just by looking at that whether it's legitimate. You might also be able to get further information from
    Code:
    cat /proc/pid/environ
    Good luck! :)
     
Loading...

Share This Page