
/usr/local/apache/bin/httxd -DSSL

Discussion in 'EasyApache' started by InternetPEI, Nov 5, 2007.

  1. InternetPEI

    Woke up this morning to this causing high server loads on one server (50+ loads) with 3 processes running. What causes this httxd to start?
     
  2. nyjimbo

    Are you sure it's "httxd" and not "httpd"?

    Did you check the file's date and size, or maybe even see if it's a script rather than a valid binary? Do this and let us know what you find.
     
  3. InternetPEI

    Yep.

    That's what got me confused. I never saw the httxd before. There were 3 processes run by nobody using up to 50x CPU each one.
     
  4. nyjimbo

    "Check the file's date and size, or maybe even see if it's a script rather than a valid binary? Do this and let us know what you find."

    :rolleyes:
     
  5. InternetPEI

    There is no httxd file to check/compare size against.
     
  6. nyjimbo

    You mean nothing in the /usr/local/apache/bin exists like that? Do you see anything weird sitting in the /tmp or /var/tmp folders?

    Just for kicks see if you can do a "locate httxd" or "which httxd"
     
  7. InternetPEI

    tmp was the first thing I checked after trying to locate. That server has been working good since, but still confusing as to what started it.
     
  8. InternetPEI

    Happened again :(

    Here is a screenshot from ssh
     


  9. yapluka

    You may want to strace and lsof the processes:
    strace -p <processID>
    lsof -p <processID>
     
  10. InternetPEI

    Thanks :)

    Will give it a try once it starts again :)
     
  11. MichaelShanks

    It will be a compromised PHP script hiding its process name.
     
  12. MichaelShanks

    Sorry, a PHP script executing a Perl script or a script of some other kind.

    I would recommend implementing mod_security and ensuring all scripts on your server are up to date (if possible).
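
The check discussed in the replies above (a process name that points at a file which is not on disk), written out as an added example that is not part of the original thread. The function names, the sample PIDs and the sample working directory are constructed for illustration; `/bin/sh` stands in for whatever interpreter is really running.

```shell
#!/bin/sh
# Added example (not from the thread). Flags processes whose argv[0] is an
# absolute path that is missing on disk or is not the binary really running.

find_masked_procs() {
    proc_root=${1:-/proc}      # parameter exists so a test tree can be scanned
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        # cmdline is NUL-separated; field 1 is argv[0], which the process
        # itself can overwrite (e.g. Perl's $0).
        argv0=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
        case $argv0 in
            /*) ;;             # only absolute paths can be checked on disk
            *) continue ;;
        esac
        # exe is the kernel's link to the mapped binary (needs root to read
        # for other users' processes).
        exe=$(readlink -f "$dir/exe" 2>/dev/null) || continue
        if [ ! -e "$argv0" ]; then
            reason=argv0-missing
        elif [ "$(readlink -f "$argv0")" != "$exe" ]; then
            reason=argv0-mismatch
        else
            continue
        fi
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd='?'
        printf '%s %s claims=%s exe=%s cwd=%s\n' \
            "${dir##*/}" "$reason" "$argv0" "$exe" "$cwd"
    done
}

# Constructed sample tree: PID 101 mimics the thread's process, PID 202 is an
# honest process. /bin/sh stands in for the interpreter; the cwd is made up.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir "$root/101" "$root/202"
    printf '/usr/local/apache/bin/httxd\0-DSSL\0' > "$root/101/cmdline"
    ln -s /bin/sh "$root/101/exe"
    ln -s /home/exampleuser/public_html/forum "$root/101/cwd"
    printf '/bin/sh\0-c\0true\0' > "$root/202/cmdline"
    ln -s /bin/sh "$root/202/exe"
    ln -s / "$root/202/cwd"
    echo "$root"
}

sample=$(make_sample_proc)
find_masked_procs "$sample"    # on a live host, as root: find_masked_procs /proc
rm -rf "$sample"
```

The `exe` and `cwd` columns are the useful part: `exe` shows the interpreter actually running, and `cwd` often points into the account directory the script was started from.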
     
  13. InternetPEI

    Tracked it back to a few old versions of phpBB. One client wasn't using his and removed it, another upgraded and the problem seems to have gone away.

    Apache error logs showed what was going on at those times and I was able to track it to the users.

    Thanks for everyone's help :)
     
  14. ramprage

    You might want to install Nobody Check and grab yourself Upload Guardian.
    Both will greatly add protection to your machine.
     
  15. InternetPEI

    Thanks :) I will
     