Jump to content

HTTPD using 99% CPU


tommy.boucher

Recommended Posts

Hi,

 

I'm usig APACHE 2.**, on Fedora Core, using PHP 5, and CGI Script (.pl).

 

In my virtualhost, I configure suexec for each web site, so when executing .pl file, I know who is using the CPU using the user, but when this is php (or maybe the problem is somewhere else), if the CPU for HTTPD is 99%, I can't know from where it come. Using Netstat I can see that my httpd openned a connection to a IRC server, but I can't find from each website of my server it's coming (I have around 30 web site) because HTTPD is running as "apache" user!

 

Can anyone help me? Solution?

 

Thanks a lot!

:'( :'( :'(

Link to comment
Share on other sites

Exampleof virtualhos:

<VirtualHost xx.xx.xx.xx:80>

        ServerName domain.com

        ServerAlias www.domain.com

        ServerAdmin support@domain.com

        DocumentRoot /data/SITES/www.domain.com/WWWROOT

        CustomLog "|/usr/local/sbin/cronolog /data/LOGS/www.domain.com/%y%m%d.log" IIS

        SuExecUserGroup domain.com domain.com

        <Directory "/data/SITES/www.domain.com/WWWROOT/">

                AllowOverride Options FileInfo AuthConfig Limit

                Options MultiViews SymLinksIfOwnerMatch IncludesNoExec

                php_admin_flag engine on

                php_admin_value open_basedir "/data/SITES/www.domain.com/"

                php_admin_flag display_errors on

        </Directory>

        ScriptAlias /cgi-bin/ "/data/SITES/www.domain.com/cgi-bin/"

        <Directory "/data/SITES/www.domain.com/cgi-bin/">

                AllowOverride None

                Options None

                Order allow,deny

                Allow from all

        </Directory>

</VirtualHost>

 

Probably used for DDoS or Spam shit, I really need to find from where it's coming!

Link to comment
Share on other sites

I think you may have to use a trial and error approach. When under a DDOS attack (massive server usage levels) I personally had to disable each site on the server one by one to determine where the attack was aimed at. You may have to do the same thing to find the location of the problem. I cant see a simple php script causing this issue, more like a 3rd party manipulating a script. I would check the access logs on each site to look at page request times and unusual patterns. Modification of the apache environment variables may have some undesired effects but if the server has been running fine before without any mods then you can rule this out.

Link to comment
Share on other sites

Oki thx everyone for you comment,

 

the point is that there's around 200 web site on this server, I can't disable it one by one (when I disable one, I have to restart the service, and the attack stop... I can't wait until the attack's back.

 

Second point, I would like to install something to help me monitoring it, to know from where is it

 

It's probably a IRC bot, but how to find the script on the server, or how to find the php script that call the external script?

 

My backup script is using PHP so if I put "max execution time" to 1 min, it won't be enough for me server to backup =-)

 

Any idea?

Link to comment
Share on other sites

Yep -

 

Put a firewall on the server and block outgoing traffic.

 

Typically a webserver *only* needs inbound over port 80 (and maybe 443).

If you block all external traffic (traffic going from your webserver outside to the internet), teh IRC script wherever it is will not be able to connect and thus fail, and hopefully should not use up your server resources.

 

If your running linux see: http://wiki.kartbuilding.net/index.php/Iptables_Firewall

The one line should do it:    iptables -A OUTPUT -j REJECT

 

If your on windows, you might have to get additional firewall software. I use(d) kerio which allows for fine grained control over ports.

 

-steve

 

Link to comment
Share on other sites

This is what I did, but I really want to find from each website it's coming, where's the hole!!!!

 

Patching isn't always the better solution =-)

 

I found that the problem start after someone forgot the firewall down... but is there any way to monitor apache enough to know from where it's coming? :P

Link to comment
Share on other sites

question, how many servers, or other computers/devices use the internet on your network? I have experiacned a few problems simular to that, although when I looked at my traffic I found no traffic, no outbound, no inbound. Shortly after I accendtly unplugged my server and my iptables stopped working, I still got the same thing but even still I find no outbound or inbound. Although I have found that yum was updating so seeing as your on fedora I would suggest checking that. Once I finally got yum to stop, then it stopped.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.