In the last week or so, my FreeBSD 4.10p5 server has started locking up every day or so, to the point where it becomes unusable and must be rebooted to resume service. I've noticed that when it happens, the following type of thing appears in /var/log/httpd-error.log:

[Sat Dec 18 13:00:18 2004] [error] child process 248 still did not exit, sending a SIGKILL
[Sat Dec 18 13:00:18 2004] [error] child process 464 still did not exit, sending a SIGKILL
[Sat Dec 18 13:00:18 2004] [error] child process 465 still did not exit, sending a SIGKILL
[Sat Dec 18 13:00:18 2004] [error] child process 466 still did not exit, sending a SIGKILL
[Sat Dec 18 13:00:18 2004] [error] child process 554 still did not exit, sending a SIGKILL
[Sat Dec 18 13:00:18 2004] [error] child process 2121 still did not exit, sending a SIGKILL
[Sat Dec 18 13:00:18 2004] [error] child process 2126 still did not exit, sending a SIGKILL
[Sat Dec 18 13:00:18 2004] [error] child process 2129 still did not exit, sending a SIGKILL
[Sat Dec 18 13:00:18 2004] [error] child process 2130 still did not exit, sending a SIGKILL


and on and on and on...

So, apparently, Apache is having a problem and taking down the server. I eventually also see complaints about user 80 exceeding the kern.maxfiles limit. That's probably when the server really takes a dump.

I've been monitoring top periodically to see if I can spot the problem, and an httpd process was consuming 95% of the CPU just now, and sure enough the above messages were streaming through the log. I also notice the following:

httpd in free(): warning: chunk is already free
httpd in free(): warning: chunk is already free
httpd in free(): warning: chunk is already free
httpd in free(): warning: chunk is already free
httpd in free(): warning: chunk is already free
httpd in free(): warning: chunk is already free
httpd in free(): warning: chunk is already free


Now, my problem is I'm not sure how to find the source of this problem and stop it. A Google search on those log entries suggests that it may be an attempt to exploit the Chunk Handling Vulnerability, but my Apache is newer than the fix for that.


http://httpd.apache.org/info/security_bulletin_20020617.txt

Anyhow, can anyone give me a suggestion on how to troubleshoot this? Thanks!

Here is the Apache in question:

Server Version: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7e PHP/4.3.10 DAV/1.0.3

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
