patrik
Verified User
- Joined
- Sep 6, 2006
- Messages
- 126
Apache is freaking out
The symptom is very much like the thread "apache high load problems" in this forum but I would like to start a new thread.
It happends randomly as it seems, often twice a day. The first thing that happends is that I get an SMS alarm saying the mail server is down or anything like that. So I try to login with SSH and it goes reeeeaaaally slow. Finally I'm in and I'm able to run top (slow as hell).
It shows:
1441 processes:2 running, 1434 sleeping, 5 zombie
Swap: 19G Total, 2104M Used, 17G Free, 10% Inuse, 224K In, 124K Out
1441 processes(!), everytime this occurs the amount of processes is above 1000. Check Swap usage, 2104MB! There's like no Free RAM left and ~200MB inactive. The tool for checking I/O (gstat) shows a 100% load on the disk. Probably it has much to do with the fact that it has to write/read swap all the time.
Okay, I have checked apache error_log and the interesting part is this:
The CPU load is high but not terribly high. The only module that is not added by default to Apache (by DA) that we have loaded is FastCGI but I have tried to disable this module but no luck.
I have googled a lot and read about DoS attacks and such, could it be the problem?
Or is it MySQL as the neighbour forum thread guesses?
Hmm, actually, when I was writing this the damn thing occured again, server-status on apache showed very many 'W' (where apache is sending replies) so I tried a new thing, restart MySQL and after a while I reloaded server-status and almost every 'W' was gone.
I have upgraded apache to 1.3.37 and MySQL is running 4.1.14 and it's PHP 4.4.2.
The symptom is very much like the thread "apache high load problems" in this forum but I would like to start a new thread.
It happends randomly as it seems, often twice a day. The first thing that happends is that I get an SMS alarm saying the mail server is down or anything like that. So I try to login with SSH and it goes reeeeaaaally slow. Finally I'm in and I'm able to run top (slow as hell).
It shows:
1441 processes:2 running, 1434 sleeping, 5 zombie
Swap: 19G Total, 2104M Used, 17G Free, 10% Inuse, 224K In, 124K Out
1441 processes(!), everytime this occurs the amount of processes is above 1000. Check Swap usage, 2104MB! There's like no Free RAM left and ~200MB inactive. The tool for checking I/O (gstat) shows a 100% load on the disk. Probably it has much to do with the fact that it has to write/read swap all the time.
Okay, I have checked apache error_log and the interesting part is this:
[Fri Dec 15 13:15:53 2006] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HT
ML error page (OpenSSL library error follows)
[Fri Dec 15 13:15:53 2006] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [H
int: speaking HTTP to HTTPS port!?]
^GOut of memory (Needed 8164 bytes)
^GOut of memory (Needed 8164 bytes)
^GOut of memory (Needed 8164 bytes)
httpd in free(): error: page is already free
[Fri Dec 15 14:08:38 2006] [notice] child pid 78790 exit signal Abort trap (6)
httpd in free(): error: page is already free
[Fri Dec 15 14:11:36 2006] [notice] child pid 8307 exit signal Abort trap (6)
httpd in free(): error: page is already free
httpd in free(): error: page is already free
httpd in free(): error: page is already free
httpd in free(): error: page is already free
[Fri Dec 15 14:35:47 2006] [notice] child pid 18018 exit signal Abort trap (6)
[Fri Dec 15 14:35:47 2006] [notice] child pid 15772 exit signal Abort trap (6)
[Fri Dec 15 14:35:47 2006] [notice] child pid 15479 exit signal Abort trap (6)
[Fri Dec 15 14:35:47 2006] [notice] child pid 15433 exit signal Abort trap (6)
[Fri Dec 15 14:50:53 2006] [error] [client 213.246.61.91] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Fri Dec 15 14:50:54 2006] [error] [client 213.246.61.91] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Fri Dec 15 14:50:54 2006] [error] [client 213.246.61.91] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Fri Dec 15 14:50:54 2006] [error] [client 213.246.61.91] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Fri Dec 15 14:52:56 2006] [warn] child process 75976 still did not exit, sending a SIGTERM
[Fri Dec 15 14:52:56 2006] [warn] child process 75978 still did not exit, sending a SIGTERM
[Fri Dec 15 14:52:56 2006] [warn] child process 75979 still did not exit, sending a SIGTERM
[Fri Dec 15 14:52:56 2006] [warn] child process 76653 still did not exit, sending a SIGTERM
[Fri Dec 15 14:52:56 2006] [warn] child process 76655 still did not exit, sending a SIGTERM
.... and it goes on like this and then there's a row like this:
httpd in free(): error: recursive call
... and then it continues with SIGTERM rows..
The CPU load is high but not terribly high. The only module that is not added by default to Apache (by DA) that we have loaded is FastCGI but I have tried to disable this module but no luck.
I have googled a lot and read about DoS attacks and such, could it be the problem?
Or is it MySQL as the neighbour forum thread guesses?
Hmm, actually, when I was writing this the damn thing occured again, server-status on apache showed very many 'W' (where apache is sending replies) so I tried a new thing, restart MySQL and after a while I reloaded server-status and almost every 'W' was gone.
I have upgraded apache to 1.3.37 and MySQL is running 4.1.14 and it's PHP 4.4.2.
Last edited: