Richard G
Verified User
Anybody seen this sometime?
I got this mail from my firewall CSF/LFD:
Subject: lfd on server.mydomain.nl: Excessive resource usage: ppxxxxxx (32543 (Parent PID:32050))
Time: Wed Jan 15 17:12:26 2014 +0100
Account: ppxxxxxx
Resource: Virtual Memory Size
Exceeded: 250 > 150 (MB)
Executable: /usr/bin/host
Command Line: host -W 1 157.56.93.93
PID: 32543 (Parent PID:32050)
Killed: No
This was only one time. A few days later I went looking for something else, and found a flood of this in the apache error_log:
Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]
[-R number] [-m flag] hostname [server]
-a is equivalent to -v -t ANY
-c specifies query class for non-IN data
-C compares SOA records on authoritative nameservers
-d is equivalent to -v
-l lists all hosts in a domain, using AXFR
-i IP6.INT reverse lookups
-N changes the number of dots allowed before root lookup is done
-r disables recursive processing
-R specifies number of retries for UDP packets
-s a SERVFAIL response should stop query
-t specifies the query type
-T enables TCP/IP mode
-v enables verbose output
-w specifies to wait forever for a reply
-W specifies how long to wait for a reply
-4 use IPv4 query transport only
-6 use IPv6 query transport only
-m set memory debugging flag (trace|record|usage)
There is no time with it, no script which is using it, no domain name where it's coming from and no timestamp, you only see what I just posted. So I don't know what is causing this error notice and I want to get rid of it.
I tried searching in /var/log/messages, in httpd access_log, and in the user's httpd logs with the command line mentioned in the firewall message and also searched for system() and exec in those logs. Nothing. Cron log, nothing.
Looking for "host" is not doable, because every file points to localhost, the hostname or domain name of the server, which also has "host" in it. Then almost every file in the user's directory has something like ihost =, dbhost =, host = or localhost in them, so too many results.
I presume it's caused by something in the user's account from which I have the firewall notice, but he has 20 domains in there with WordPress and PrestaShop installations in them.
Is there no way to extend the logging of apache, so we get a bit more info than only the result log of a badly used host command?
Or any other way to find where exactly it's coming from? Because I'm out of ideas.
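One way to narrow the file search described in the post above, as an added example that is not part of the original post: look only at PHP files that call a process-spawning function, and match "host" only where it is a command word followed by an option, so dbhost =, host = and localhost drop out. The file names and PHP lines in make_demo_tree are constructed sample data, and the two patterns are assumptions about how the call is written; obfuscated code will not match them.

```shell
#!/bin/sh
# Added example (not from the original post). File names and PHP lines in
# make_demo_tree are constructed sample data.

# `host` used as a command word and followed by an option: matches
# "host -W 1 ..." and "/usr/bin/host -t ...", but not "dbhost =",
# "localhost" or "$host".
HOST_CMD_RE='(^|[^[:alnum:]_$])host[[:space:]]+-[[:alnum:]]'
# PHP functions that start an external process (curl_exec etc. excluded;
# backtick execution is not covered).
PHP_EXEC_RE='(^|[^[:alnum:]_])(exec|shell_exec|system|passthru|popen|proc_open)[[:space:]]*\('

# find_host_callers DIR
# Prints file:line:text for each host invocation found in a PHP file that
# also calls one of the process-spawning functions.
find_host_callers() {
    find "$1" -type f -name '*.php' -exec grep -lE "$PHP_EXEC_RE" {} + 2>/dev/null |
    while IFS= read -r f; do
        # /dev/null as second file forces the file name into the output
        grep -nE "$HOST_CMD_RE" "$f" /dev/null || true
    done
}

# Builds a small constructed tree to try the search on; prints its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/shop/config" "$d/blog/wp-content/plugins/stats"
    cat > "$d/shop/config/settings.inc.php" <<'EOF'
<?php
$dbhost = 'localhost';
$host = $_SERVER['HTTP_HOST'];
system('uptime');
EOF
    cat > "$d/blog/wp-content/plugins/stats/lookup.php" <<'EOF'
<?php
$ip  = $_SERVER['REMOTE_ADDR'];
$out = shell_exec("host -W 1 " . escapeshellarg($ip));
EOF
    cat > "$d/blog/wp-config.php" <<'EOF'
<?php
define('DB_HOST', 'localhost');
EOF
    printf '%s\n' "$d"
}
```

On the server, find_host_callers would be pointed at the account's home directory instead of the demo tree.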