Odd message in error.log - Usage: host.....

dwilko

Hi

One of our servers is having strange messages in the error log, also one of the httpd processes is using all of the CPU.

This is what we see in the error.log.

Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]
[-R number] hostname [server]
-a is equivalent to -v -t *
-c specifies query class for non-IN data
-C compares SOA records on authoritative nameservers
-d is equivalent to -v
-l lists all hosts in a domain, using AXFR
-i IP6.INT reverse lookups
-N changes the number of dots allowed before root lookup is done
-r disables recursive processing
-R specifies number of retries for UDP packets
-t specifies the query type
-T enables TCP/IP mode
-v enables verbose output
-w specifies to wait forever for a reply
-W specifies how long to wait for a reply
-4 use IPv4 query transport only
-6 use IPv6 query transport only
-s a SERVFAIL response should stop query

Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]
[-R number] hostname [server]
-a is equivalent to -v -t *
-c specifies query class for non-IN data
-C compares SOA records on authoritative nameservers
-d is equivalent to -v
-l lists all hosts in a domain, using AXFR
-i IP6.INT reverse lookups
-N changes the number of dots allowed before root lookup is done
-r disables recursive processing
-R specifies number of retries for UDP packets
-t specifies the query type
-T enables TCP/IP mode
-v enables verbose output
-w specifies to wait forever for a reply
-W specifies how long to wait for a reply
-4 use IPv4 query transport only
-6 use IPv6 query transport only
-s a SERVFAIL response should stop query


This is repeated in the error log over and over again.

If I restart Apache it's fine for about 10 mins, then it starts with that again.

Has anyone seen this before or have any ideas on what's going on and how to fix it?


Regards

David
 
What is calling the host command? It must be passing bad arguments.
 
Hi

That is the problem, I have no idea what is calling it other than it's in the Apache log.
It doesn't seem to match anything in the access log, unless it's under one of the vhosts where the access is taking place, but then I would think if it was one of the vhosts it should be in the vhost error log and not the non-vhost error log?

It shouldn't be any PHP code calling it, as I have the shell commands disabled in PHP.


disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source

Regards

David
 
Probably will be very hard to track down. You could just change e_error to e_error(0). Might also have to change display_errors to off.
 
Hi

I don't think that will help.

Just stopping it from showing in the error log won't fix the problem.

1) while this is happening the CPU on the server is 90-100%

2) The problem is I don't know which of my users' sites is doing this.

3) What else is going on, as for an error to show in /var/log/httpd/error.log only the "host" command is giving an error, makes me wonder what else is happening.

Regards

David
 
Could be a DOS attack on your server? I'm just picking straws here.

Jeff
 
This is the error in httpd error_log file

Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]
            [-R number] [-m flag] hostname [server]
       -a is equivalent to -v -t ANY
       -c specifies query class for non-IN data
       -C compares SOA records on authoritative nameservers
       -d is equivalent to -v
       -l lists all hosts in a domain, using AXFR
       -i IP6.INT reverse lookups
       -N changes the number of dots allowed before root lookup is done
       -r disables recursive processing
       -R specifies number of retries for UDP packets
       -s a SERVFAIL response should stop query
       -t specifies the query type
       -T enables TCP/IP mode
       -v enables verbose output
       -w specifies to wait forever for a reply
       -W specifies how long to wait for a reply
       -4 use IPv4 query transport only
       -6 use IPv6 query transport only
       -m set memory debugging flag (trace|record|usage)
 
If it's an outbound DOS attack from one of the sites you host, you should be able to see a large discrepancy in bandwidth consumption on one of the users, at least that will give you a starting point.
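
One way to answer the question raised earlier in the thread ("What is calling the host command?"), as an added example that is not from any poster: take a process snapshot while the usage text is being logged and walk each `host` process back through its parents to the httpd child and account that spawned it. The function name `host_callers` and the sample snapshot (PIDs, user `apache`, `sh -c host`) are constructed for illustration, and it assumes the `host` process is still alive when sampled, so run it repeatedly during the CPU spike.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list every running `host` process
# together with its chain of parent processes.
# Input on stdin: output of `ps -eo pid,ppid,user,args`, header included.
host_callers() {
  awk '
    NR == 1 { next }                          # skip the ps header line
    {
      pid = $1; parent[pid] = $2; owner[pid] = $3
      cmd = $4
      for (i = 5; i <= NF; i++) cmd = cmd " " $i
      cmdline[pid] = cmd
      exe = $4; sub(/.*\//, "", exe)          # basename of argv[0]
      if (exe == "host") hit[pid] = 1
    }
    END {
      for (h in hit) {
        chain = ""; p = h; depth = 0
        # Walk child -> parent until the parent is not in the snapshot.
        while ((p in parent) && depth++ < 32) {
          sep = (chain == "") ? "" : " <- "
          chain = chain sep p "(" owner[p] ") [" cmdline[p] "]"
          p = parent[p]
        }
        print chain
      }
    }' | sort -n
}

# Constructed sample snapshot; every PID, user and command is made up.
sample_ps() {
  cat <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  812     1 root     /usr/sbin/httpd -k start
 2291   812 apache   /usr/sbin/httpd -k start
 2307  2291 apache   sh -c host
 2308  2307 apache   host
 2410   812 apache   /usr/sbin/httpd -k start
EOF
}

sample_ps | host_callers
# Live use: ps -eo pid,ppid,user,args | host_callers
```

The PID of the httpd child in the chain can then be checked against `/proc/<pid>/cwd` and its open files to see which site it was serving.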
 