too many httpd process, load average=overload

wazburn

Within 24 hours of monitoring, it seems my load average does not go down. I seek advice and help.

I use:
centos 6
with xcache + memcached

Dedicated:
Dual Processor Intel Xeon 3Ghz
2GB RAM


My sites do not really get that much traffic. I run 6 sites here.

Code:
top - 03:00:08 up 14:45,  1 user,  load average: 89.90, 107.69, 80.06
Tasks: 333 total,  70 running, 263 sleeping,   0 stopped,   0 zombie
Cpu(s): 94.0%us,  5.5%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.4%si,  0.0%st
Mem:   2054680k total,  1801632k used,   253048k free,    38116k buffers
Swap:  4128760k total,   219744k used,  3909016k free,   311912k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1962 mysql     20   0 2859m 192m 3716 S 41.7  9.6 425:58.22 mysqld
25080 apache    20   0  292m  22m  13m R 13.7  1.1   0:11.36 httpd
25152 apache    20   0  290m  16m 7684 R 13.7  0.8   0:16.74 httpd
25283 apache    20   0  290m  23m  13m R 13.7  1.2   0:04.23 httpd
25155 apache    20   0  290m  17m 8420 R 13.4  0.9   0:17.10 httpd
25662 apache    20   0  290m  13m 3908 R 10.0  0.7   0:03.81 httpd
25457 apache    20   0  292m  17m 8472 R  8.4  0.8   0:05.23 httpd
24795 apache    20   0  298m  35m  20m R  8.1  1.8   0:15.97 httpd
24510 apache    20   0  289m  20m  12m S  7.8  1.0   0:32.35 httpd
25316 apache    20   0  290m  18m 9524 R  7.5  0.9   0:09.49 httpd
24349 apache    20   0  290m  21m  12m R  7.2  1.1   0:35.57 httpd
25315 apache    20   0  290m  15m 6480 R  7.2  0.8   0:13.37 httpd
25194 apache    20   0  290m  20m  12m R  6.2  1.0   0:11.23 httpd
25245 apache    20   0  294m  25m  13m R  6.2  1.2   0:08.63 httpd
25585 apache    20   0  290m  16m 7412 R  6.2  0.8   0:01.73 httpd
25762 apache    20   0  289m  11m 4284 R  6.2  0.6   0:00.22 httpd
25592 apache    20   0  292m  18m 9580 R  5.9  0.9   0:01.53 httpd
25311 apache    20   0  289m  14m 5844 R  5.6  0.7   0:11.48 httpd
25431 apache    20   0  294m  31m  18m R  5.6  1.6   0:06.76 httpd
25489 apache    20   0  290m  14m 5844 R  5.6  0.7   0:06.31 httpd
23899 apache    20   0  290m  21m  13m R  5.3  1.1   0:46.03 httpd
24501 apache    20   0  292m  21m  12m R  5.3  1.1   0:21.89 httpd
24588 apache    20   0  290m  24m  14m R  5.3  1.2   0:24.85 httpd
24401 apache    20   0  290m  19m  10m R  5.0  1.0   0:41.82 httpd
25219 apache    20   0  290m  12m 4240 R  5.0  0.6   0:17.14 httpd
25282 apache    20   0  289m  12m 4300 R  5.0  0.6   0:16.17 httpd
25675 apache    20   0  290m  13m 4420 R  5.0  0.7   0:03.25 httpd
25757 apache    20   0  290m  15m 7348 R  5.0  0.8   0:00.28 httpd
25760 apache    20   0  290m  12m 3904 R  5.0  0.6   0:00.44 httpd
25473 apache    20   0  289m  14m 5496 R  4.7  0.7   0:10.24 httpd
25738 apache    20   0  289m  12m 4176 R  4.7  0.6   0:00.61 httpd
24118 apache    20   0  293m  25m  15m R  4.4  1.2   0:52.25 httpd

Code:
[root@server ~]# tail /var/log/httpd/error_log
sh: /usr/local/bin/convert: No such file or directory
sh: /usr/local/bin/convert: No such file or directory
sh: /usr/local/bin/convert: No such file or directory
sh: /usr/local/bin/convert: No such file or directory
sh: /usr/local/bin/convert: No such file or directory
sh: /usr/local/bin/convert: No such file or directory
sh: /usr/local/bin/convert: No such file or directory
sh: /usr/local/bin/convert: No such file or directory
sh: /usr/local/bin/convert: No such file or directory
sh: /usr/local/bin/convert: No such file or directory

112.205.127.53 <<< this is my home IP not server IP
Code:
[root@server ~]# tail /var/log/directadmin/error.log
2011:12:05-10:54:53: Timeout from from 112.205.127.53 : last flagged: Command::doCommand(/CMD_DB)
2011:12:05-11:16:13: Timeout from from 112.205.127.53 : last flagged: getlock(./data/admin/login.hist) : finished
2011:12:05-11:19:27: Timeout from from 112.205.127.53 : last flagged: getlock(./data/users/myuser/login.hist) : finished
2011:12:05-11:29:54: Timeout from from 112.205.127.53 : last flagged: getlock(./data/admin/admin.usage) : finished
2011:12:05-11:31:37: removing old lock: ./data/admin/admin.usage.lock (age: 107 seconds)
2011:12:05-11:36:09: Timeout from from 112.205.127.53 : last flagged: Log::~Log : done
2011:12:05-11:36:10: *** Segmentation fault *** Log::~Log : done : User: admin : (null) : (null) : (null) : (null)
2011:12:05-11:36:35: Timeout from from 112.205.127.53 : last flagged: getDirFilesAndDirs(/usr/local/directadmin/data/sessions, *tlf, *tdlf, diradmin) : done
2011:12:05-23:40:04: Timeout from from 112.205.127.53 : last flagged: Log::~Log : done
2011:12:05-23:40:41: Timeout from from 112.205.127.53 : last flagged: Log::~Log : done

I also set DA security:
Time before failed login count resets 60 seconds
Remove an IP from the blacklist after 15 minutes
Blacklist IPs for excessive login attempts after 10 login attempts.


This is my last check after 10 min from "top" result above

Code:
top - 03:13:08 up 14:58,  1 user,  load average: 13.36, 26.72, 49.27
Tasks: 239 total,   3 running, 235 sleeping,   0 stopped,   1 zombie
Cpu0  : 49.3%us,  0.3%sy,  0.0%ni, 50.3%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu1  : 85.8%us,  4.0%sy,  0.0%ni, 10.2%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu2  : 76.6%us, 11.9%sy,  0.0%ni, 10.9%id,  0.3%wa,  0.0%hi,  0.3%si,  0.0%st
Cpu3  : 32.3%us,  4.0%sy,  0.0%ni, 61.1%id,  2.0%wa,  0.0%hi,  0.7%si,  0.0%st
Mem:   2054680k total,  1255692k used,   798988k free,    66244k buffers
Swap:  4128760k total,   214648k used,  3914112k free,   466836k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
26774 apache    20   0  290m  16m 7600 R 89.8  0.8   0:36.46 httpd
26691 apache    20   0  292m  19m  10m S 55.7  1.0   0:11.14 httpd
27024 apache    20   0  289m  12m 4168 R 50.7  0.6   0:01.53 httpd
 1962 mysql     20   0 2858m 191m 3748 S 49.1  9.5 433:31.79 mysqld
26993 apache    20   0  289m  18m  10m S  3.6  0.9   0:03.95 httpd
26885 apache    20   0  291m  19m  10m S  2.0  1.0   0:01.79 httpd
26985 apache    20   0  289m  14m 6112 S  1.3  0.7   0:00.47 httpd
25931 apache    20   0     0    0    0 Z  1.0  0.0   0:30.31 httpd <defunct>
26782 apache    20   0  292m  18m 9236 S  1.0  0.9   0:00.44 httpd
26635 apache    20   0  290m  17m 8828 S  0.7  0.9   0:15.89 httpd
26770 apache    20   0  292m  17m 8432 S  0.7  0.9   0:00.59 httpd
26920 root      20   0 15072 1276  868 R  0.7  0.1   0:00.64 top
26981 apache    20   0  289m  14m 6704 S  0.7  0.7   0:00.41 httpd
  827 root      20   0     0    0    0 S  0.3  0.0   0:04.44 jbd2/dm-2-8
 2220 named     20   0  392m  12m 1380 S  0.3  0.6   0:54.78 named
14454 root      20   0  285m 8684 4540 S  0.3  0.4   0:06.76 httpd
26006 apache    20   0  291m  24m  14m S  0.3  1.2   0:29.99 httpd
26341 apache    20   0  290m  20m  10m S  0.3  1.0   0:29.10 httpd
26620 apache    20   0  288m  17m 9540 S  0.3  0.9   0:22.29 httpd
26629 apache    20   0  289m  17m 8780 S  0.3  0.9   0:18.27 httpd
26640 apache    20   0  290m  17m 8816 S  0.3  0.9   0:17.33 httpd
26687 apache    20   0  290m  20m  11m S  0.3  1.0   0:16.53 httpd
26783 apache    20   0  288m  18m  10m S  0.3  0.9   0:15.70 httpd
26868 apache    20   0  290m  17m 8340 S  0.3  0.9   0:09.89 httpd
26897 apache    20   0  289m  15m 6884 S  0.3  0.7   0:16.09 httpd
26913 apache    20   0  289m  13m 5740 S  0.3  0.7   0:01.69 httpd
26924 apache    20   0  288m  16m 8592 S  0.3  0.8   0:00.19 httpd
26931 apache    20   0  290m  17m 9864 S  0.3  0.9   0:00.22 httpd
26978 apache    20   0  288m  12m 4844 S  0.3  0.6   0:00.11 httpd
26987 apache    20   0  289m  12m 4788 S  0.3  0.6   0:00.14 httpd
26990 apache    20   0  289m  18m 9576 S  0.3  0.9   0:00.22 httpd
26997 apache    20   0  289m  13m 5500 S  0.3  0.7   0:00.16 httpd
27002 apache    20   0  289m  13m 5300 S  0.3  0.7   0:01.64 httpd
27003 apache    20   0  286m 6344 1660 S  0.3  0.3   0:00.04 httpd
27018 apache    20   0  286m 6092 1592 S  0.3  0.3   0:00.01 httpd


20 minutes later check:
Code:
top - 03:46:32 up 15:31,  1 user,  load average: 7.30, 3.70, 9.01
Tasks: 244 total,   7 running, 236 sleeping,   0 stopped,   1 zombie
Cpu0  : 84.0%us, 16.0%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu1  : 96.4%us,  3.6%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu2  : 98.7%us,  1.3%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu3  : 93.1%us,  5.6%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  1.3%si,  0.0%st
Mem:   2054680k total,  1876576k used,   178104k free,   351724k buffers
Swap:  4128760k total,   212524k used,  3916236k free,   626576k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1962 mysql     20   0 2858m 191m 3752 S 62.5  9.5 447:34.63 mysqld
29899 apache    20   0  290m  18m 9888 R 59.2  0.9   0:02.72 httpd
30132 apache    20   0  289m  12m 4300 R 55.6  0.6   0:01.80 httpd
29880 apache    20   0  292m  19m  10m S 49.3  0.9   0:16.92 httpd
29910 apache    20   0  292m  22m  13m R 44.0  1.1   0:15.74 httpd
30028 apache    20   0  290m  14m 5744 R 44.0  0.7   0:14.56 httpd
29933 apache    20   0  290m  18m 9592 R 42.0  0.9   0:19.82 httpd
29694 apache    20   0     0    0    0 Z 12.6  0.0   0:22.36 httpd <defunct>
29926 apache    20   0  289m  13m 5176 S 12.6  0.7   0:18.15 httpd
30133 apache    20   0  289m  14m 6128 S  2.0  0.7   0:00.13 httpd
29920 apache    20   0  290m  17m 8336 S  1.7  0.9   0:18.69 httpd
30090 apache    20   0  289m  17m 9256 S  1.3  0.9   0:00.27 httpd
30124 apache    20   0  289m  16m 8864 S  1.3  0.8   0:01.11 httpd
30130 apache    20   0  289m  13m 5544 R  1.3  0.7   0:00.05 httpd
 2220 named     20   0  392m  13m 2028 S  1.0  0.7   1:03.30 named

For 24 hours I don't know if this is normal; usually I just get a load average of 1.0 2.0 2.0.

It started when I used videoswiper to embed 4k+ videos and the load average climbed high at the time of the job, but it has been 24 hours and it still has a high load average.

I don't know if this could be a DoS attack or something similar. If it is, please advise.


help
 
Enable server-status (httpd-status) and see what site and pages are mostly requested. Your site might be under a (D)DoS attack.
 
thanks

edited /etc/httpd/conf/extra/httpd-info.conf

<Location /[myown]-status>
SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .example.com
</Location>

browsed:
http://myip/[myown]-status

returned:
Code:
Server Version: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0-fips DAV/2 PHP/5.2.17
Server Built: Nov 23 2011 20:54:48

Current Time: Tuesday, 06-Dec-2011 04:24:59 CST
Restart Time: Tuesday, 06-Dec-2011 04:24:54 CST
Parent Server Generation: 0
Server uptime: 5 seconds
32 requests currently being processed, 0 idle workers

KKKKCKKKKKKKCCCCKCKCKKKWKKWKKWSKWSSS............................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
..

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

PID Key:

   32721 in state: K ,   32722 in state: K ,   32723 in state: K 
   32724 in state: K ,   32725 in state: C ,   32726 in state: K 
   32727 in state: K ,   32728 in state: K ,   32729 in state: K 
   32730 in state: K ,   32731 in state: K ,   32732 in state: K 
   32733 in state: C ,   32734 in state: C ,   32735 in state: C 
   32736 in state: C ,   32737 in state: K ,   32738 in state: C 
   32739 in state: K ,   32740 in state: C ,   32741 in state: K 
   32742 in state: K ,   32743 in state: K ,   32744 in state: W 
   32745 in state: K ,   32746 in state: K ,   32747 in state: W 
   32748 in state: K ,   32749 in state: K ,   32750 in state: W 
   32751 in state: S ,   32752 in state: K ,   32753 in state: W 
   32754 in state: S ,   32755 in state: S ,   0 in state: S 


To obtain a full report with current status information you need to use the ExtendedStatus On directive.
SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current sessions: 0
subcaches: 32, indexes per subcache: 133
index usage: 0%, cache usage: 0%
total sessions stored since starting: 0
total sessions expired since starting: 0
total (pre-expiry) sessions scrolled out of the cache: 0
total retrieves since starting: 0 hit, 0 miss
total removes since starting: 0 hit, 0 miss

also:

Code:
[root@server ~]# netstat -n | grep :80 |wc -l
1288
[root@server ~]# netstat -n | grep :80 | grep SYN |wc -l
23


at the moment making this reply my load average drops (strange):
Code:
top - 04:30:08 up 16:15,  1 user,  load average: 2.20, 3.12, 3.54
Tasks: 202 total,   1 running, 200 sleeping,   0 stopped,   1 zombie
Cpu(s): 17.5%us,  4.8%sy,  0.0%ni, 77.4%id,  0.3%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   2054680k total,  1602028k used,   452652k free,   302356k buffers
Swap:  4128760k total,   204364k used,  3924396k free,   630840k cached
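
Added example, not part of the original posts: the `<Location>` block posted above has its access-control lines commented out, so the status page is served to any client that requests that URL. This shell check flags such blocks in a config read from stdin; the sample configs, the `/example-status` path and the address 192.0.2.10 are constructed for illustration, and the restricted variant uses Apache 2.2 syntax to match the 2.2.21 server shown.

```shell
#!/bin/sh
# Added example: flag server-status handlers that have no active access control.

# Constructed sample mirroring the block posted in the thread (ACL commented out).
weak_conf() {
cat <<'EOF'
<Location /example-status>
SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .example.com
</Location>
EOF
}

# Constructed Apache 2.2 variant; 192.0.2.10 stands in for the admin's address.
hardened_conf() {
cat <<'EOF'
<Location /example-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Location>
EOF
}

# Reads an httpd config on stdin. For every <Location> block that sets the
# server-status handler it prints "OPEN line N: <header>" when the block has no
# active restricting directive, else "RESTRICTED line N: <header>".
# RESTRICTED only means a directive is present; the rule itself still needs review.
audit_status_conf() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)      # directives may be indented
        low = tolower(line)           # directive names are case-insensitive
    }
    low == "" || low ~ /^#/ { next }  # a commented-out ACL restricts nothing
    low ~ /^<location[ \t]/ {
        inblk = 1; hdr = line; start = NR; status = 0; acl = 0
        next
    }
    !inblk { next }
    low ~ /^sethandler[ \t]+server-status/ { status = 1 }
    low ~ /^deny[ \t]/             { acl = 1 }   # 2.2: Deny from ...
    low ~ /^order[ \t]+allow,deny/ { acl = 1 }   # 2.2: default is deny
    low ~ /^require[ \t]/ && low !~ /^require[ \t]+all[ \t]+granted/ { acl = 1 }
    low ~ /^<\/location>/ {
        if (status)
            printf "%s line %d: %s\n", (acl ? "RESTRICTED" : "OPEN"), start, hdr
        inblk = 0
    }'
}

weak_conf | audit_status_conf
hardened_conf | audit_status_conf
```

On the server in the thread it would be run as `audit_status_conf < /etc/httpd/conf/extra/httpd-info.conf`.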
 
You should enable ExtendedStatus:

Code:
ExtendedStatus On

to see details.

thanks,
ExtendedStatus On

Code:
Current Time: Tuesday, 06-Dec-2011 11:15:47 CST
Restart Time: Tuesday, 06-Dec-2011 11:15:38 CST
Parent Server Generation: 0
Server uptime: 8 seconds
Total accesses: 318 - Total Traffic: 2.1 MB
CPU Usage: u2.27 s.23 cu0 cs0 - 31.3% CPU load
39.8 requests/sec - 267.3 kB/second - 6.7 kB/request
63 requests currently being processed, 37 idle workers

__C_CC__CKCCC__R____K_C__CC_C_____WKCC__CC_C_CCCCCC__C_CKC_CCCCC
KCRCCCC_C____C_KKWCCKKKCK__WWKKKKKK_............................
................................................................
................................................................
................................................................
................................................................
................................................................
..

The rest I think it's inappropriate to post here; most is adult-related content.

what should I expect below if there is a suspected DOS attack or similar?
I see now under VHOST - shared.domain, localhost, and some of my sites I run
 
Hide domains then, otherwise you'd better Google with a request "how to detect ddos attack".

thanks, this is the full result:

Code:
Current Time: Tuesday, 06-Dec-2011 11:15:47 CST
Restart Time: Tuesday, 06-Dec-2011 11:15:38 CST
Parent Server Generation: 0
Server uptime: 8 seconds
Total accesses: 318 - Total Traffic: 2.1 MB
CPU Usage: u2.27 s.23 cu0 cs0 - 31.3% CPU load
39.8 requests/sec - 267.3 kB/second - 6.7 kB/request
63 requests currently being processed, 37 idle workers

__C_CC__CKCCC__R____K_C__CC_C_____WKCC__CC_C_CCCCCC__C_CKC_CCCCC
KCRCCCC_C____C_KKWCCKKKCK__WWKKKKKK_............................
................................................................
................................................................
................................................................
................................................................
................................................................
..

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

Srv	PID	Acc	M	CPU 	SS	Req	Conn	Child	Slot	Client	VHost	Request
0-0	25859	0/9/9	_ 	0.40	0	1	0.0	0.02	0.02 	116.29.61.230	shared.domain	NULL
1-0	25860	0/7/7	_ 	0.00	0	1	0.0	0.02	0.02 	116.29.61.230	shared.domain	NULL
2-0	25861	2/9/9	C 	0.01	1	2	10.1	0.07	0.07 	125.164.13.225	localhost	NULL
3-0	25862	0/17/17	_ 	0.02	0	1	0.0	0.23	0.23 	220.255.1.155	shared.domain	NULL
4-0	25863	2/8/8	C 	0.00	1	1	0.0	0.05	0.05 	116.29.61.230	shared.domain	NULL
5-0	25864	13/15/15	C 	0.01	0	1	43.0	0.06	0.06 	113.53.16.105	localhost	NULL
6-0	25865	0/13/13	_ 	0.01	0	2	0.0	0.17	0.17 	220.255.1.105	shared.domain	NULL
7-0	25866	0/6/6	_ 	0.00	0	1	0.0	0.02	0.02 	116.29.61.230	shared.domain	NULL
8-0	25867	2/8/8	C 	0.00	0	2	0.0	0.04	0.04 	223.207.194.190	shared.domain	NULL
9-0	25868	10/13/13	K 	0.02	0	2	26.6	0.04	0.04 	219.146.175.138	www.HIDDEN2.com	GET /media_thumbs/25.jpg HTTP/1.1
10-0	25869	2/4/4	C 	0.00	1	1	0.0	0.00	0.00 	116.29.61.230	shared.domain	NULL
11-0	25870	11/11/11	C 	0.01	0	31	29.5	0.03	0.03 	113.53.16.105	localhost	NULL
12-0	25871	2/4/4	C 	0.00	0	2	0.0	0.01	0.01 	116.29.61.230	shared.domain	NULL
13-0	25872	0/3/3	_ 	0.11	1	254	0.0	0.02	0.02 	66.249.71.40	www.HIDDEN4.com	GET /view/1031/little-white-anal-chick-a-big-black-dick-2-mae-v
14-0	25873	0/4/4	_ 	0.00	0	1	0.0	0.04	0.04 	202.29.238.134	shared.domain	NULL
15-0	25874	0/2/2	R 	0.00	1	3	0.0	0.02	0.02 	?	?	..reading..
16-0	25875	0/4/4	_ 	0.00	0	1	0.0	0.05	0.05 	202.29.238.134	shared.domain	NULL
17-0	25876	0/4/4	_ 	0.00	0	1	0.0	0.04	0.04 	202.29.238.134	shared.domain	NULL
18-0	25877	0/4/4	_ 	0.00	0	1	0.0	0.05	0.05 	202.29.238.134	shared.domain	NULL
19-0	25878	0/4/4	_ 	0.00	0	1	0.0	0.00	0.00 	116.29.61.230	shared.domain	NULL
20-0	25879	9/9/9	K 	0.01	0	2	33.7	0.03	0.03 	219.146.175.138	www.HIDDEN2.com	GET /media_thumbs/27.jpg HTTP/1.1
21-0	25880	0/5/5	_ 	0.00	0	2	0.0	0.06	0.06 	220.255.1.167	shared.domain	NULL
22-0	25881	2/4/4	C 	0.00	0	513	17.1	0.04	0.04 	180.183.86.176	shared.domain	NULL
23-0	25882	0/4/4	_ 	0.00	0	1	0.0	0.04	0.04 	85.56.9.58	shared.domain	NULL
24-0	25883	0/4/4	_ 	0.00	0	1	0.0	0.01	0.01 	70.173.170.72	shared.domain	NULL
25-0	25884	2/4/4	C 	0.00	0	512	17.1	0.03	0.03 	180.183.86.176	shared.domain	NULL
26-0	25885	2/2/2	C 	0.00	1	1422	16.0	0.02	0.02 	113.131.214.94	shared.domain	NULL
27-0	25886	0/2/2	_ 	0.00	1	4	0.0	0.01	0.01 	125.212.40.43	localhost	NULL
28-0	25887	0/2/2	_ 	0.00	0	750	0.0	0.02	0.02 	113.131.214.94	shared.domain	NULL
29-0	25888	0/2/2	_ 	0.00	0	4	0.0	0.02	0.02 	101.109.156.101	shared.domain	NULL
30-0	25889	0/2/2	_ 	0.00	0	810	0.0	0.02	0.02 	113.131.214.94	shared.domain	NULL
31-0	25890	0/3/3	_ 	0.00	1	269	0.0	0.03	0.03 	85.56.9.58	shared.domain	NULL
32-0	25891	0/3/3	_ 	0.15	0	1	0.0	0.00	0.00 	116.29.61.230	shared.domain	NULL
33-0	25892	0/4/4	_ 	0.00	1	2	0.0	0.04	0.04 	220.255.1.103	shared.domain	NULL
34-0	25893	0/1/1	W 	0.00	3	0	0.0	0.01	0.01 	70.173.170.72	www.HIDDEN4.com	GET /view/2496/japanese-girls-horny-japanese-babe-deeply-****ed
35-0	25894	5/5/5	K 	0.00	0	1	86.7	0.08	0.08 	85.56.9.58	www.HIDDEN4.com	GET /media_thumbs/2557.jpg HTTP/1.1
36-0	25895	2/2/2	C 	0.00	1	3	0.0	0.00	0.00 	70.173.170.72	shared.domain	NULL
37-0	25896	2/2/2	C 	0.00	1	3	0.0	0.00	0.00 	70.173.170.72	shared.domain	NULL
38-0	25897	0/2/2	_ 	0.00	1	4	0.0	0.01	0.01 	70.173.170.72	shared.domain	NULL
39-0	25898	0/3/3	_ 	0.00	0	3	0.0	0.03	0.03 	220.255.1.128	shared.domain	NULL
40-0	25899	2/2/2	C 	0.00	1	6	0.0	0.00	0.00 	70.173.170.72	shared.domain	NULL
41-0	25900	2/2/2	C 	0.00	1	2	19.0	0.02	0.02 	114.79.50.176	shared.domain	NULL
42-0	25901	0/2/2	_ 	0.00	1	7	0.0	0.01	0.01 	70.173.170.72	shared.domain	NULL
43-0	25902	2/2/2	C 	0.00	1	522	17.1	0.02	0.02 	180.183.86.176	shared.domain	NULL
44-0	25903	0/2/2	_ 	0.00	0	3	0.0	0.01	0.01 	114.79.50.176	shared.domain	NULL
45-0	25904	4/4/4	C 	0.00	0	0	4.0	0.00	0.00 	114.79.1.56	localhost	NULL
46-0	25905	2/2/2	C 	0.00	1	7	0.0	0.00	0.00 	70.173.170.72	shared.domain	NULL
47-0	25906	3/3/3	C 	0.00	0	565	26.5	0.03	0.03 	113.53.16.105	localhost	NULL
48-0	25907	2/2/2	C 	0.00	1	19	0.0	0.00	0.00 	70.173.170.72	shared.domain	NULL
49-0	25908	2/2/2	C 	0.00	1	14	0.0	0.00	0.00 	70.173.170.72	shared.domain	NULL
50-0	25909	2/2/2	C 	0.13	1	300	0.0	0.00	0.00 	115.134.12.130	localhost	NULL
51-0	25910	0/2/2	_ 	0.00	1	10	0.0	0.01	0.01 	101.109.156.101	shared.domain	NULL
52-0	25911	0/1/1	_ 	0.25	0	1586	0.0	0.00	0.00 	180.76.5.66	www.HIDDEN2.com	GET /tag/bride/?page=1&sort=adddate HTTP/1.1
53-0	25912	2/2/2	C 	0.00	0	966	20.5	0.02	0.02 	113.131.214.94	shared.domain	NULL
54-0	25913	0/2/2	_ 	0.00	1	10	0.0	0.02	0.02 	85.56.9.58	shared.domain	NULL
55-0	25914	2/2/2	C 	0.00	1	15	17.0	0.02	0.02 	125.164.13.225	localhost	NULL
56-0	25915	1/4/4	K 	0.32	0	1	1.3	0.00	0.00 	115.134.12.130	www.HIDDEN1.com	GET /js/ajax_modals/colorbox.css HTTP/1.1
57-0	25916	2/2/2	C 	0.00	1	9	15.0	0.01	0.01 	125.164.13.225	localhost	NULL
58-0	25917	0/3/3	_ 	0.00	0	12	0.0	0.03	0.03 	220.255.1.161	shared.domain	NULL
59-0	25918	3/3/3	C 	0.00	1	2	13.8	0.01	0.01 	113.53.16.105	localhost	NULL
60-0	25919	2/2/2	C 	0.00	1	15	15.8	0.02	0.02 	202.29.238.134	shared.domain	NULL
61-0	25920	2/2/2	C 	0.00	1	3	15.8	0.02	0.02 	202.29.238.134	shared.domain	NULL
62-0	25921	2/2/2	C 	0.00	1	3	15.1	0.01	0.01 	125.164.13.225	localhost	NULL
63-0	25922	2/2/2	C 	0.01	0	25	0.8	0.00	0.00 	115.134.12.130	localhost	NULL
64-0	25923	4/4/4	K 	0.00	0	0	6.7	0.01	0.01 	114.79.1.56	www.HIDDEN6.com	GET /media/player/skins/default/sd.png HTTP/1.1
65-0	25924	2/2/2	C 	0.00	1	13	14.5	0.01	0.01 	125.164.13.225	localhost	NULL
66-0	25925	0/1/1	R 	0.73	1	831	0.0	0.00	0.00 	?	?	..reading..
67-0	25926	2/3/3	C 	0.00	0	517	19.1	0.04	0.04 	180.183.86.176	shared.domain	NULL
68-0	25927	2/2/2	C 	0.00	0	514	19.1	0.02	0.02 	180.183.86.176	shared.domain	NULL
69-0	25928	2/2/2	C 	0.00	0	9	8.9	0.01	0.01 	113.53.16.105	localhost	NULL
70-0	25929	2/2/2	C 	0.00	0	3	19.1	0.02	0.02 	101.109.156.101	shared.domain	NULL
71-0	25930	0/2/2	_ 	0.00	0	3	0.0	0.01	0.01 	113.179.24.23	localhost	NULL
72-0	25931	2/2/2	C 	0.00	0	8	8.9	0.01	0.01 	113.53.16.105	localhost	NULL
73-0	25932	0/1/1	_ 	0.18	1	301	0.0	0.00	0.00 	66.249.71.20	www.HIDDEN3.com	GET /view/3404/pretty-indian-babe-will-do-anything-to-win-the-b
74-0	25933	0/2/2	_ 	0.00	0	3	0.0	0.02	0.02 	113.179.24.23	localhost	NULL
75-0	25934	0/2/2	_ 	0.00	0	3	0.0	0.02	0.02 	113.179.24.23	localhost	NULL
76-0	25935	0/2/2	_ 	0.00	0	3	0.0	0.02	0.02 	113.179.24.23	localhost	NULL
77-0	25936	2/2/2	C 	0.00	0	3	11.6	0.01	0.01 	114.79.17.169	shared.domain	NULL
78-0	25937	0/1/1	_ 	0.00	0	2	0.0	0.00	0.00 	184.82.140.210	localhost	GET /server-status HTTP/1.1
79-0	25938	1/1/1	K 	0.00	0	4	5.7	0.01	0.01 	115.134.12.130	www.HIDDEN1.com	GET /templates/frontend/default/css/stylesheet.css HTTP/1.1
80-0	25939	2/2/2	K 	0.00	0	1	34.2	0.03	0.03 	85.56.9.58	www.HIDDEN4.com	GET /media_thumbs/6678.jpg HTTP/1.1
81-0	25940	0/0/0	W 	0.00	1	0	0.0	0.00	0.00 	220.255.2.35	www.HIDDEN6.com	POST /templates/frontend/moneymaker/js/related_videos.php HTTP/
82-0	25941	2/2/2	C 	0.00	0	3	9.2	0.01	0.01 	125.212.40.43	localhost	NULL
83-0	25942	2/2/2	C 	0.00	0	3	14.7	0.01	0.01 	101.109.156.101	shared.domain	NULL
84-0	25943	1/1/1	K 	0.00	0	2	14.7	0.01	0.01 	101.109.156.101	www.HIDDEN4.com	GET /media_thumbs/6491.jpg HTTP/1.1
85-0	25944	1/1/1	K 	0.00	0	21	13.4	0.01	0.01 	125.212.40.43	www.HIDDEN3.com	GET /media_thumbs/4013.jpg HTTP/1.1
86-0	25945	2/2/2	K 	0.00	0	3	4.2	0.00	0.00 	115.134.12.130	www.HIDDEN1.com	GET /js/tabber/jquery-tabber.css HTTP/1.1
87-0	25946	0/0/0	C 	0.00	0	0	0.0	0.00	0.00 			
88-0	25947	1/1/1	K 	0.00	0	2	11.1	0.01	0.01 	85.56.9.58	www.HIDDEN4.com	GET /media_thumbs/351.jpg HTTP/1.1
89-0	25948	0/1/1	_ 	0.06	0	123	0.0	0.00	0.00 	66.249.71.20	www.HIDDEN3.com	GET /view/851/blonde-manila-with-two-dildos.html HTTP/1.1
90-0	25949	0/1/1	_ 	0.07	0	76	0.0	0.00	0.00 	157.55.17.145	www.HIDDEN6.com	GET /videos?search_type=videos&search_query=Cam&o=tr&page=10 HT
91-0	25950	0/0/0	W 	0.00	0	0	0.0	0.00	0.00 	112.204.135.182	www.HIDDEN3.com	GET /view/5455/mature-filipina-barmaid-****s-young-foreigner.ht
92-0	25951	0/0/0	W 	0.00	0	0	0.0	0.00	0.00 	184.82.140.210	localhost	GET /server-status HTTP/1.1
93-0	25952	1/1/1	K 	0.00	0	2	13.4	0.01	0.01 	125.212.40.43	www.HIDDEN3.com	GET /media_thumbs/4013.jpg HTTP/1.1
94-0	25953	1/1/1	K 	0.00	0	2	10.2	0.01	0.01 	113.131.214.94	www.HIDDEN4.com	GET /media_thumbs/416.jpg HTTP/1.1
95-0	25954	1/1/1	K 	0.00	0	2	0.0	0.00	0.00 	125.212.40.43	www.HIDDEN3.com	GET /media_thumbs/10258.jpg HTTP/1.1
96-0	25955	1/1/1	K 	0.00	0	2	15.8	0.02	0.02 	125.212.40.43	www.HIDDEN3.com	GET /media_thumbs/9576.jpg HTTP/1.1
97-0	25956	1/1/1	K 	0.00	0	2	14.5	0.01	0.01 	101.109.156.101	www.HIDDEN4.com	GET /media_thumbs/4681.jpg HTTP/1.1
98-0	25957	1/1/1	K 	0.00	0	2	15.8	0.02	0.02 	125.212.40.43	www.HIDDEN3.com	GET /media_thumbs/9576.jpg HTTP/1.1
Srv	Child Server number - generation
PID	OS process ID
Acc	Number of accesses this connection / this child / this slot
M	Mode of operation
CPU	CPU usage, number of seconds
SS	Seconds since beginning of most recent request
Req	Milliseconds required to process most recent request
Conn	Kilobytes transferred this connection
Child	Megabytes transferred this child
Slot	Total megabytes transferred this slot
SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current sessions: 0
subcaches: 32, indexes per subcache: 133
index usage: 0%, cache usage: 0%
total sessions stored since starting: 0
total sessions expired since starting: 0
total (pre-expiry) sessions scrolled out of the cache: 0
total retrieves since starting: 0 hit, 0 miss
total removes since starting: 0 hit, 0 miss
 
Thus you've got a lot of

Code:
shared.domain NULL

For now, I know the only possible solution to get rid of them. It is to install nginx or any other lightweight web server in front of Apache (it might be oops, squid, lighttpd, varnish). There are even paid ready-made plugins on these forums (for nginx). Or you might want to filter them with iptables, if that's possible of course.
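
Added example, not part of the original posts: one way to quantify the `shared.domain NULL` rows is to count worker slots per client address from the ExtendedStatus table. It assumes the table has been saved as whitespace-separated text in the column order shown in the thread; the sample rows and addresses are constructed.

```shell
#!/bin/sh
# Added example: per-client summary of an Apache ExtendedStatus worker table.
# Columns (as on the status page):
#   Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request

# Constructed sample rows (documentation addresses, not taken from the thread).
sample_rows() {
cat <<'EOF'
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-0 25859 0/9/9 _ 0.40 0 1 0.0 0.02 0.02 192.0.2.10 shared.domain NULL
1-0 25860 2/8/8 C 0.00 1 1 0.0 0.05 0.05 192.0.2.10 shared.domain NULL
2-0 25861 2/4/4 C 0.00 0 512 17.1 0.03 0.03 192.0.2.10 shared.domain NULL
3-0 25862 10/13/13 K 0.02 0 2 26.6 0.04 0.04 198.51.100.7 www.example.com GET /media_thumbs/25.jpg HTTP/1.1
4-0 25863 0/2/2 R 0.00 1 3 0.0 0.02 0.02 ? ? ..reading..
5-0 25864 0/0/0 C 0.00 0 0 0.0 0.00 0.00
6-0 25865 2/2/2 C 0.00 1 3 15.1 0.01 0.01 203.0.113.5 localhost NULL
7-0 25866 1/1/1 K 0.00 0 2 13.4 0.01 0.01 198.51.100.7 www.example.com GET /media_thumbs/27.jpg HTTP/1.1
EOF
}

# Reads worker rows on stdin and prints, busiest client first:
#   <slots> <slots whose Request is NULL> <client> <mode>=<count>...
summarize_status() {
    awk '
    # Worker rows start with "<slot>-<generation>". Rows with no client column
    # (empty slot) or with client "?" (request not read yet) are skipped, as
    # are the header and legend lines.
    $1 !~ /^[0-9]+-[0-9]+$/ || NF < 12 || $11 == "?" { next }
    {
        slots[$11]++
        if ($13 == "NULL") nullreq[$11]++
        modes[$11, $4]++
    }
    END {
        # Scoreboard keys in the order of the status page legend.
        n = split("_ S R W K D C L G I", key, " ")
        for (c in slots) {
            printf "%d %d %s", slots[c], nullreq[c] + 0, c
            for (i = 1; i <= n; i++)
                if ((c, key[i]) in modes)
                    printf " %s=%d", key[i], modes[c, key[i]]
            printf "\n"
        }
    }' | LC_ALL=C sort -k1,1nr -k3,3
}

sample_rows | summarize_status
```

A client that holds many slots, all with a NULL request, stands out at the top of the output; a normal visitor shows a few `K` slots with real request lines.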
 
Could that be a suspicious result of DDOS attack?


I used nginx before with cPanel and it's awesome; I'm really new to DA.
Now I'm using xcache+memcached with DA. I don't know if nginx will conflict with them, will it? But I really wanted to use nginx again.

I heard of Danginx.
 
Hello,

I believe the localhost NULL connections are simply Chrome (or some other new-ish browser) doing normal pre-connections to the server.
Newer browsers make extra connections to the server, in anticipation of making more connections when a client browses the website.
Since the connection itself has some time overhead, the browsers will assume more clicks will be done, so after a page loads, it connects again and idles, on the assumption that another request will be made by the client.
During that idle time, no info has been passed to apache, so everything defaults to NULL (no request yet) and "localhost".. meaning no "Host" header has been passed, thus it defaults to the first VH in the list (stored in /etc/httpd/conf/extra/httpd-vhosts.conf: AKA "ServerName: localhost")
Once the client clicks a link, the existing connection is used to send the request (at which time localhost/NULL will show up as the actual values).
If no click is done, the request will eventually time-out, or the browser will close the connection.

John
 