Apache crashes often, attack, patch?

conrado

Registered User
Hello forum,

my Apache crashes almost every day to every third day.
It runs on a V-Power server from Strato.

The following is in the error.log:

Code:
which: no htpasswd in (//sbin://bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin)
which: no htpasswd in (//sbin://bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin)
which: no htpasswd in (//sbin://bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin)
which: no htpasswd in (//sbin://bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin)
[Fri May 11 20:07:43 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:07:53 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:08:03 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:08:13 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:08:23 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
which: no htpasswd in (//sbin://bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin)
[Fri May 11 20:08:33 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:08:43 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:08:53 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:09:03 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:09:13 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:09:23 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:09:33 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:09:43 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:09:53 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:10:03 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:10:13 2007] [emerg] (12)Cannot allocate memory: couldn't grab the accept mutex
[Fri May 11 20:10:13 2007] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Fri May 11 20:10:23 2007] [alert] Child 32732 returned a Fatal error...\nApache is exiting!
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:23 2007] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Fri May 11 20:10:39 2007] [emerg] (22)Invalid argument: couldn't release the accept mutex
[Fri May 11 23:24:51 2007] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri May 11 23:24:51 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Fri May 11 23:24:51 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Fri May 11 23:24:51 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Fri May 11 23:24:51 2007] [warn] module perl_module is already loaded, skipping
[Fri May 11 23:24:51 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Fri May 11 23:24:51 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
PHP Warning:  Unknown(): Unable to load dynamic library '/usr/lib/php/extensions/pgsql.so' - libpq.so.3: cannot open shared object file: No such file or directory in Unknown on line 0
[Fri May 11 23:24:52 2007] [notice] mod_python: Creating 32 session mutexes based on 150 max processes and 0 max threads.
[Fri May 11 23:24:52 2007] [warn] pid file /var/run/httpd2.pid overwritten -- Unclean shutdown of previous Apache run?
[Fri May 11 23:24:52 2007] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
which: no htpasswd in (//sbin://bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin)
which: no htpasswd in (//sbin://bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin)
which: no htpasswd in (//sbin://bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin)
which: no htpasswd in (//sbin://bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin)
which: no htpasswd in

plus, of course, a few hundred more entries, which I have left out for the sake of clarity.

What kind of DoS attack is this, and how can I stop it? Is it perhaps not an attack at all?

I would be grateful for any help.


Regards
Conrad
 
Hello,

Code:
Cannot allocate memory

That already says it all.
It means roughly "memory full".

You could post the output of the following commands here; something could then be derived from it.

Code:
ps aux
Code:
cat /proc/user_beancounters
 
Yes, the full RAM is the symptom. But I'm more concerned with, e.g., the htpasswd entries. I'm trying to track down the cause, after all. I can't just put in more RAM ;)

Code:
root         1  0.0  0.0    604   236 ?        Ss   Apr21   0:03 init [3]
root     28208  0.0  0.0   1456   576 ?        Ss   Apr21   1:10 /sbin/syslogd -
root     28214  0.0  0.0   3984   560 ?        Ss   Apr21   0:00 /usr/sbin/sasla
root     28215  0.0  0.0   3984   244 ?        S    Apr21   0:00 /usr/sbin/sasla
root     28220  0.0  0.1   9112  2352 ?        Ss   Apr21   0:01 /usr/bin/perl /
root     28240  0.0  0.0  22876   744 ?        Ss   Apr21   0:01 /usr/sbin/clamd
root     28255  0.0  0.0   4524   972 ?        Ss   Apr21   0:24 /usr/sbin/sshd
root     28261  0.0  0.0   2080   864 ?        Ss   Apr21   1:16 /usr/sbin/xinet
named    28310  0.0  0.1  36608  2992 ?        Ssl  Apr21   2:24 /usr/sbin/named
root     28325  0.0  0.0   2376   924 ?        S    Apr21   0:00 /bin/sh /usr/bi
mysql    28359  0.1  1.5 119320 24260 ?        Sl   Apr21  47:10 /usr/sbin/mysql
qmails   28364  0.0  0.0   1436   452 ?        S    Apr21   2:25 qmail-send
qmaill   28370  0.0  0.0   1388   444 ?        S    Apr21   0:26 splogger qmail
root     28371  0.0  0.0   1420   356 ?        S    Apr21   0:06 qmail-lspawn ./
qmailr   28372  0.0  0.1   3924  2492 ?        S    Apr21   0:11 qmail-rspawn
qmailq   28373  0.0  0.0   1380   300 ?        S    Apr21   0:05 qmail-clean
root     28466  0.0  0.2  47784  3712 ?        Ss   Apr21   0:01 /usr/local/psa/
root     29973  0.0  1.3  27276 21060 ?        Ss   Apr21   1:10 /usr/sbin/spamd
root     11800  0.0  0.0   1668   628 ?        Ss   Apr24   0:00 /usr/sbin/cron
root     27934  0.0  0.1   9112  1804 ?        S    May06   0:00 /usr/bin/perl /
psaadm   26132  0.0  0.6  49624 10200 ?        S    May10   0:00 /usr/local/psa/
psaadm   26192  0.0  0.7  50992 11276 ?        S    May10   0:00 /usr/local/psa/
psaadm   26366  0.0  0.1  47940  2704 ?        S    May10   0:00 /usr/local/psa/
root     30354  0.0  1.7  30840 26892 ?        S    May11   0:14 spamd child
root      9373  0.0  0.8  29648 13320 ?        Ss   May11   0:00 /usr/sbin/httpd
root      9381  0.0  0.3  28748  5744 ?        S    May11   0:00 /usr/sbin/httpd
wwwrun    9382  0.0  0.8  32044 13064 ?        S    May11   0:14 /usr/sbin/httpd
wwwrun    9384  0.0  0.8  32364 13344 ?        S    May11   0:11 /usr/sbin/httpd
wwwrun    9385  0.0  0.9  33428 14420 ?        S    May11   0:22 /usr/sbin/httpd
wwwrun    9386  0.0  0.8  32680 13636 ?        S    May11   0:18 /usr/sbin/httpd
wwwrun    9391  0.0  0.8  32900 13956 ?        S    May11   0:19 /usr/sbin/httpd
wwwrun    9396  0.0  0.8  32768 13792 ?        S    May11   0:15 /usr/sbin/httpd
wwwrun    9397  0.0  0.9  33240 14256 ?        S    May11   0:19 /usr/sbin/httpd
wwwrun   10133  0.0  0.8  32348 13356 ?        S    May11   0:23 /usr/sbin/httpd
wwwrun   10176  0.0  0.8  32780 13776 ?        S    05:41   0:15 /usr/sbin/httpd
root     14210  0.5  1.9  34176 30388 ?        S    07:05   1:48 spamd child
wwwrun   30490  0.1  0.8  32676 13604 ?        S    10:30   0:13 /usr/sbin/httpd
root     32213  0.3  0.1   7592  2464 ?        Rs   12:55   0:00 sshd: root@pts/
root     32220  2.5  0.1   2836  1768 pts/0    Rs   12:55   0:00 -bash
popuser  32234  0.5  0.0   2604   748 ?        Ss   12:55   0:00 /usr/bin/pop3d
root     32248  0.0  0.0   2380   856 pts/0    R+   12:55   0:00 ps aux

Code:
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
    788265: kmemsize        4233890    4292896    8512433    9823665   34819876
            lockedpages           0          0       3800       4096          0
            privvmpages       97573      97896     138256     202568       7313
            shmpages           8864       8864     131072     131072          0
            dummy                 0          0          0          0          0
            numproc              53         55        232        232          0
            physpages         38417      38544          0 2147483647          0
            vmguarpages           0          0      66400 2147483647          0
            oomguarpages      50380      50507      66400 2147483647          0
            numtcpsock           24         25        500        500          0
            numflock              7          8        200        232          0
            numpty                1          1         64         64          0
            numsiginfo            0          1        512        512          0
            tcpsndbuf        230872     246524    4683256    6102456          0
            tcprcvbuf        465164     465164    4683256    6102456          0
            othersockbuf      36680      54156    1503232    4063232          0
            dgramrcvbuf           0       2236     240000     262144          0
            numothersock         28         32        382        382          0
            dcachesize            0          0    2194304    2317184          0
            numfile            2301       2372       5432       5432          0
            dummy                 0          0          0          0          0
            dummy                 0          0          0          0          0
            dummy                 0          0          0          0          0
            numiptent            56         56        128        128          0


That is during normal operation now; when such an attack comes again, it will surely look different.
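
Added example, not part of the original thread or any poster's code: a Python parser for the `/proc/user_beancounters` format shown above that lists every resource whose `failcnt` is non-zero (the container was refused that resource at least once since it started) or whose peak usage came close to the barrier. The function names, the 90% threshold and the embedded sample (a subset of the posted rows) are assumptions of this example.

```python
"""Flag container resource limits that were hit, from /proc/user_beancounters."""
import sys

# Constructed sample: a subset of the rows posted in the thread above.
SAMPLE = """\
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
    788265: kmemsize        4233890    4292896    8512433    9823665   34819876
            lockedpages           0          0       3800       4096          0
            privvmpages       97573      97896     138256     202568       7313
            dummy                 0          0          0          0          0
            numproc              53         55        232        232          0
            numfile            2301       2372       5432       5432          0
"""

def parse_beancounters(text):
    """Return one dict per resource row; placeholder 'dummy' rows are skipped."""
    rows, uid = [], None
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].endswith(":") and fields[0][:-1].isdigit():
            uid = int(fields[0][:-1])   # first row of a container carries "uid:"
            fields = fields[1:]
        if len(fields) != 6 or not all(f.isdigit() for f in fields[1:]):
            continue                    # "Version:" line, column header, blank lines
        if fields[0] == "dummy":
            continue
        held, maxheld, barrier, limit, failcnt = map(int, fields[1:])
        rows.append({"uid": uid, "resource": fields[0], "held": held,
                     "maxheld": maxheld, "barrier": barrier,
                     "limit": limit, "failcnt": failcnt})
    return rows

def findings(rows, near=0.9):
    """Rows with a non-zero failcnt, or whose peak came within `near` of the barrier."""
    out = []
    for r in rows:
        if r["failcnt"] > 0:
            out.append((r["resource"], "limit hit", r["failcnt"]))
        elif r["barrier"] > 0 and r["maxheld"] >= near * r["barrier"]:
            out.append((r["resource"], "near barrier", r["maxheld"]))
    return out

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for resource, status, value in findings(parse_beancounters(text)):
        print(f"{resource:14} {status:13} {value}")
```

On the posted table this reports `kmemsize` and `privvmpages`, the two rows with a non-zero `failcnt`. Pass the path to a saved copy of the file as the first argument to check a live container.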
 
Hello,

when posting a log file (or an excerpt like this), one should make sure that it only contains what is relevant to the question.

But now to the next problem.

The which command is used to locate programs.
It really puzzles me that the call to which is logged in your Apache error.log.

That gives me the impression that you have a script on your server that does not belong there.
BUT I am not 100% sure right now!

As for the memory: you have a very serious problem.
However, nothing that causes the problem can be seen in the "ps aux" excerpt.

Do you sometimes also run services (game server, Teamspeak, etc.) on the server that are not running right now?


Edit:
Check the access.log to see whether your websites were accessed at the same time.
If so, post the entries.
Maybe something can be recognized there.
 
Apart from the usual things, a game server runs very rarely (maybe 5 hours a month). But never at the times of the crashes. These "which" calls in the error.log run to a few hundred lines. I have not found a script in any web account that could trigger this.

Edit:
Yes, there were accesses to various pages at that time, but not to any extreme extent, and no scripts were executed.
 