[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-security] urgent question
- Subject: RE: [cobalt-security] urgent question
- From: "Peter Baldwin" <peterj@xxxxxxxxxxxxxx>
- Date: Tue, 18 Sep 2001 21:19:34 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> usage. I ran "top" and there it was 4-5 httpd ps (/usr/sbin/httpd -f
> /etc/httpd/conf/httpd.confthat) where using all cpu, and some of them had
> been running for 3-4h.
Sounds like something went loopy - this could be a bad CGI script or a
database problem. If you are developing Tomcat/JSP, this can occur on a
regular basis.
> Looking around in files and folders i found in /var/log/httpd/ a
> LARGE error
> file:
>
> -rw-r--r-- 1 root root 2147 483 647 Sep 18 21:06 error (almost
> 2000 mb?)
Woah! Not even that new worm could create such a large file so quickly. Is
it being rotated? Do a "tail -n 500 error" to see the last 500 lines. Do a
"head error" to see when the file was created (RaQs don't have the handy
"stat" command). Is it being log-rotated properly? Is someone trying some
kind of denial of service attack? You are going to see a *lot* hit attempts
from the new worm in this file, but again... I don't think it's the primary
cause.
Pete.
__________________________________________________
Vito - Cobalt Server Appliance Monitor and Manager
http://vito.pointclark.net