Advice for finding a leaky Apache (probably PHP) process

[Joe Auty]

Adam Vande More wrote:
> On Sat, Apr 24, 2010 at 8:02 PM, Joe Auty <joe at netmusician.org
> <mailto:joe at netmusician.org>> wrote:
>
>     Hello,
>
>     I'm wondering if you guys have any general tips on how to find the
>     Apache process/app that is gobbling up my RAM randomly until my
>     machine
>     crashes and I'm forced to reboot? I'm tired of staring at top and
>     working with flimsy hacks such as 10 minute Apache restart cronjobs.
>
>     This seems to start (or worsen) after updating to PHP 5.3, but this is
>     not happening on my test machine where PHP 5.3 is also installed
>     and the
>     same apps are used (although not publicly).
>
>     General tips and suggestions are welcome here!
>
>     THanks in advance...
>
>
> Have you tried working with php's mem limit abilities?  The base
> system provides procstat for tracking invidual process info.  You
> could try something like appending ps aux > file every minute or so to
> track growth etc.  Can you provide more info about the php app?
>
> -- 
> Adam Vande More

Well, I'm fishing. It is also possible that I'm seeing a denial of
service attack or something, but the result is my Apache processes
ballooning and CPU usage for some of my httpd processes going up to
around 100%. There are several PHP apps running on the server, so it is
very hard to pinpoint things to one app, which is part of the problem.

I can actually see the memory growth, I can sit and watch top and see my
memory consumption balloon until the machine swaps and then just grinds
to a halt. Sometimes it gets so bad that I'm forced to killall -9 httpd
just to bring the machine back to life.

What are some good techniques for trying to ascertain whether a
particular web app is being exploited for some sort of attack? Since I
had to recompile PHP and all of my PHP extensions is there a possibility
that a particular extension is causing memory consumption to balloon? A
long time ago I had an attack on a very old version of WordPress. I
found this via my Apache server-status page, but it was sort of a pure
fluke that I did find this. Surely there has to be better ways to
connect httpd processes to pages that are being served?

I wish that the machine was a little more responsive when I get to this
point so that I can ktrace the processes...

Thanks for your help!



-- 
Joe Auty, NetMusician
NetMusician helps musicians, bands and artists create beautiful,
professional, custom designed, career-essential websites that are easy
to maintain and to integrate with popular social networks.
www.netmusician.org <http://www.netmusician.org>
joe at netmusician.org <mailto:joe at netmusician.org>