Apache under attack and eating resources?

Philip Paeps philip+freebsd at paeps.cx
Mon Sep 29 00:05:44 PDT 2003


On 2003-09-29 08:35:20 (+0200), Devon H. O'Dell <dodell at sitetronics.com> wrote:
> > I forgot to mention I was running mod_php4 from the ports.  I don't think
> > any scripts changed in the last few weeks, but I'll have a look into it.
> > Any idea what kind of script bugs could cause PHP to tear things down like
> > this, other than the classic loop from hell?
>
> PHP does a pretty good job of protecting against this.

That's what I thought too, and I've never had this sort of issue before even
on development systems where wasteful and dangerous coding is a rule rather
than an exception.

> Installing mod_php4 from ports will also turn on the --enable-memory-limit
> switch, which causes PHP to terminate if more than x MB RAM are taken (this
> shouldn't segfault Apache). 

In case I was misinterpreted: it's only a child or a number of children which
segfault, not the parent process.  Grepping the massive logfile some more
shows that it's not always a segfault either.  Last night, one child also died
with an 'abort trap' and two days ago there was a 'bus error'.  Curiouser and
curiouser...

> The "classic loop from hell" should also be undoable, since PHP has a 60
> second execution time limit. 

I set it slightly higher for some scripts (none of which run at the times
Apache goes nuts).  I've stress-tested those like a madman though, and they
just won't damage anything.

> You might want to run your httpd process in gdb to see what's going on when
> stuff segfaults. If this is indeed a problem with PHP, I'm sure the
> developers would like to hear about it ASAP!

I'll look into that, thanks.  Problem is that it's a production server and
debugging symbols and debuggers might be a bit of a hard sell.  I'll see what
I can do though.

First there's finding out if it's really PHP causing problems and not
something like the phase of the moon or the relative proximities of Mars and
Venus to the Earth...

Thanks!

 - Philip

-- 
Philip Paeps                                          Please don't CC me, I am
                                                       subscribed to the list.

  History repeats itself.
  that's one of the things wrong with history.

