Re: Apache webserver outage - need help with forensics

From: Nigel Wade (nmw_at_ion.le.ac.uk)
Date: 04/14/05

    Date: Thu, 14 Apr 2005 10:27:58 +0100
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    Bob Brennan wrote:
    > I have a server which went completely unresponsive today on port 80
    > for 20 minutes and would appreciate any pointers as to what might have
    > happened.
    >
    > A bit of background:
    > * FC3, Up2Date
    > * The Apache webserver serves a dozen virtual websites
    > * Sendmail + Dovecot + Squirrelmail for all sites
    > * SpamAssassin recently activated (yesterday)
    >
    > The problem + observations:
    > * All websites were inaccessible from 14:00 gmt to 14:20 today
    > * The mailserver was running and responsive during that time
    > * FTP was running and responsive during that time
    > * telnet theServer.com 80 timed out with no connection during that time
    >
    > What I checked:
    > * all access_log and error_log for all sites - showed 5 users using
    > the sites at the time but nothing unusual
    > * no evidence of a DOS attack (that I could see)
    > * no records of anything unusual in system logs
    > * no accesses or errors in any of the http logs during that time
    >
    > Thankfully the webserver came back as if by magic after 20 minutes and
    > was immediately responsive.
    >
    > Any insights into anything else I can check? Needless to say an
    > embarrassing incident for a webmaster who would like to prevent it
    > happening again.
    >
    > Thanks in advance,
    > bob
    >

    Maybe either a deliberate or unintentional DoS attack.

    How many clients is your server configured to handle simultaneously? Maybe
    there was a problem, or some deliberate attack, which meant the established
    clients' communications stuck and no new client connections could be accepted.

    Did you have netstat output to show what connections were established to
    port 80 at the time?

    -- 
    Nigel Wade, System Administrator, Space Plasma Physics Group,
                 University of Leicester, Leicester, LE1 7RH, UK
    E-mail :    nmw@ion.le.ac.uk
    Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
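
One way to collect the evidence asked about in the reply above, as an added example that is not part of the original thread: it parses `netstat -tan` output, tallies connections to local port 80 by TCP state and by remote address, and compares the established count with the server's simultaneous-client limit. The sample lines are constructed, and the limit of 150 is an assumed value; substitute the `MaxClients` setting from your own httpd.conf.

```python
import collections

# Constructed sample of `netstat -tan` output (documentation addresses only).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:33211       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       TIME_WAIT
tcp        0      0 192.0.2.10:25           203.0.113.77:45000      ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.5:51003       ESTABLISHED
"""


def summarize(netstat_text, port=80, max_clients=150):
    """Tally TCP connections to the local `port` by state and by remote host."""
    states = collections.Counter()
    remotes = collections.Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows: proto, recv-q, send-q, local, foreign, state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        # rpartition also copes with IPv6-style "::ffff:192.0.2.10:80"
        if local.rpartition(":")[2] != str(port) or state == "LISTEN":
            continue
        states[state] += 1
        if state == "ESTABLISHED":
            remotes[foreign.rpartition(":")[0]] += 1
    established = states["ESTABLISHED"]
    return {
        "states": dict(states),
        "top_remotes": remotes.most_common(5),
        "established": established,
        # at or above the limit, new connections have to wait or time out
        "saturated": established >= max_clients,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE, max_clients=150)
    for key, value in report.items():
        print(key, value)
```

Because netstat shows only the current state, the output has to be captured periodically (or during the outage itself) for this to say anything about a past incident.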