Over the weekend we had several servers that all experienced the same symptoms (details below). I've gone through the CVE, bugtraq, etc. archives and haven't found anything that matches either our versions or the symptoms.

Symptoms:

- Server exhibits a small jump in number of processes in queue and utilization levels (possible probing attack?). At this point the server still appears to be functioning correctly.
- A couple hours later the server utilization goes to ~100% with thousands of processes in the run queue and over the next ~1 hour runs out of memory and stops answering any type of request (HTTP, SSH, SMTP, console, etc.).
- At some point during this progression the contents of the HTTPD root folder, /var/log (on some), and /var/lib/mysql (on some) are copied to /root/2/. On at least some of the servers the system clock also got seriously skewed.
- Restarting the server clears the symptoms up and no additional processes start and/or are listening on the network (I'm still in the process of verifying that executables weren't replaced).

System details:

- OpenSuSE 10.2
- Kernel 2.6.18.2-34-default
- Apache 2.2.3-20
- Apache prefork 2.2.3-20
- Mod_PHP5 5.2.0-10 (some)
- Mod_PHP5 5.1.4-5 (some)

Is this an issue anyone has seen before?

Thanks,
Chris

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.