Dan, apache just crashed around 12:32am. I ran the diagnostics again this time and here is what was reported.
[root@server ~]# ps aux |grep httpd
apache 1090 0.0 0.0 389160 7852 ? S Jun23 0:30 /usr/sbin/httpd -DSSL
root 2628 0.0 0.0 84000 2836 ? Ss Jun22 0:00 /home/interworx /bin/iworx-web -f /home/interworx/etc/httpd/httpd.conf -DSSL
apache 3172 0.0 0.0 389160 7808 ? S Jun23 0:30 /usr/sbin/httpd -DSSL
apache 4846 0.0 0.0 389136 7848 ? S Jun23 0:30 /usr/sbin/httpd -DSSL
root 31222 0.0 0.0 61216 776 pts/0 S+ 01:41 0:00 grep httpd
251 32590 0.0 0.0 84224 2892 ? S Jun23 0:00 /home/interworx /bin/iworx-web -f /home/interworx/etc/httpd/httpd.conf -DSSL
251 32621 0.0 0.0 84224 2892 ? S Jun23 0:00 /home/interworx /bin/iworx-web -f /home/interworx/etc/httpd/httpd.conf -DSSL
[root@server ~]#
[root@server ~]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2306 0.0.0.0:* LISTEN 2626/iworx-db
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2851/mysqld
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 2763/clamd
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 2878/spamd -d -q -x
tcp 0 0 172.16.53.66:53 0.0.0.0:* LISTEN 3138/tcpserver
tcp 0 0 173.231.136.106:53 0.0.0.0:* LISTEN 3141/tcpserver
tcp 0 0 :::2080 :::* LISTEN 2628/iworx-web
tcp 0 0 :::993 :::* LISTEN 3149/tcpserver
tcp 0 0 :::995 :::* LISTEN 3143/tcpserver
tcp 0 0 :::2443 :::* LISTEN 2628/iworx-web
tcp 0 0 :::110 :::* LISTEN 3144/tcpserver
tcp 0 0 :::143 :::* LISTEN 3151/tcpserver
tcp 0 0 :::80 :::* LISTEN 1090/httpd
tcp 0 0 ::ffff:127.0.0.1:53 :::* LISTEN 3133/dnscache
tcp 0 0 :::21 :::* LISTEN 2935/proftpd: (acce
tcp 0 0 :::22 :::* LISTEN 2740/sshd
tcp 0 0 :::25 :::* LISTEN 3153/tcpserver
tcp 0 0 :::443 :::* LISTEN 1090/httpd
udp 0 0 172.16.53.66:123 0.0.0.0:* 2754/ntpd
udp 0 0 173.231.136.106:123 0.0.0.0:* 2754/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2754/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2754/ntpd
udp 0 0 ::ffff:127.0.0.1:53 :::* 3133/dnscache
udp 0 0 ::ffff:172.16.53.66:53 :::* 3134/tinydns
udp 0 0 ::ffff:173.231.136.106:53 :::* 3137/tinydns
udp 0 0 fe80::225:90ff:fe35:123 :::* 2754/ntpd
udp 0 0 fe80::225:90ff:fe35:123 :::* 2754/ntpd
udp 0 0 ::1:123 :::* 2754/ntpd
udp 0 0 :::123 :::* 2754/ntpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 6123 2851/mysqld /var/lib/mysql/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 5339 2580/dbus-daemon /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 4966 2336/iscsid @ISCSIADM_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 6504 2993/hald @/var/run/hald/dbus-cejszPoYHl
unix 2 [ ACC ] STREAM LISTENING 5774 2688/acpid /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 9006 3216/gam_server @/tmp/fam-root-
unix 2 [ ACC ] STREAM LISTENING 5521 2626/iworx-db /home/interworx/var/run/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 4948 2329/brcm_iscsiuio @ISCSID_UIP_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 6503 2993/hald @/var/run/hald/dbus-UWzM77wHQn
unix 2 [ ACC ] STREAM LISTENING 6269 2891/gpm /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 6440 2963/xfs /tmp/.font-unix/fs7100
[root@server ~]#
I was able to go into https://exampledomain.com:2443/siteworx/ after the crash. Does interworx run separate from apache? I guess that would explain why these (in bold) processes are still running after apache crashes if so:
[root@server ~]# ps aux |grep httpd
apache 1090 0.0 0.0 389160 7852 ? S Jun23 0:30 /usr/sbin/httpd -DSSL
root 2628 0.0 0.0 84000 2836 ? Ss Jun22 0:00 /home/interworx /bin/iworx-web -f /home/interworx/etc/httpd/httpd.conf -DSSL
apache 3172 0.0 0.0 389160 7808 ? S Jun23 0:30 /usr/sbin/httpd -DSSL
apache 4846 0.0 0.0 389136 7848 ? S Jun23 0:30 /usr/sbin/httpd -DSSL
root 31222 0.0 0.0 61216 776 pts/0 S+ 01:41 0:00 grep httpd
251 32590 0.0 0.0 84224 2892 ? S Jun23 0:00 /home/interworx /bin/iworx-web -f /home/interworx/etc/httpd/httpd.conf -DSSL
251 32621 0.0 0.0 84224 2892 ? S Jun23 0:00 /home/interworx /bin/iworx-web -f /home/interworx/etc/httpd/httpd.conf -DSSL
[root@server ~]#
So how do I look more into the apache “1090”, “3172”, and “4846” processes? Is there a command to give me more information about them? According to netstat, it seems the 1090 process is the one sitting on port 80, right?
On to the logs, I’ll copy the results of tail here. Please let me know if you see anything fishy:
[root@server linux_workspace]# tail access_log
127.0.0.1 - - [24/Jun/2011:00:46:03 -0400] "GET /watch-flush HTTP/1.0" 200 3
127.0.0.1 - - [24/Jun/2011:00:51:04 -0400] "GET /watch-flush HTTP/1.0" 200 3
127.0.0.1 - - [24/Jun/2011:00:56:03 -0400] "GET /watch-flush HTTP/1.0" 200 3
127.0.0.1 - - [24/Jun/2011:01:01:02 -0400] "GET /watch-flush HTTP/1.0" 200 3
127.0.0.1 - - [24/Jun/2011:01:06:03 -0400] "GET /watch-flush HTTP/1.0" 200 3
127.0.0.1 - - [24/Jun/2011:01:11:02 -0400] "GET /watch-flush HTTP/1.0" 200 3
127.0.0.1 - - [24/Jun/2011:01:16:03 -0400] "GET /watch-flush HTTP/1.0" 200 3
127.0.0.1 - - [24/Jun/2011:01:21:03 -0400] "GET /watch-flush HTTP/1.0" 200 3
127.0.0.1 - - [24/Jun/2011:01:26:03 -0400] "GET /watch-flush HTTP/1.0" 200 3
127.0.0.1 - - [24/Jun/2011:01:31:03 -0400] "GET /watch-flush HTTP/1.0" 200 3
[root@server linux_workspace]# tail error_log
[Wed Jun 22 22:29:57 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 22 22:29:57 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jun 22 22:29:57 2011] [warn] RSA server certificate CommonName (CN) `server.mydomain.com' does NOT match server name!?
[Wed Jun 22 22:29:58 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jun 22 22:29:58 2011] [warn] RSA server certificate CommonName (CN) `server.mydomain.com' does NOT match server name!?
[Wed Jun 22 22:29:58 2011] [notice] Apache/2.2.17 (Unix) DAV/2 PHP/5.3.3 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_watch/4.3 configured -- resuming normal operations
[Thu Jun 23 22:52:43 2011] [error] [client 81.218.234.8] File does not exist: /var/www/htdocs/admin
[Fri Jun 24 01:34:57 2011] [warn] child process 1090 still did not exit, sending a SIGTERM
[Fri Jun 24 01:34:57 2011] [warn] child process 4846 still did not exit, sending a SIGTERM
[Fri Jun 24 01:34:57 2011] [warn] child process 3172 still did not exit, sending a SIGTERM
[root@server linux_workspace]# tail messages
Jun 24 00:47:01 server clamd[2763]: SelfCheck: Database status OK.
Jun 24 00:57:01 server clamd[2763]: SelfCheck: Database status OK.
Jun 24 01:02:46 server proftpd[30733]: 127.0.1.1 (::ffff:88.74.204.155[::ffff:88.74.204.155]) - FTP session opened.
Jun 24 01:02:46 server proftpd[30733]: 127.0.1.1 (::ffff:88.74.204.155[::ffff:88.74.204.155]) - FTP session closed.
Jun 24 01:07:01 server clamd[2763]: SelfCheck: Database status OK.
Jun 24 01:17:01 server clamd[2763]: SelfCheck: Database status OK.
Jun 24 01:27:01 server clamd[2763]: SelfCheck: Database status OK.
Jun 24 01:37:01 server clamd[2763]: SelfCheck: Database status OK.
Jun 24 01:41:39 server clamd[2763]: Reading databases from /var/lib/clamav
Jun 24 01:41:42 server clamd[2763]: Database correctly reloaded (975772 signatures)
This seems interesting, my clamd is recently out of date. Do you think the crash is being caused by clamd trying to update itself or something now that it is out of date???
Thanks for your help Dan (& Robert too if you’re still there!).
Thanks,
William
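
The cross-check the post does by eye (which PIDs Apache sent SIGTERM to, whether they are still alive, and what they are listening on) can be scripted. This is an added example, not part of William's post; the function names are hypothetical and the sample input is constructed by trimming lines from the output quoted above.

```bash
#!/usr/bin/env bash
# Constructed sample input: lines trimmed from the output quoted in the post above.
ERROR_LOG='[Fri Jun 24 01:34:57 2011] [warn] child process 1090 still did not exit, sending a SIGTERM
[Fri Jun 24 01:34:57 2011] [warn] child process 4846 still did not exit, sending a SIGTERM
[Fri Jun 24 01:34:57 2011] [warn] child process 3172 still did not exit, sending a SIGTERM'
PS_OUT='apache 1090 0.0 0.0 389160 7852 ? S Jun23 0:30 /usr/sbin/httpd -DSSL
apache 3172 0.0 0.0 389160 7808 ? S Jun23 0:30 /usr/sbin/httpd -DSSL
apache 4846 0.0 0.0 389136 7848 ? S Jun23 0:30 /usr/sbin/httpd -DSSL
root 31222 0.0 0.0 61216 776 pts/0 S+ 01:41 0:00 grep httpd'
NETSTAT_OUT='tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2851/mysqld
tcp 0 0 :::2080 :::* LISTEN 2628/iworx-web
tcp 0 0 :::2443 :::* LISTEN 2628/iworx-web
tcp 0 0 :::80 :::* LISTEN 1090/httpd
tcp 0 0 :::443 :::* LISTEN 1090/httpd'

# PIDs named in "still did not exit" warnings in error_log text ($1), one per line.
sigterm_pids() {
  printf '%s\n' "$1" | awk '/child process [0-9]+ still did not exit/ {
    for (i = 1; i <= NF; i++) if ($i == "process") print $(i + 1)
  }' | sort -n | uniq
}

# Of those PIDs, the ones still present as /usr/sbin/httpd in `ps aux` text ($2).
surviving_httpd() {
  wanted=$(sigterm_pids "$1" | paste -s -d ' ' -)
  printf '%s\n' "$2" | awk -v pids="$wanted" '
    BEGIN { n = split(pids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    ($2 in want) && $11 == "/usr/sbin/httpd" { print $2 }' | sort -n | paste -s -d ' ' -
}

# TCP ports that `netstat -lnp` text ($2) attributes to PID $1.
listen_ports() {
  printf '%s\n' "$2" | awk -v pid="$1" '
    $1 == "tcp" && $6 == "LISTEN" {
      split($7, prog, "/")                      # "1090/httpd" -> PID, name
      if (prog[1] == pid) { n = split($4, addr, ":"); print addr[n] }
    }' | sort -n | paste -s -d ' ' -
}

echo "SIGTERMed but still running: $(surviving_httpd "$ERROR_LOG" "$PS_OUT")"
for p in $(surviving_httpd "$ERROR_LOG" "$PS_OUT"); do
  echo "PID $p listening on: $(listen_ports "$p" "$NETSTAT_OUT")"
done
```

`netstat -lnp` prints only one PID per listening socket, so a process with no ports listed here may still share an inherited socket with the PID that is shown.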