Apache dies and does not restart

Sometimes Apache dies, and when I try to restart it I receive this error:

(98)Address already in use: make_sock: could not bind to address [::]:443
no listening sockets available, shutting down
Unable to open logs

Only rebooting brings Apache back.

Any idea how to fix this, or why Apache can't start?

The only way I know to fix this is to kill Apache:

service httpd killall

Then remove the httpd lock file:

rm /var/lock/subsys/httpd (CentOS)

or

rm /var/lock/httpd (RedHat 9)

(Not sure which Fedora has.)

Then start Apache:

service httpd start

This “should” fix your problem.

Your solution does not work:

1 service httpd killall

That does not exist; I think you meant to say

killall -9 httpd

2 rm /var/lock/subsys/httpd

The httpd file does not exist in my case; this is not a lock problem.

My trouble continues ;(

I would bet that the box is suffering from a hack. Do a:

netstat -lnp

And see what is running on port 443. I would bet that it’s not apache. You need to kill the process using 443 and then investigate how they got in and close the hole. The hole is usually an outdated web app (phpbb, phpnuke etc).

Chris

This usually happens when a worm, usually a PHP-based one, gets in via an old version of phpBB, or PostNuke, or some script like that.

First I’d run this command to see what process is hanging onto port 443 and preventing the restart from working:

netstat -lnp | grep 443

The PID of the process will be listed there, and you can kill it directly:

kill -9 <pid here>

You may have to repeat this a couple times if there are multiple processes.

Once you get apache back up, you need to figure out where the worm/hacker is getting in. This can be difficult, but the places to look for evidence of the worm or hacker are

/tmp/
/var/tmp/
/dev/shm/ (look for strange files or directories in these directories)
/var/log/httpd/error_log (sometimes you’ll see output of “wget” in here)

and finally the transfer logs for the sites, which are in /home//var//logs/transfer.log files

Paul

OK, investigating now; I'll be back with more news soon.

tcp 0 0 :::2443 :::* LISTEN 2288/iworx-web
tcp 0 0 :::443 :::* LISTEN 20369/bind

Any idea what that bind is?

I killed that bind process and then saw this:

tcp 0 0 :::2443 :::* LISTEN 2288/iworx-web
tcp 0 0 :::443 :::* LISTEN 21077/eggdrop

??? Some help please !

Well, finally fixed; the intrusion is killed! :)

Other processes running on port 443 cause httpd to fail

Has anyone figured this one out?

Occasionally the HTTPD service will fail and won’t restart itself.

Doing a netstat -lnp | grep 443

shows a process of sendmail (or eggdrop a couple times) running on that port. Killing the process allows me to start httpd again.

Does anyone know what may cause this? Or how to prevent it from happening again?

eggdrop is a hack running on the box, more than likely.

You’ll need to follow some of Paul’s instructions above to try and clean the box up and review the security on the box.
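
The check described in this thread (see what is listening on port 443 and whether it is Apache), as an added example that is not part of the original posts. It parses `netstat -lnp` output by field rather than with `grep 443`, which also matches port 2443; the function names, the watched ports and the sample lines (modelled on the output posted above) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: flag TCP listeners on Apache's ports that are not Apache.
# Feed it `netstat -lnp` output (run as root so PID/Program name is filled in).

# unexpected_listeners EXPECTED_NAME PORT...
# Reads netstat -lnp output on stdin and prints "port pid name" for every
# listening TCP socket on a watched port whose owner is not EXPECTED_NAME.
unexpected_listeners() {
    expected=$1; shift
    awk -v expected="$expected" -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Port is the last ":"-separated part: handles 0.0.0.0:443 and :::443,
            # and keeps :::2443 from being mistaken for 443.
            k = split($4, addr, ":"); port = addr[k]
            if (!(port in watch)) next
            owner = $7
            # "-" means netstat could not see the owner (not run as root).
            if (owner == "-" || owner == "") { print port, "?", "unknown-owner"; next }
            slash = index(owner, "/")
            pid = substr(owner, 1, slash - 1); name = substr(owner, slash + 1)
            if (name != expected) print port, pid, name
        }'
}

# exe_of PID: path of the binary actually running, from /proc (Linux).
# The name netstat shows is not proof of identity, so check this path too.
exe_of() { readlink "/proc/$1/exe" 2>/dev/null || echo "unreadable"; }

# Constructed sample input, modelled on the netstat lines posted in the thread.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::2443 :::* LISTEN 2288/iworx-web
tcp 0 0 :::443 :::* LISTEN 20369/bind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1502/httpd'

# Demo on the sample; on a live box use:
#   netstat -lnp | unexpected_listeners httpd 80 443
printf '%s\n' "$SAMPLE" | unexpected_listeners httpd 80 443
```

Run from cron or a monitoring check, any output means something other than httpd holds a web port; pass the reported PID to `exe_of` before killing it so the binary's location is recorded for the investigation.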