Koozali.org: home of the SME Server

Access Log! need help

nef kho

Access Log! need help
« on: April 04, 2003, 01:12:36 PM »
Hi,

I need help, I get this access log:

[Fri Apr  4 09:50:31 2003] [error] [client 210.125.151.233] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 09:58:22 2003] [error] [client 210.17.139.99] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 10:39:57 2003] [error] [client 210.108.45.111] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 10:41:46 2003] [error] [client 210.23.226.226] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 11:19:44 2003] [error] [client 210.183.85.154] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 12:27:09 2003] [error] [client 210.182.175.153] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 13:30:38 2003] [error] [client 210.23.102.5] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 13:39:45 2003] [error] [client 210.23.226.226] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 13:48:45 2003] [error] [client 210.106.240.135] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 14:11:54 2003] [error] [client 210.23.226.226] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 14:47:11 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Apr  4 14:52:34 2003] [notice] child pid 28296 exit signal Segmentation fault (11)
[Fri Apr  4 14:57:23 2003] [notice] child pid 28358 exit signal Segmentation fault (11)
[Fri Apr  4 14:59:50 2003] [error] (32)Broken pipe: accept: (client socket)
[Fri Apr  4 15:07:19 2003] [notice] Apache/1.3.12 (Unix)  (Red Hat/Linux) PHP/4.0.3pl1 configured -- resuming normal operations
[Fri Apr  4 15:19:43 2003] [notice] Apache/1.3.12 (Unix)  (Red Hat/Linux) PHP/4.0.3pl1 configured -- resuming normal operations
[Fri Apr  4 15:38:25 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Apr  4 15:43:13 2003] [notice] Apache/1.3.12 (Unix)  (Red Hat/Linux) PHP/4.0.3pl1 configured -- resuming normal operations
[Fri Apr  4 16:16:08 2003] [notice] Apache/1.3.12 (Unix)  (Red Hat/Linux) PHP/4.0.3pl1 configured -- resuming normal operations


After a few minutes of getting connected, my e-smith just hangs up and I can't get in anymore. Does anyone know what the log means?

tia

nef kho

Jochen Hoegerl

Re: Access Log! need help
« Reply #1 on: April 05, 2003, 03:19:40 AM »
I think it is a Code Red or Nimda worm, not sure which one, but it is an IIS web server exploit.

jochen

Jon Blakely

Re: Access Log! need help
« Reply #2 on: April 05, 2003, 08:15:45 AM »
Nef,

As Jochen has already mentioned, the first part of the log

[Fri Apr 4 09:50:31 2003] [error] [client 210.125.151.233] File does not exist: /home/e-smith/files/primary/html/default.ida

is the Code Red worm. It is totally harmless to Linux servers.

The second part, where you are reaching the MaxClients setting and having Apache close down, is, I suspect, due to a looping reference in your "error 400 message page". Every time you get a Code Red hit, it will create an error 400 message, which is looping, creating another http process, which is looping, creating another http process, and so on until you reach the MaxClients limit.

Have you modified or added your own error pages, by any chance?

Jon
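An added example, not written by anyone in this thread: a Python triage of an Apache 1.3 error_log that separates the `default.ida` probe lines from the local MaxClients, segfault and restart messages discussed above. The log lines are constructed (documentation-range client addresses), and the `triage` function and its `window_minutes` parameter are illustrative names.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the Apache 1.3 error_log format quoted in the thread.
# Client addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
[Fri Apr  4 13:48:45 2003] [error] [client 192.0.2.10] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 14:11:54 2003] [error] [client 192.0.2.20] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 14:30:02 2003] [error] [client 192.0.2.10] File does not exist: /home/e-smith/files/primary/html/default.ida
[Fri Apr  4 14:47:11 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Apr  4 14:52:34 2003] [notice] child pid 28296 exit signal Segmentation fault (11)
[Fri Apr  4 15:07:19 2003] [notice] Apache/1.3.12 (Unix)  (Red Hat/Linux) PHP/4.0.3pl1 configured -- resuming normal operations
"""

LINE_RE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] (?:\[client ([^\]]+)\] )?(.*)$")
# Local server-health messages, keyed by a short label.
HEALTH = {
    "maxclients": "server reached MaxClients setting",
    "segfault": "exit signal Segmentation fault",
    "restart": "resuming normal operations",
}

def triage(log_text, window_minutes=60):
    """Separate IIS-worm probe noise from local Apache health events."""
    probes, health, first_max, probe_times = Counter(), Counter(), None, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an error_log record
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        client, msg = m.group(3), m.group(4)
        if client and msg.startswith("File does not exist:") and msg.endswith("/default.ida"):
            probes[client] += 1
            probe_times.append(ts)
        for label, needle in HEALTH.items():
            if needle in msg:
                health[label] += 1
                if label == "maxclients" and first_max is None:
                    first_max = ts
    # Probes in the window before the first MaxClients event (request volume check).
    recent = 0
    if first_max is not None:
        start = first_max - timedelta(minutes=window_minutes)
        recent = sum(1 for t in probe_times if start <= t <= first_max)
    return {"probes": dict(probes), "health": dict(health),
            "probes_before_first_maxclients": recent}

print(triage(SAMPLE_LOG))
```

A small `probes_before_first_maxclients` next to MaxClients and segfault events means request volume alone does not explain the exhaustion, which is when a local cause such as the error-page loop suggested in the reply is worth checking.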

nef kho

Re: Access Log! need help
« Reply #3 on: April 06, 2003, 08:57:16 AM »
Thanks,
I did modify my error message. Should I modify my error message to bypass the Code Red or just modify it to its normal setup?

tia

nef kho