[nycbug-talk] Odd behavior on FreeBSD 6.3 box

Michael Hernandez mhernandez at techally.com
Wed Feb 4 09:50:43 EST 2009 

On Jan 30, 2009, at 1:08 AM, Matt Juszczak wrote:

> I have a simple webserver/mysql box that usually works fine.  But  
> tonight,
> I was seeing load averages in the 80's and 90's, incredibly high I/O  
> wait,
> and perl in the top of the processlist using 80-90% of CPU.  Seemed  
> to be
> spamassassin related, but I also had a ton of apache processes  
> running.
>
> I'm still looking to see if perhaps a website was being hammered,  
> but in
> the meantime I noticed that I was getting this repeatedly (about  
> once a
> second) in my http-access log:
>
> ::1 - - [30/Jan/2009:05:52:23 +0000] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.7e-p1 DAV/2 PHP/ 
> 5.2.6
> with Suhosin-Patch mod_perl/2.0.4 Perl/v5.8.8 (internal dummy  
> connection)"
>
>
> Does anyone know what that is (other than the fact that its a loopback
> dummy connection)?  It seems to have stopped since I restarted  
> postfix and
> apache.
>
> Thanks for any thoughts...

Have you checked your logs to see if you're getting hit by a flood of  
spam attempts? I had a postfix machine here with spam assassin and  
from time to time the load avgs would spike, then when i looked at the  
logs I'd see 5-10 connections per second of people trying to use my  
server as an open relay. If spam assassin is configured to start  
whenever something hits the incoming mail server, it might spawn tons  
of processes. Also, from time to time I've gotten lots of bogus  
requests to my HTTP daemon, from people who were attempting to use it  
as a proxy. WIth all of that, and the never ending flood of SSH brute  
force attempts (that will never work... ;) there's an awful lot of  
things that could cause unusual load.

If restarting postfix seems to curb the problem for a while, it could  
be that people (read: probably some root-kitted linux box, etc) are  
trying really hard to send spam from your machine. Even if it's  
configured not to relay mail, that won't stop people from trying, some  
bot nets try harder than others...

Good luck!

--Mike H

More information about the talk mailing list