Recently my Apache got a DoS attack; it happened that the attacker flooded SYN requests to our Apache. I know because at that time I had Wireshark enabled.
After the attack finished, I restarted my Apache and it's all back to running normally. But the problem is, when I check my server status from mod_status, there are some threads showing:
> 0-92 61968 0/0/674 R 1125 0 0.0 0.00 22.93 ? ? ..reading..
> 0-92 61968 0/0/29 R 537889 0 0.0 0.00 0.01 ? ? ..reading..
> 0-92 61968 0/0/852 R 1158 15 0.0 0.00 15.05 ? ? ..reading..
> 0-92 61968 0/0/2 R 537933 578 0.0 0.00 0.02 ? ? ..reading..
> 0-92 61968 0/0/3 R 537933 0 0.0 0.00 0.02 ? ? ..reading..
> 0-92 61968 0/0/1 R 538060 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/2 R 538060 0 0.0 0.00 0.01 ? ? ..reading..
> 0-92 61968 0/0/71 R 538146 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/31 R 538146 0 0.0 0.00 0.01 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 K 1287665833 0 0.0 0.00 0.00
These ..reading.. are always showing, even after I restart. Do you have any idea how to remove this? And where does it come from?
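As an added example (not part of the question or of any answer on this page), a small triage script for rows in the layout quoted above: it counts workers per scoreboard mode and lists the "R" (reading) slots that have no client attached and a very large SS value. The sample rows are constructed: a few copied in shape from the question, plus one busy worker and one row in the usual mod_status layout that also carries a CPU column. The column mapping is an assumption: the question's rows have no CPU column, so the first number after the mode letter is read as SS (seconds since the start of the slot's last request); when that position holds a decimal, the script assumes it is the CPU column and shifts by one.

```python
from collections import Counter

# Constructed sample rows (shape taken from the question, values invented).
# Assumed column order without CPU: Srv PID Acc M SS Req Conn Child Slot Client VHost Request.
SAMPLE_STATUS = """\
> 0-92 61968 0/0/674 R 1125 0 0.0 0.00 22.93 ? ? ..reading..
> 0-92 61968 0/0/29 R 537889 0 0.0 0.00 0.01 ? ? ..reading..
> 0-92 61968 0/0/0 R 1287665833 0 0.0 0.00 0.00 ? ? ..reading..
> 0-92 61968 0/0/0 K 1287665833 0 0.0 0.00 0.00
> 1-93 61969 3/12/500 W 2 15 1.2 0.40 3.10 198.51.100.20 www.example.com GET /index.html HTTP/1.1
> 2-94 61970 1/3/40 W 0.05 2 15 1.2 0.40 3.10 198.51.100.21 www.example.com GET / HTTP/1.1
"""

# Constructed threshold: an 'R' slot with no client and more than an hour
# since its last request is reported as stale.
STALE_AFTER = 3600


def parse_row(line):
    """Parse one scoreboard row (a leading '> ' quote marker is tolerated)."""
    fields = line.lstrip("> ").split()
    if len(fields) < 9:
        return None  # header, blank or truncated row
    # Heuristic (assumption): SS is always an integer, so a decimal right after
    # the mode letter means the CPU column is present and everything shifts by one.
    offset = 1 if "." in fields[4] else 0
    if len(fields) < 9 + offset or not fields[4 + offset].isdigit():
        return None
    return {
        "srv": fields[0],
        "pid": fields[1],
        "acc": fields[2],                  # conn/child/slot request counts
        "mode": fields[3],                 # scoreboard letter: R, W, K, _, ...
        "ss": int(fields[4 + offset]),     # seconds since start of last request
        "client": fields[9 + offset] if len(fields) > 9 + offset else "",
        "vhost": fields[10 + offset] if len(fields) > 10 + offset else "",
        "request": " ".join(fields[11 + offset:]),
    }


def parse_scoreboard(text):
    """Return the parsable rows of a mod_status worker table as dicts."""
    rows = (parse_row(line) for line in text.splitlines())
    return [row for row in rows if row is not None]


def summarize(rows, stale_after=STALE_AFTER):
    """Return (workers per mode, 'R' slots with no client and a large SS)."""
    by_mode = Counter(row["mode"] for row in rows)
    stale = [
        row for row in rows
        if row["mode"] == "R"
        and row["client"] in ("", "?")
        and row["ss"] > stale_after
    ]
    return by_mode, stale


if __name__ == "__main__":
    modes, stale_rows = summarize(parse_scoreboard(SAMPLE_STATUS))
    print("workers per mode:", dict(modes))
    for row in stale_rows:
        print(f"stale reader: srv={row['srv']} pid={row['pid']} ss={row['ss']}")
```

Run it against a saved copy of the `?auto`-less mod_status page's table rows (or paste the rows into `SAMPLE_STATUS`); the SS values in the ten-digit range are what make those slots stand out, since they are far larger than any uptime.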
To verify if you're still being attacked, type the following command:
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -n
You will see a list of IPs with the number of connections each one has to your server.
If any IPs have more than 100 connections then there is a chance that this is your attacker. Go ahead and block this IP using APF if you have it installed, or CSF.
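An added example, not from the answer above, that does the same per-source count over `netstat -plan` output in Python so that two details of the one-liner can be handled: `cut -d: -f1` keys on the first colon, so an IPv4-mapped IPv6 peer (`::ffff:203.0.113.7:51237`) collapses to an empty field, and a plain connection count mixes established clients with half-open `SYN_RECV` entries, which are the ones a SYN flood produces. The sample netstat lines are constructed, not captured from the poster's server, and the threshold of 100 is the answer's own rule of thumb.

```python
from collections import Counter

# Constructed `netstat -plan | grep :80` style lines: one source holding several
# half-open connections (one of them as an IPv4-mapped IPv6 entry), two ordinary
# clients, and the listening socket itself.
SAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:80            203.0.113.7:51234       SYN_RECV    -
tcp        0      0 10.0.0.5:80            203.0.113.7:51235       SYN_RECV    -
tcp        0      0 10.0.0.5:80            203.0.113.7:51236       SYN_RECV    -
tcp6       0      0 ::ffff:10.0.0.5:80     ::ffff:203.0.113.7:51237 SYN_RECV   -
tcp        0      0 10.0.0.5:80            198.51.100.20:44321     ESTABLISHED 61968/apache2
tcp        0      0 10.0.0.5:80            198.51.100.21:44322     TIME_WAIT   -
tcp        0      0 0.0.0.0:80             0.0.0.0:*               LISTEN      61968/apache2
"""


def peer_host(addr):
    """Split 'host:port' on the LAST colon so IPv6 forms survive; fold
    IPv4-mapped addresses back to their IPv4 form."""
    host, _, port = addr.rpartition(":")
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return host, port


def count_connections(text):
    """Return (connections per peer, SYN_RECV connections per peer)."""
    total, syn_recv = Counter(), Counter()
    for line in text.splitlines():
        fields = line.split()
        # netstat tcp rows: Proto Recv-Q Send-Q Local Foreign State PID/Program
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        host, port = peer_host(fields[4])
        if port == "*":
            continue  # listening socket, no peer
        total[host] += 1
        if fields[5] == "SYN_RECV":
            syn_recv[host] += 1
    return total, syn_recv


def suspicious_sources(total, threshold=100):
    """Peers with more than `threshold` connections, busiest first."""
    return sorted(((n, ip) for ip, n in total.items() if n > threshold), reverse=True)


if __name__ == "__main__":
    total, half_open = count_connections(SAMPLE_NETSTAT)
    for n, ip in suspicious_sources(total, threshold=2):
        print(f"{ip}: {n} connections, {half_open[ip]} in SYN_RECV")
```

On a live box replace `SAMPLE_NETSTAT` with the output of `netstat -plan` (or `ss -tanp`, whose columns differ); a peer whose count is dominated by `SYN_RECV` is the SYN-flood signature the question describes, whereas a high `ESTABLISHED` count is just a busy client.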
or
I've recently seen some of these in my apache-status too. Looks like they automatically go away for me. I'm looking for an explanation as well.
About these processes not going away after restart, you could try to stop Apache, then:
Then restart it. They are probably zombie processes that Apache can't kill by itself when restarting.
I know that kind of attack is almost impossible to prevent from happening, but just making sure: have you fine-tuned the Apache TimeOut value at all, or is it set to the default value (300 seconds, I think)? If it's the default 300 seconds, you may safely change it to some significantly lower value, say 15 or 30 seconds.