From: KnowledgeSeaker on 8 Jun 2010 10:21

Hello,

I would like to be able to identify the web site (httpd access log) or
user that is using a specific PID when using top.

I suspect an attack or unusual traffic on a web site that uses a lot
of CPU... There are several PIDs but no way to find out which web site
it is...

Thanks for any pointers!
--
MAP
From: Rob Warnock on 8 Jun 2010 20:39

KnowledgeSeaker <marco.a.paquin(a)gmail.com> wrote:
+---------------
| I would like to be able to identify the web site (httpd access log) or
| user that is using a specific PID when using top.
|
| I suspect an attack or unusual traffic on a web site that uses a lot
| of CPU... There are several PIDs but no way to find out which web site
| it is...
+---------------

Try "sockstat(1)". That is, use "top" or "ps" to find the PID that's
consuming too much time, then "sockstat" to find the remote address(es)
associated with that PID, then "host" or "dig" to convert the remote
IP address(es) to domain names, then WHOIS to find out who owns it.

[Caveat: This will only work, of course, if the remote site remains
connected while the local web server process is chewing CPU.]

-Rob

-----
Rob Warnock <rpw3(a)rpw3.org>
627 26th Avenue <URL:http://rpw3.org/>
San Mateo, CA 94403 (650)572-2607
From: Cydrome Leader on 11 Jun 2010 15:31

KnowledgeSeaker <marco.a.paquin(a)gmail.com> wrote:
> Hello,
>
> I would like to be able to identify the web site (httpd access log) or
> user that is using a specific PID when using top.
>
> I suspect an attack or unusual traffic on a web site that uses a lot
> of CPU... There are several PIDs but no way to find out which web site
> it is...
>
> Thanks for any pointers!
> --
> MAP

Enabling server-status in httpd.conf will let you check the scoreboard.
It will list the site being served and associated PIDs.
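
The scoreboard lookup suggested in the last reply, as an added example that is not part of the original thread: it reads the worker table of a saved server-status page and returns the client, virtual host and request for a given PID. It assumes ExtendedStatus is on so the PID, Client, VHost and Request columns are present; the class and function names are hypothetical and the sample page is constructed.

```python
from html.parser import HTMLParser

# Constructed sample of the worker table from an extended server-status page;
# the PIDs, addresses and host names are made up.
SAMPLE = """<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>4211</td><td>0/12/12</td><td>_</td><td>0.41</td><td>3</td><td>2</td><td>0.0</td><td>0.05</td><td>0.05</td><td>192.0.2.10</td><td nowrap>www.example.org</td><td nowrap>GET /index.html HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>4215</td><td>1/90/90</td><td><b>W</b></td><td>311.70</td><td>42</td><td>0</td><td>0.0</td><td>1.10</td><td>1.10</td><td>198.51.100.7</td><td nowrap>shop.example.net</td><td nowrap>GET /search.php?q=a HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>4215</td><td>0/7/7</td><td><b>K</b></td><td>0.02</td><td>1</td><td>5</td><td>0.3</td><td>0.01</td><td>0.01</td><td>203.0.113.44</td><td nowrap>shop.example.net</td><td nowrap>GET /cart HTTP/1.1</td></tr>
</table>"""

class Scoreboard(HTMLParser):
    """Collect the rows that follow the header row containing PID and VHost."""
    def __init__(self):
        super().__init__()
        self.cols, self.workers = None, []
        self._row, self._cell = [], None

    def _flush(self):
        if self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag in ("td", "th"):
            self._flush()              # tolerate cells that were never closed
            self._cell = []
        elif tag == "tr":
            self._row = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th", "tr"):
            self._flush()
        if tag == "tr":
            if "PID" in self._row and "VHost" in self._row:
                self.cols = self._row  # header row of the worker table
            elif self.cols and len(self._row) == len(self.cols):
                self.workers.append(dict(zip(self.cols, self._row)))
            self._row = []

def requests_for_pid(status_html, pid):
    # M is the worker state: "W" is sending a reply; "_" is idle, in which
    # case the row shows the last request served. A threaded MPM can list
    # one PID on several rows.
    sb = Scoreboard()
    sb.feed(status_html)
    keep = ("M", "CPU", "Client", "VHost", "Request")
    return [{k: w[k] for k in keep} for w in sb.workers if w["PID"] == str(pid)]
```

Pass it the PID that top shows as busy; the rows in state "W" are the requests being served right now.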