I have been running a website on a CentOS 5 server for about a year. Everything was okay until I noticed weird downtime problems on my server. I took a look at the system graphs and saw that the system memory was maxed out, and then the Apache service went offline.
I have kept getting this kind of downtime until now, but I don't really know what the problem could be.
I have some log files, where I have found some weird stuff, but I don't know if it is relevant or not.
When the server is down, I get this log at var/log/httpd/ssl_error_log:
[Thu Oct 31 *** 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Oct 31 *** 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Oct 31 *** 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Oct 31 *** 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Oct 31 *** 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Oct 31 *** 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Oct 31 *** 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Oct 31 *** 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
I have also noticed that yesterday my var/log/secure logged some activity from an IP other than mine or the server's:
Oct 30 *** server1 pure-ftpd: (?@***) [INFO] New connection from ***
Oct 30 *** server1 pure-ftpd: (?@***) [INFO] Anonymous user logged in
Oct 30 *** server1 pure-ftpd: (ftp@***) [ERROR] Can't open that file: Permission denied
Oct 30 *** server1 pure-ftpd: (ftp@***) [ERROR] Can't open that file: Permission denied
Oct 30 *** server1 pure-ftpd: (ftp@***) [INFO] Can't change directory to public: No such file or directory
Oct 30 *** server1 pure-ftpd: (ftp@***) [INFO] Can't change directory to incoming: No such file or directory
Oct 30 *** server1 pure-ftpd: (ftp@***) [INFO] Can't change directory to incoming: No such file or directory
Oct 30 *** server1 pure-ftpd: (ftp@***) [INFO] Can't change directory to _vti_pvt: No such file or directory
Oct 30 *** server1 pure-ftpd: (ftp@***) [INFO] Can't change directory to upload: No such file or directory
Oct 30 *** server1 pure-ftpd: (ftp@***) [INFO] Logout.
Does this mean that someone has hacked into my system?
Can anyone suggest what this problem could be and how I can resolve it? I can post more logs if you need them, just specify which!
The error log shows the following when the downtime occurred:
[Thu Oct 31 *** 2013] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Oct 31 *** 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Oct 31 *** 2013] [warn] RSA server certificate wildcard CommonName (CN) `*.lxlabs.com' does NOT match server name!?
[Thu Oct 31 *** 2013] [notice] ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
[Thu Oct 31 *** 2013] [notice] ModSecurity: APR compiled version="1.2.7"; loaded version="1.3.12"
[Thu Oct 31 *** 2013] [warn] ModSecurity: Loaded APR do not match with compiled!
[Thu Oct 31 *** 2013] [notice] ModSecurity: PCRE compiled version="6.6 "; loaded version="8.02 2010-03-19"
[Thu Oct 31 *** 2013] [warn] ModSecurity: Loaded PCRE do not match with compiled!
[Thu Oct 31 *** 2013] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Oct 31 *** 2013] [notice] ModSecurity: LIBXML compiled version="2.6.26"
[Thu Oct 31 *** 2013] [notice] Digest: generating secret for digest authentication ...
[Thu Oct 31 *** 2013] [notice] Digest: done
[Thu Oct 31 *** 2013] [warn] RSA server certificate wildcard CommonName (CN) `*.lxlabs.com' does NOT match server name!?
[Thu Oct 31 *** 2013] [notice] Apache/2.2.22 (Unix) DAV/2 PHP/5.2.17 mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Thu Oct 31 *** 2013] [notice] caught SIGTERM, shutting down
[Thu Oct 31 *** 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Oct 31 *** 2013] [warn] RSA server certificate wildcard CommonName (CN) `*.lxlabs.com' does NOT match server name!?
[Thu Oct 31 *** 2013] [notice] ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
[Thu Oct 31 *** 2013] [notice] ModSecurity: APR compiled version="1.2.7"; loaded version="1.3.12"
[Thu Oct 31 *** 2013] [warn] ModSecurity: Loaded APR do not match with compiled!
[Thu Oct 31 *** 2013] [notice] ModSecurity: PCRE compiled version="6.6 "; loaded version="8.02 2010-03-19"
[Thu Oct 31 *** 2013] [warn] ModSecurity: Loaded PCRE do not match with compiled!
[Thu Oct 31 *** 2013] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Oct 31 *** 2013] [notice] ModSecurity: LIBXML compiled version="2.6.26"
[Thu Oct 31 *** 2013] [notice] Digest: generating secret for digest authentication ...
[Thu Oct 31 *** 2013] [notice] Digest: done
[Thu Oct 31 *** 2013] [warn] RSA server certificate wildcard CommonName (CN) `*.lxlabs.com' does NOT match server name!?
[Thu Oct 31 *** 2013] [notice] Apache/2.2.22 (Unix) DAV/2 PHP/5.2.17 mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
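Added example, not part of the original post: a small Python triage script that summarises pure-ftpd activity per client (anonymous login, denied file opens, directories that were tried) and counts Apache "MaxClients" events. The sample lines are constructed in the format shown above; the timestamps and the client address 192.0.2.10 are assumptions, since the post masks them.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the post; timestamps and
# the client address (192.0.2.10, a documentation range) are made up.
SAMPLE = """\
Oct 30 03:12:01 server1 pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Oct 30 03:12:02 server1 pure-ftpd: (?@192.0.2.10) [INFO] Anonymous user logged in
Oct 30 03:12:03 server1 pure-ftpd: (ftp@192.0.2.10) [ERROR] Can't open that file: Permission denied
Oct 30 03:12:04 server1 pure-ftpd: (ftp@192.0.2.10) [INFO] Can't change directory to incoming: No such file or directory
Oct 30 03:12:05 server1 pure-ftpd: (ftp@192.0.2.10) [INFO] Can't change directory to _vti_pvt: No such file or directory
Oct 30 03:12:06 server1 pure-ftpd: (ftp@192.0.2.10) [INFO] Logout.
[Thu Oct 31 04:00:00 2013] [error] server reached MaxClients setting, consider raising the MaxClients setting
""".splitlines()

# pure-ftpd syslog lines look like: "pure-ftpd: (user@host) [LEVEL] message"
FTP = re.compile(r"pure-ftpd: \((?P<user>[^@]*)@(?P<host>[^)]*)\) \[(?P<level>\w+)\] (?P<msg>.*)")
CHDIR = re.compile(r"Can't change directory to (?P<dir>.+?): ")

def triage(lines):
    """Summarise pure-ftpd activity per client and count Apache MaxClients hits."""
    clients = defaultdict(lambda: {"anonymous": False, "denied": 0, "probed": []})
    maxclients = 0
    for line in lines:
        if "server reached MaxClients setting" in line:
            maxclients += 1
            continue
        m = FTP.search(line)
        if not m:
            continue  # not a pure-ftpd line
        c = clients[m["host"]]
        msg = m["msg"]
        if msg == "Anonymous user logged in":
            c["anonymous"] = True
        elif "Permission denied" in msg:
            c["denied"] += 1
        elif (d := CHDIR.search(msg)):
            # Record each directory name once, in the order first seen
            if d["dir"] not in c["probed"]:
                c["probed"].append(d["dir"])
    return dict(clients), maxclients

if __name__ == "__main__":
    ftp, hits = triage(SAMPLE)
    for host, info in ftp.items():
        print(host, info)
    print("MaxClients events:", hits)
```

To run it over real logs, pass the lines of the secure log and the Apache error log to `triage()` instead of `SAMPLE`.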