From owner-freebsd-questions  Mon Dec  2 19:40:55 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4263637B401
	for <freebsd-questions@freebsd.org>; Mon,  2 Dec 2002 19:40:54 -0800 (PST)
Received: from sub21-156.member.dsl-only.net (sub21-156.member.dsl-only.net [63.105.21.156])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B9C5743EC2
	for <freebsd-questions@freebsd.org>; Mon,  2 Dec 2002 19:40:53 -0800 (PST)
	(envelope-from nkinkade@sub21-156.member.dsl-only.net)
Received: from nkinkade by sub21-156.member.dsl-only.net with local (Exim 4.10)
	id 18J3vZ-0001KX-00
	for freebsd-questions@freebsd.org; Mon, 02 Dec 2002 19:40:53 -0800
Date: Mon, 2 Dec 2002 19:40:53 -0800
From: Nathan Kinkade <nkinkade@dsl-only.net>
To: FreeBSD-questions <freebsd-questions@freebsd.org>
Subject: Re: Strange WWW problem
Message-ID: <20021203034053.GM467@sub21-156.member.dsl-only.net>
Reply-To: nkinkade@dsl-only.net
Mail-Followup-To: FreeBSD-questions <freebsd-questions@freebsd.org>
References: <Pine.BSF.4.21.0212020029560.45207-100000@heorot.1nova.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.BSF.4.21.0212020029560.45207-100000@heorot.1nova.com>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Mon, Dec 02, 2002 at 12:37:48AM -0800, Rick Hamell wrote:
> 
> For the last two weeks or so, my web server has stopped processing
> requests after about 5:30pm or so until about 9:30 or later. I've checked
> the logs and thought that the Nimbda virus was bogging my server down,
> this was after I increased my MaxServers in http.conf from 10 to 20. Even
> then I had 13 httpd processes running.
> 
> The weird part is that there will be periods of time when I can access any
> of my web sites just fine for about 5 minutes or so before I start getting
> "The page Could not be found" errors in IE. Nothing has changed recently
> in the configuration, so I tend to lean towards being DOS'ed, either via
> Nimbda or...? I'm seeing the attempts in my log, but right at this moment
> I'm not seeing any new ones, only have 5 http process's active.. and still
> can't access any of my domains via WWW.
> 
> Anyone have any ideals?
> 
> Rick

Are you saying that your httpd access log shows the hit and that the
document was served, yet the client is getting 404 (or some such)
errors?  If so, have you tried launching `ethereal` (or your favorite
protocol analyzer) to see exactly what is going on at all levels?  If
nothing is apparent in the error logs, access logs, messages, or other
likely places then a thorough look at the actual transaction between the
client and server might not be out of place.  I realize that this isn't
an answer, but it seems like the logical next-step.

Nathan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message