LinuxQuestions.org
Old 04-07-2010, 03:45 PM   #1
TravisP
LQ Newbie
 
Registered: Apr 2010
Posts: 3

Rep: Reputation: 0
HTTPD error_log filled with sh: /env: No such file or directory


I have a dedicated server with 1&1 running CentOS 5 and Plesk 9.

I've been trying to hunt down an issue wherein my server hangs every 4-5 days (and finding that I'm certainly not the first person to have that issue with 1&1).

In my investigations, however, I'm seeing that my Apache error log is constantly logging the following error:

sh: /env: No such file or directory

Google searches turn up nothing specific to that error. Any ideas where I should look for the cause?

Thanks!
 
Old 04-07-2010, 04:10 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924
Quote:
Originally Posted by TravisP
I'm seeing that my Apache error log is constantly logging the following error:
sh: /env: No such file or directory
Post us a few exact lines from your access_log? Any other errors? And do consider running Logwatch on your logs. Most cracker activity is preceded by recon (not that I'm saying this is evidence of that w/o seeing any log lines). Logwatch helps you keep tabs on errors, odd requests and more.
 
Old 04-08-2010, 08:24 AM   #3
TravisP
LQ Newbie
 
Registered: Apr 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Here are some exact lines from the log (this was shortly after a reboot):

[Thu Apr 08 06:45:55 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Apr 08 06:45:55 2010] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Thu Apr 08 06:45:55 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Apr 08 06:45:55 2010] [warn] RSA server certificate CommonName (CN) `u15376461.onlinehome-server.com' does NOT match server name!?
[Thu Apr 08 06:45:55 2010] [warn] Init: SSL server IP/port conflict: recumbent.tv:443 (/var/www/vhosts/recumbent.tv/conf/httpd.include:12) vs. horde.webmail:443 (/etc/httpd/conf.d/zzz_horde_vhost.conf:41)
[Thu Apr 08 06:45:55 2010] [warn] Init: SSL server IP/port conflict: rcmbnt.com:443 (/var/www/vhosts/rcmbnt.com/conf/httpd.include:12) vs. horde.webmail:443 (/etc/httpd/conf.d/zzz_horde_vhost.conf:41)
[Thu Apr 08 06:45:55 2010] [warn] Init: SSL server IP/port conflict: recumbentjournal.com:443 (/var/www/vhosts/recumbentjournal.com/conf/httpd.include:12) vs. horde.webmail:443 (/etc/httpd/conf.d/zzz_horde_vhost.conf:41)
[Thu Apr 08 06:45:55 2010] [warn] Init: SSL server IP/port conflict: default-74-208-68-193:443 (/etc/httpd/conf.d/zz010_psa_httpd.conf:78) vs. horde.webmail:443 (/etc/httpd/conf.d/zzz_horde_vhost.conf:41)
[Thu Apr 08 06:45:55 2010] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Thu Apr 08 06:45:55 2010] [notice] Digest: generating secret for digest authentication ...
[Thu Apr 08 06:45:55 2010] [notice] Digest: done
[Thu Apr 08 06:45:55 2010] [notice] mod_bw : Memory Allocated 0 bytes (each conf takes 32 bytes)
[Thu Apr 08 06:45:55 2010] [notice] mod_bw : Version 0.8 - Initialized [0 Confs]
[Thu Apr 08 06:45:56 2010] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Thu Apr 08 06:45:56 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Apr 08 06:45:56 2010] [warn] RSA server certificate CommonName (CN) `u15376461.onlinehome-server.com' does NOT match server name!?
[Thu Apr 08 06:45:56 2010] [warn] Init: SSL server IP/port conflict: recumbent.tv:443 (/var/www/vhosts/recumbent.tv/conf/httpd.include:12) vs. horde.webmail:443 (/etc/httpd/conf.d/zzz_horde_vhost.conf:41)
[Thu Apr 08 06:45:56 2010] [warn] Init: SSL server IP/port conflict: rcmbnt.com:443 (/var/www/vhosts/rcmbnt.com/conf/httpd.include:12) vs. horde.webmail:443 (/etc/httpd/conf.d/zzz_horde_vhost.conf:41)
[Thu Apr 08 06:45:56 2010] [warn] Init: SSL server IP/port conflict: recumbentjournal.com:443 (/var/www/vhosts/recumbentjournal.com/conf/httpd.include:12) vs. horde.webmail:443 (/etc/httpd/conf.d/zzz_horde_vhost.conf:41)
[Thu Apr 08 06:45:56 2010] [warn] Init: SSL server IP/port conflict: default-74-208-68-193:443 (/etc/httpd/conf.d/zz010_psa_httpd.conf:78) vs. horde.webmail:443 (/etc/httpd/conf.d/zzz_horde_vhost.conf:41)
[Thu Apr 08 06:45:56 2010] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Thu Apr 08 06:45:56 2010] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory

I installed logwatch per your suggestion. We'll see what that starts returning.
 
Old 04-08-2010, 07:03 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924
Quote:
Originally Posted by TravisP
sh: /env: No such file or directory
sh: /env: No such file or directory
sh: /env: No such file or directory
All I know is the (coreutils package) 'env' binary resides in /bin, so looking for it in "/" might be a chroot bug or something else. So unfortunately the posted log lines don't hold any clues. Please post details about what you're actually running on top of Apache (or whatever else web server) like PHPMyAdmin, CMSes, web logs, bulletin boards, whatever else, check your web server configuration, search for files the web server user owns (odd names or locations and such), and see if the user by any chance has a crontab file (just a hunch). BTW, did this problem occur always or after a certain date?


Quote:
Originally Posted by TravisP
I installed logwatch per your suggestion. We'll see what that starts returning.
You can run Logwatch on past logs to assess what's been going on.
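
The checks suggested in the reply above (files the web server user owns that have odd names or modes, and whether that user has a crontab) can be scripted. This is an added example, not part of the thread; the function names are hypothetical, and it assumes the account is `apache`, content lives under /var/www, and per-user crontabs are in /var/spool/cron as on CentOS.

```sh
#!/bin/sh
# Added example (not from the thread): review what the web server account owns.
# Assumed defaults: account "apache", web root /var/www, crontab spool
# /var/spool/cron (CentOS layout). Run as root so the spool is readable.

# Print "reason<TAB>path" for regular files owned by USER under ROOT that look
# out of place: hidden names, names containing a space, or an owner execute bit.
odd_owned_files() {  # usage: odd_owned_files ROOT USER
    root=$1 user=$2
    find "$root" -xdev -type f -user "$user" \
        \( -name '.*' -o -name '* *' -o -perm -100 \) -print 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        case $name in
            .*)   reason=hidden ;;
            *\ *) reason=space-in-name ;;
            *)    reason=executable ;;
        esac
        printf '%s\t%s\n' "$reason" "$path"
    done
}

# Print the active (non-blank, non-comment) lines of USER's crontab in SPOOL.
# Returns 0 if at least one entry exists, 1 if there is none or no crontab file.
crontab_entries() {  # usage: crontab_entries SPOOL USER
    file=$1/$2
    [ -r "$file" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$file"
}

# Run both checks and label the output.
triage() {  # usage: triage USER WEBROOT [SPOOL]
    user=$1 webroot=$2 spool=${3:-/var/spool/cron}
    echo "== odd files owned by $user under $webroot"
    odd_owned_files "$webroot" "$user"
    echo "== crontab entries for $user"
    crontab_entries "$spool" "$user" || echo "(none)"
}

# Example invocation: sh triage.sh apache /var/www
if [ "$#" -gt 0 ]; then
    triage "$@"
fi
```

Every hit is a starting point for review rather than a verdict: upload directories and caches legitimately contain files owned by the web server user.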
 
Old 04-27-2010, 11:41 AM   #5
TravisP
LQ Newbie
 
Registered: Apr 2010
Posts: 3

Original Poster
Rep: Reputation: 0
My /env listings in the error log seem to be happening at the same rate as the following in my access log:

::1 - - [27/Apr/2010:10:32:28 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"

And there are plenty of resources available for dealing with that issue, so I'll see if I can reduce my /env errors by addressing the number of dummy connections (I'm getting one every 5-25 seconds).

Logwatch returned the following:

Quote:
Commands Run:
User nobody:
php /var/www/*path removed*/cronjob/cronjob.php: 288 Time(s)
User root:
/usr/local/psa/admin/sbin/backupmng >/dev/null 2>&1: 96 Time(s)
/usr/local/psa/libexec/modules/watchdog/cp/clean-events: 1 Time(s)
/usr/local/psa/libexec/modules/watchdog/cp/clean-sysstats: 1 Time(s)
/usr/local/psa/libexec/modules/watchdog/cp/pack-sysstats day: 1 Time(s)
/usr/local/psa/libexec/modules/watchdog/cp/pack-sysstats week: 1 Time(s)
/usr/local/psa/libexec/modules/watchdog/cp/secur-check: 1 Time(s)
/usr/local/psa/libexec/modules/watchdog/cp/send-report weekly: 1 Time(s)
/usr/share/spamassassin/sa-update.cron 2>&1 | tee -a /var/log/sa-update.log: 1 Time(s)
run-parts /etc/cron.daily: 1 Time(s)
run-parts /etc/cron.hourly: 24 Time(s)

---------------------- Cron End -------------------------


--------------------- httpd Begin ------------------------

0.16 MB transferred in 730 responses (1xx 0, 2xx 720, 3xx 0, 4xx 10, 5xx 0)
295 Content pages (0.16 MB),
435 Other (0.00 MB)

Requests with error response codes
400 Bad Request
/w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
404 Not Found
/phpMyAdmin//scripts/setup.php: 2 Time(s)
/phpMyAdmin//setup/config.php?type=post: 2 Time(s)
/phpmyadmin//scripts/setup.php: 2 Time(s)
/phpmyadmin//setup/config.php?type=post: 2 Time(s)
/robots.txt: 1 Time(s)

A total of 1 ROBOTS were logged
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT) 1 Time(s)

---------------------- httpd End -------------------------


--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
root (94.158.184.183): 192 Time(s)
root (74.3.202.169): 49 Time(s)
unknown (201.251.214.67): 45 Time(s)
root (217.24.240.68): 12 Time(s)
unknown (94.158.184.183): 10 Time(s)
unknown (91.214.45.66): 7 Time(s)
root (91.214.45.66): 3 Time(s)
mailman (201.251.214.67): 2 Time(s)
alias (201.251.214.67): 1 Time(s)
unknown (217.24.240.68): 1 Time(s)
Invalid Users:
Unknown Account: 63 Time(s)


---------------------- pam_unix End -------------------------


--------------------- SSHD Begin ------------------------


Didn't receive an ident from these IPs:
74.3.202.169 (74.3.202.169.reverse.gogrid.com): 1 Time(s)
80.149.17.129: 1 Time(s)

Failed logins from:
74.3.202.169 (74.3.202.169.reverse.gogrid.com): 49 times
root/password: 49 times
91.214.45.66 (hosted-by.altushost.com): 3 times
root/password: 3 times
94.158.184.183 (nat-94.158.184.183.transmedia.su): 192 times
root/password: 192 times
201.251.214.67 (251-201-214-67.mrse.com.ar): 3 times
mailman/password: 2 times
alias/password: 1 time
217.24.240.68: 12 times
root/password: 12 times

Illegal users from:
91.214.45.66 (hosted-by.altushost.com): 7 times
onlinehome-server/password: 3 times
u15376461/password: 3 times
com/password: 1 time
94.158.184.183 (nat-94.158.184.183.transmedia.su): 10 times
oracle/password: 4 times
test/password: 2 times
test1/password: 2 times
server/password: 1 time
test11/password: 1 time
201.251.214.67 (251-201-214-67.mrse.com.ar): 45 times
css/password: 5 times
autoset/password: 4 times
bgz/password: 4 times
at/password: 3 times
cactiuser/password: 3 times
man/password: 3 times
sanjay/password: 3 times
purehate/password: 2 times
ts/password: 2 times
ts2/password: 2 times
cacti/password: 1 time
cacto/password: 1 time
css1/password: 1 time
heekim/password: 1 time
lipis/password: 1 time
office/password: 1 time
recruit/password: 1 time
sales/password: 1 time
samba/password: 1 time
spam/password: 1 time
staff/password: 1 time
tomcat/password: 1 time
webadmin/password: 1 time
zarex/password: 1 time
217.24.240.68: 1 time
admin/password: 1 time


Received disconnect:
11: Bye Bye
201.251.214.67 : 47 Time(s)
217.24.240.68 : 13 Time(s)
94.158.184.183 : 202 Time(s)

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user recruit : 1 time(s)
reverse mapping checking getaddrinfo for 74.3.202.169.reverse.gogrid.com failed - POSSIBLE BREAK-IN ATTEMPT! : 49 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sanjay : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sales : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cacti : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user at : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user spam : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user admin : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test1 : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oracle : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user server : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bgz : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webadmin : 1 time(s)
reverse mapping checking getaddrinfo for hosted-by.altushost.com failed - POSSIBLE BREAK-IN ATTEMPT! : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user staff : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test11 : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user autoset : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user purehate : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user samba : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tomcat : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cactiuser : 3 time(s)
reverse mapping checking getaddrinfo for nat-94.158.184.183.transmedia.su failed - POSSIBLE BREAK-IN ATTEMPT! : 202 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cacto : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user css : 5 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ts2 : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user com : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user u15376461 : 3 time(s)
reverse mapping checking getaddrinfo for 251-201-214-67.mrse.com.ar failed - POSSIBLE BREAK-IN ATTEMPT! : 48 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lipis : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user zarex : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user css1 : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ts : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user man : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user heekim : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user onlinehome-server : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user office : 1 time(s)

---------------------- SSHD End -------------------------


--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on
/dev/md1 9.2G 275M 8.5G 4% /
/dev/md5 9.4G 2.1G 7.3G 23% /usr
/dev/md6 129G 2.6G 126G 2% /var


---------------------- Disk Space End -------------------------


###################### Logwatch End #########################
The cronjob that ran 288 times is a script that pulls content onto my Joomla site every 5 minutes. I've disabled that for now.

Last edited by TravisP; 04-27-2010 at 12:44 PM.
 
  


All times are GMT -5.
