External domain accessing wp-db.php file causes database connection error - php

My Wordpress website was down due to a database connection error.
When I looked into the cPanel error log I saw around 100 rows that looked like these:
[Tue Apr 02 06:24:11.179218 2019] [cgi:error] [pid 31625] [client 50.3.196.173:41576] AH01215: PHP Warning: Error while sending QUERY packet. PID=31986 in /home/admin/public_html/wp-includes/wp-db.php on line 1924: /usr/local/cpanel/cgi-sys/ea-php71, referer: http://www.worldtravelawards.com/profile-4544-the-monte-carlo-beach
[Tue Apr 02 06:24:11.176124 2019] [cgi:error] [pid 31617] [client 196.247.235.184:60968] AH01215: PHP Warning: Error while sending QUERY packet. PID=31998 in /home/admin/public_html/wp-includes/wp-db.php on line 1924: /usr/local/cpanel/cgi-sys/ea-php71, referer: http://www.worldtravelawards.com/profile-3005-walt-disney-world-swan-and-dolphin-resort
The referer is an external domain that somehow is accessing my wp-db.php file, causing a PHP, database-related, error. I did some research and came across subjects like "Bandwidth theft" and "Database injection", but I couldn't really find a good answer to a similar situation.
Any ideas what it could be and how to prevent this from happening? Thanks in advance!

Referer does not mean anything.
An HTTP_REFERER is a header sent by a browser, primarily used for analytics, that shows where the user came from. In this example, a user clicked on a link on the http://www.worldtravelawards.com/profile-4544-the-monte-carlo-beach webpage that leads to your website. www.worldtravelawards.com is not their actual hostname.
See "Error while sending QUERY packet" for info about the PHP error.
Post Scriptum: Avoid posting actual IP addresses of your clients or domains of your website because it may lead to hacking attempts.

Related

Find function file which is calling it and outputting in the error log as NOT FOUND

I am new to Google Compute Engine (GCP). I have limited knowledge of programming, yet I am hosting a WordPress website on my server.
The problem is, a few days back my site got hacked or accessed by someone else. I received a message from GCE customer support that my account would be suspended if I didn't stop using the server for mining cryptocurrency. Now I have no idea what he was talking about. Then I checked the files and could see lots of foreign files. He is apparently using my server to mine crypto, though with nothing malicious or disruptive to the server..
As I have lots of edited and custom files and I don't have backup files, my best option was to manually check and remove all those foreign files.. I have removed almost all the files, but there are still files continuously being called from somewhere else, some function or something, that is leaving NOT FOUND errors in error.log and access.log.. Looks like cron jobs or something.. I have no idea where it's coming from.. I am just trying to find the file that is executing those functions.
error.log file:
[Tue Nov 13 15:03:34.595848 2018] [:error] [pid 31561] [client 66.249.66.150:47822] script '/var/www/example.com/tozeowi.php' not found or unable to $
[Tue Nov 13 15:05:56.744506 2018] [core:error] [pid 31587] [client 176.9.23.3:36328] AH00124: Request exceeded the limit of 10 internal redirects due to probable configurat$
Access.log file:
"GET /joapow1ok/tozeowi.php?serhtr=morgan-stanley-health-insurance-benefits'A=0 HTTP/1.1" 404 3621 "https://www.example.com/joapow1ok/tozeowi.php?"
If someone can help me find the file causing that GET request to execute.. Or is there any Linux function to figure it out?
Note: I have disabled many plugins and my theme, yet no luck.. I have 3 websites in the same directory and all got infected.

Quickbooks woocommerce sync web connector

I am using a plugin called Quickbooks Integration Woocommerce. I am having some problems getting this to work correctly. There is a more recent version of the plugin, however I cannot purchase it as it is out of stock for some reason.
I also found this Github repository, which seems to be very similar to the plugin, written by the same author. However, I am not going to lie: I am in over my head. This is my first run at something like this and I can't seem to figure it out.
So I am hoping that if I post my error logs, someone can help point me in the direction needed and possibly provide me with some answers.
For those that are not aware: you install the plugin and generate a .QWC file. You then upload that file to QuickBooks Web Connector and it will sync up your WooCommerce products.
Here is my .QWC file:
<?xml version="1.0"?>
<QBWCXML>
<AppName>WooCommerce QuickBooks Connector</AppName>
<AppID></AppID>
<AppURL>https://my-site.com/?qbconnector=A2DRnLfb8qrU</AppURL>
<AppDescription>QuickBooks Connector for Woocommerce.</AppDescription>
<AppSupport>https://my-site.com/?qbconnector=support</AppSupport>
<UserName>ply-quickbooks-connection</UserName>
<OwnerID>{ADA96507-86F1-4FCC-B1FF-166DE1813D21}</OwnerID>
<FileID>{ADA96507-86F1-4FCC-B1FF-966DE1813D21}</FileID>
<QBType>QBFS</QBType>
<Notify>false</Notify>
<IsReadOnly>false</IsReadOnly>
</QBWCXML>
When I make the connection with QuickBooks Web Connector it seems to connect and authenticate. Then it proceeds to say "SendRequestXML failed". Here is the log file: https://jsfiddle.net/m8berLyu/. The thing that stood out to me is:
0161026.22:43:22 UTC : QBWebConnector.SOAPWebService.do_sendRequestXML() : QBWC1041: SendRequestXML failed.
Error message: Response is not well-formed XML.
And I have no clue what that means.
Here are my error logs from the server:
[Wed Oct 26 23:23:23.100819 2016] [:error] [pid 10927] [client ] PHP Notice: wpdb::prepare was called <strong>incorrectly</strong>. The query argument of wpdb::prepare() must have a placeholder. Please see Debugging in WordPress for more information. (This message was added in version 3.9.0.) in /nas/content/live/ply/wp-includes/functions.php on line 3996, referer: https://my-site.com/wp-admin/plugins.php?plugin_status=all&paged=1&s
[Wed Oct 26 23:23:45.015771 2016] [:error] [pid 10926] [client ] PHP Notice: unserialize(): Error at offset 65529 of 65535 bytes in /nas/content/live/ply/wp-content/plugins/woocommerce-quickbooks/QuickBooks/WebConnector/Handlers.php on line 756
[Wed Oct 26 23:35:09.153751 2016] [:error] [pid 312] [client ] PHP Notice: unserialize(): Error at offset 65532 of 65535 bytes in /nas/content/live/ply/wp-content/plugins/woocommerce-quickbooks/QuickBooks/WebConnector/Handlers.php on line 756
[Wed Oct 26 23:38:37.273773 2016] [:error] [pid 466] [client ] PHP Notice: wpdb::prepare was called <strong>incorrectly</strong>. The query argument of wpdb::prepare() must have a placeholder. Please see Debugging in WordPress for more information. (This message was added in version 3.9.0.) in /nas/content/live/ply/wp-includes/functions.php on line 3996, referer: https://my-site.com/wp-admin/admin.php?page=quickbooks_setup&tab=sod_qbconnector_setup
And finally the code on line 756 on Handlers.php:
$extra = '';
if ($next['extra'])
{
//Line 756 below
$extra = unserialize($next['extra']);
}
As always, any help at all is greatly appreciated. I am not unfamiliar with PHP, but I am completely a noob when it comes to this specifically. Please let me know if any other information is needed.
Thank You.
Cheers,
Sean
I also found This Github repository Which seems to be very similar to the plugin. Written by the same author.
It's actually not written by the same author (source: I'm the author).
I built the core library. They took it (it's open source, so that's cool) and then wrote a lot of their own "glue" code to integrate QuickBooks with WooCommerce.
Then it proceeds to say "SendRequestXML failed".
Error message: Response is not well-formed XML.
Anytime you see this, it means there's something wrong with the PHP "glue" code.
WooCommerce is doing something bad/incorrect in their code.
Did you contact WooCommerce support and tell them their integration with QuickBooks is broken? You should.
This:
[Wed Oct 26 23:35:09.153751 2016] [:error] [pid 312] [client ] PHP Notice: unserialize(): Error at offset 65532 of 65535 bytes in /nas/content/live/ply/wp-content/plugins/woocommerce-quickbooks/QuickBooks/WebConnector/Handlers.php on line 756
Is a really good clue! Go you for debugging like this, that's awesome!
65535 bytes is the maximum size of a MySQL text column. If you look in your database, I bet that WooCommerce is building extremely large XML documents (exactly what they should NOT be doing) and trying to store them in MySQL (probably in the quickbooks_queue SQL table).
They should not be doing this. If they are storing XML in the quickbooks_queue table, then they are doing things wrong.
You might be able to temporarily fix your issue by changing the SQL quickbooks_queue.extra column to a longtext type. It's a terrible hack to get around WooCommerce's broken implementation, but it might work/be worth a try.
Failing that, your first step should be to talk to WooCommerce support. Tell them to reach out to me if they need help -- I'd be happy to help! I talk to people all the time that suffer from their broken implementation, and would be happy to help them improve it!
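The answer above pins the unserialize() notices on a serialized value that was cut off at the 65535-byte limit of a MySQL TEXT column. The following is an added example, not code from the plugin or from the QuickBooks library; it reproduces that failure mode in plain PHP (the shape of the queue payload and the table layout are assumptions) and shows the two defensive checks worth having: a size check before the INSERT and an unserialize() call that fails closed.

```php
<?php
// Added example, not the plugin's or the QuickBooks library's code. It reproduces the
// failure behind "unserialize(): Error at offset 6553x of 65535 bytes": a MySQL TEXT column
// holds at most 65535 bytes, so a longer serialized value is cut off (silently in non-strict
// SQL mode) and can no longer be unserialized. The payload shape and table layout are assumed.

const MYSQL_TEXT_MAX = 65535;

/** What a TEXT column does to an oversized value in non-strict mode: keeps the first 65535 bytes. */
function store_in_text_column(string $value): string
{
    return substr($value, 0, MYSQL_TEXT_MAX);
}

/** Build a queue "extra" payload of the assumed shape: a serialized array carrying a large XML document. */
function build_extra(int $xml_bytes): string
{
    $xml = '<?xml version="1.0"?><QBXML>' . str_repeat('<Item>x</Item>', intdiv($xml_bytes, 14)) . '</QBXML>';
    return serialize(['ticket' => 'abc123', 'xml' => $xml]);
}

/** Check before the INSERT instead of finding out at unserialize() time. */
function fits_text_column(string $blob): bool
{
    return strlen($blob) <= MYSQL_TEXT_MAX;
}

/**
 * Unserialize defensively: null instead of a notice plus false when the blob is damaged.
 * allowed_classes => false also rules out object injection should the column ever be attacker-influenced.
 */
function safe_unserialize(string $blob): ?array
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// A small payload survives the column; a 100 KB one is truncated and can no longer be read back.
foreach ([1000, 100000] as $size) {
    $blob   = build_extra($size);
    $stored = store_in_text_column($blob);
    printf("payload %6d bytes, fits TEXT: %-3s, stored %5d bytes, unserialize: %s\n",
        strlen($blob), fits_text_column($blob) ? 'yes' : 'no', strlen($stored),
        safe_unserialize($stored) === null ? 'FAILS' : 'ok');
}
```

The workaround the answer suggests corresponds to something like `ALTER TABLE quickbooks_queue MODIFY extra LONGTEXT` (the exact column definition is an assumption, so check the schema first). Note that with a strict `sql_mode` (the MySQL default since 5.7) the oversized INSERT is rejected with "Data too long" rather than truncated, which is the louder and safer failure; the silent truncation seen here is what a non-strict mode does.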

Error 500 No Http response code found

joomla - 2.5.18
php - 5.4.12
apache - 2.4.4
mysql - 5.6.12
I am trying to post data to a particular URL and get the response. Here is my code:
jimport('joomla.http');

$data = array('foo' => 'bar'); // sample data array
$transport = null;
$transportWrappers = array('JHttpTransportCurl', 'JHttpTransportStream', 'JHttpTransportSocket');
$moduleParams = new JRegistry();

// Try each transport in turn; move on to the next one if construction throws
while (!$transport && $transportWrappers)
{
    try
    {
        $wrapper = array_shift($transportWrappers);
        $transport = new $wrapper($moduleParams);
    }
    catch (Exception $e)
    {
        continue;
    }
}

$http = new JHttp($moduleParams, $transport);
$url = 'my_url';
$response = $http->post($url, $data);
print_r($response);
I have also checked other forums with the same problem; they suggested checking the #_update_sites table. My table is fine, no unknown data is there.
I am unable to figure out where the problem is. I tried the same code for a different URL. It worked.
I don't think there is a problem with my URL.
Here is my Apache error log:
[Wed Mar 26 13:50:51.154818 2014] [:error] [pid 4504:tid 1664] [client ::1:51174] PHP 13. JHttp->post() C:\wamp\www\joomla\components\com_name\views\abc\tmpl\default.php:70
[Wed Mar 26 13:50:51.154818 2014] [:error] [pid 4504:tid 1664] [client ::1:51174] PHP 14. JHttpTransportCurl->request() C:\wamp\www\joomla\libraries\joomla\http\http.php:122
[Wed Mar 26 13:50:51.154818 2014] [:error] [pid 4504:tid 1664] [client ::1:51174] PHP 15. JHttpTransportCurl->getResponse() C:\wamp\www\joomla\libraries\joomla\http\transport\curl.php:134
Please help here.
[UPDATED]
It was a WAMP version problem; I tried the same code in XAMPP and it worked.
Introduction
The Web server (running the Web Site) encountered an unexpected condition that prevented it from fulfilling the request by the client (e.g. your Web browser or our CheckUpDown robot) for access to the requested URL.
This is a 'catch-all' error generated by the Web server. Basically something has gone wrong, but the server can not be more specific about the error condition in its response to the client. In addition to the 500 error notified back to the client, the Web server should generate some kind of internal error log which gives more details of what went wrong. It is up to the operators of the Web server site to locate and analyse these logs. (Last updated: October 2013)
Fixing 500 errors - general
This error can only be resolved by fixes to the Web server software. It is not a client-side problem. It is up to the operators of the Web server site to locate and analyse the logs which should give further information about the error.
Fixing 500 errors - CheckUpDown
Our service monitors your site for HTTP errors like 500. Please contact us (email preferred) whenever you encounter 500 errors on your CheckUpDown account. We then have to liaise with your ISP and the vendor of the Web server software so they can trace the exact reason for the error. Correcting the error may require recoding program logic for the Web server software, which could take some time.

ModSecurity maximum post limits (PCRE limit errors)

I've been having tonnes of issues with Mod Security. I am busy writing a CMS for a project at work and while developing a page to edit a certain database record I kept getting 403 errors. After hours of banging my head against my desk, adjusting bits of code I finally just changed the script to which my form was being posted, to contain a simple echo "test";. Even submitting to this simple page was kicking up a 403 error. I messed about with my form and I eventually found that if I reduced the amount of data I was posting the form submitted fine (In particular I reduce the amount of text within a textarea).
After checking the logs (Yep, this wasn't the first thing I did - sigh) I noticed that I was getting numerous errors from ModSecurity, such as:
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//global": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//ip": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
I've been messing around, Googling and changing rules for days to no avail. The only thing I seem to be able to do is turn ModSecurity off for this vhost. This is fine by me while I'm developing the CMS, but in production this isn't really something I want to do. Does anyone have any ideas on what is causing this issue and how to sort it? The logs seem to point at some kind of rules to do with regular expression limits, but since changing my post-receiving script to just print out the word test I'm not doing anything with them (though I have tried upping the limits through SecPcreMatchLimit and SecPcreMatchLimitRecursion). It seems rather that there's something wrong with the amount of data I am sending through.
I've just resolved a similar issue, with a large post triggering PCRE limit errors in multiple rules. I feel it's wrong for mod-security to then flag the request as malicious just because it blew up!
I raised the two settings you mentioned from the default of 1,500 to 500,000, as advised in this post, and it solved my problem.
The default values for the PCRE Match limit are very, very low with ModSecurity. You can go to 500K usually without harming your set. But for your information: the PCRE Match limit is meant to reduce the chance for a DoS attack via Regular Expressions. So by raising the limit you raise your vulnerability in this regard, but the PCRE errors are much worse from a security perspective. I run with 500K in prod usually:
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/656
Also see
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecPcreMatchLimit
I had a similar issue with PCRE module a few weeks ago and it was related to backtrack_limits.
I assume SecPcreMatchLimit and SecPcreMatchLimitRecursion are related to mod_security, but did you try upping the values for pcre module in your php.ini file or during PHP execution time?
pcre.backtrack_limit and pcre.recursion_limit
You could also confirm if the issue is related to PCRE limits with the following function preg_last_error()
You can see more here: http://php.net/manual/en/function.preg-last-error.php
and here: http://www.php.net/manual/en/pcre.constants.php
I hope this helps.
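The last answer points at PHP's own pcre.backtrack_limit and at preg_last_error() as the way to tell a limit failure from a plain "no match". The block below is an added example, not code from any of the answers; it uses the pattern from the PHP manual's preg_last_error() page and shows the same symptom ModSecurity reported, but inside PHP. The helper names are invented for the example.

```php
<?php
// Added example, not from the answers above. Shows the PHP-side counterpart of the
// ModSecurity PCRE limits: a pattern that backtracks too much makes preg_match() return
// false, and only preg_last_error() tells "limit exhausted" apart from "no match".
// The pattern is the one used on the PHP manual page for preg_last_error().

/** Human-readable names for the PCRE error codes present in every PHP version since 5.2. */
function pcre_error_name(int $code): string
{
    $names = [
        PREG_NO_ERROR              => 'ok',
        PREG_INTERNAL_ERROR        => 'internal error',
        PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit exhausted (pcre.backtrack_limit)',
        PREG_RECURSION_LIMIT_ERROR => 'recursion limit exhausted (pcre.recursion_limit)',
        PREG_BAD_UTF8_ERROR        => 'malformed UTF-8 subject',
        PREG_BAD_UTF8_OFFSET_ERROR => 'offset not on a UTF-8 character boundary',
    ];
    return $names[$code] ?? "unknown error $code";
}

/**
 * Run a regex and distinguish the three outcomes a caller must not conflate:
 * matched, did not match, or could not be evaluated because a PCRE limit was hit.
 * Treating the third case as "did not match" is exactly how a filter fails open.
 */
function match_with_limit_check(string $pattern, string $subject): array
{
    $result = preg_match($pattern, $subject);
    $code   = preg_last_error();
    return [
        'matched' => $result === 1,
        'limited' => $code !== PREG_NO_ERROR,
        'reason'  => pcre_error_name($code),
    ];
}

$pattern = '/(?:\D+|<\d+>)*[!?]/';
$subject = 'foobar foobar foobar';

// A deliberately small limit makes the failure reproducible regardless of the PCRE build;
// the manual's example is chosen so that it exhausts the default 1,000,000 as well.
ini_set('pcre.backtrack_limit', '1000');
print_r(match_with_limit_check($pattern, $subject));

// With a much larger limit the engine finishes and reports an honest "no match" with no error.
ini_set('pcre.backtrack_limit', '1000000000');
print_r(match_with_limit_check($pattern, $subject));
```

The first call should come back with `limited` set and the backtrack-limit reason, the second with neither `matched` nor `limited`. SecPcreMatchLimit and SecPcreMatchLimitRecursion are the same two knobs inside ModSecurity's own rule engine; raising them there changes nothing for PHP's preg_* calls, and changing php.ini changes nothing for ModSecurity, which is the distinction the answer above draws.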

Concrete/Apache error logs

Has anyone ever seen the below error on a site running on Concrete CMS?
This is from the apache error log file
[Thu Jan 31 08:06:51 2013] [error] [client 41.56.88.53] File does not exist: /var/www/\r\n SomeCustomInjectedHeader:injected_by_wvs, referer: http://www.mysite.com:80/
[Thu Jan 31 08:06:51 2013] [error] [client 41.56.88.53] File does not exist: /var/www/\n SomeCustomInjectedHeader:injected_by_wvs, referer: http://www.mysite.com
Looks like some kind of injected file. Does anyone have any idea how I can find what is causing those entries in the error logs?
That has nothing to do with concrete5. It's a scan from an external source, looking for some sort of vulnerability.
This could be good (some hosting providers might do it to make sure you're not going to get hacked) or bad (someone looking for a machine to attack). But bad is relative. It's like returning to your car and seeing that someone touched your door handle.... If you watch your logs, you'll see plenty of blind attacks like this.
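Two of the threads on this page ask the same underlying question of an Apache error log: the "NOT FOUND" question earlier wants to know what is generating requests for a file that no longer exists, and the Concrete5 question wants to know what the `\r\n SomeCustomInjectedHeader` entries are. The block below is an added example, not code from any of the posts; it parses error-log lines in both the Apache 2.2 and 2.4 layouts and summarises them per client address, which answers the first question (a cron job or stray script on the box shows up as 127.0.0.1 or ::1, an external crawler or scanner does not) and flags the second (Apache writes control characters escaped, so a CR/LF header-injection probe appears as the literal text `\r\n` in the path). The sample lines and addresses are constructed.

```php
<?php
// Added example, not code from any post on this page. Parses Apache error-log entries
// (both the 2.2 "[date] [level] [client IP]" and the 2.4 "[date] [module:level] [pid N]
// [client IP:port]" layouts) and summarises, per client address, how many "missing file"
// hits it produced, whether the client is the server itself, and whether the request
// carried a scanner marker such as an injected CR/LF header. Sample lines are constructed.

const LOCAL_CLIENTS = ['127.0.0.1', '::1'];

/** Split one error-log line into its fields; returns null for lines in another format. */
function parse_error_log_line(string $line): ?array
{
    $line = rtrim($line, "\r\n");
    $re = '/^\[(?P<date>[^\]]+)\]\s+\[(?:(?P<module>[\w-]*):)?(?P<level>\w+)\]\s+'
        . '(?:\[pid (?P<pid>\d+)(?::tid \d+)?\]\s+)?\[client (?P<client>[^\]]*)\]\s*'
        . '(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'date'    => $m['date'],
        'level'   => $m['level'],
        'client'  => client_ip($m['client']),
        'msg'     => $m['msg'],
        'referer' => $m['referer'] ?? '',
    ];
}

/** Reduce "IP" or "IP:port" to the bare address; empty when Apache recorded no client. */
function client_ip(string $field): string
{
    $field = trim($field);
    if ($field === '' || filter_var($field, FILTER_VALIDATE_IP)) {
        return $field;                                // already bare (2.2 layout) or absent
    }
    $bare = preg_replace('/:\d+$/', '', $field);      // drop the trailing ":port" (2.4 layout)
    return filter_var($bare, FILTER_VALIDATE_IP) ? $bare : $field;
}

/** Tag an entry: request for a missing file? scanner probe marker? local origin? */
function classify_entry(array $e): array
{
    $missing = (bool) preg_match("/File does not exist|script '[^']*' not found/", $e['msg']);
    // Escaped control characters (literal backslash-r / backslash-n) inside a path mean
    // someone tried to smuggle a header; "injected_by" is the marker from the post above.
    $probe = strpos($e['msg'], '\\r') !== false || strpos($e['msg'], '\\n') !== false
          || stripos($e['msg'], 'injected_by') !== false;
    $local = in_array($e['client'], LOCAL_CLIENTS, true);
    return ['missing' => $missing, 'probe' => $probe, 'local' => $local];
}

/** Aggregate many lines into a per-client table for deciding what to look at first. */
function summarize(array $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        $e = parse_error_log_line($line);
        if ($e === null) {
            continue;
        }
        $key = $e['client'] === '' ? '(no client)' : $e['client'];
        if (!isset($out[$key])) {
            $out[$key] = ['entries' => 0, 'missing' => 0, 'probes' => 0, 'local' => false, 'paths' => []];
        }
        $c = classify_entry($e);
        $out[$key]['entries']++;
        $out[$key]['missing'] += (int) $c['missing'];
        $out[$key]['probes']  += (int) $c['probe'];
        $out[$key]['local']    = $c['local'];
        if ($c['missing'] && preg_match('#(/[^\s\']+)#', $e['msg'], $p)) {   // first path-like token
            $out[$key]['paths'][$p[1]] = true;
        }
    }
    return $out;
}

// Constructed sample log; addresses come from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24.
$sample = [
    '[Thu Jan 31 08:06:51 2013] [error] [client 203.0.113.5] File does not exist: /var/www/\r\n SomeCustomInjectedHeader:injected_by_wvs, referer: http://www.example.com:80/',
    "[Tue Nov 13 15:03:34.595848 2018] [:error] [pid 31561] [client 192.0.2.10:47822] script '/var/www/example.com/tozeowi.php' not found or unable to stat",
    "[Tue Nov 13 15:03:40.100000 2018] [:error] [pid 31562] [client ::1:51174] script '/var/www/example.com/tozeowi.php' not found or unable to stat",
    '[Tue Apr 02 06:24:11.179218 2019] [cgi:error] [pid 31625] [client 192.0.2.10:41576] AH01215: PHP Warning: Error while sending QUERY packet. PID=31986 in /home/admin/public_html/wp-includes/wp-db.php on line 1924: /usr/local/cpanel/cgi-sys/ea-php71, referer: http://www.example.com/profile',
];

foreach (summarize($sample) as $client => $row) {
    printf("%-14s entries=%d missing=%d probes=%d origin=%s %s\n",
        $client, $row['entries'], $row['missing'], $row['probes'],
        $row['local'] ? 'this server' : 'external', implode(' ', array_keys($row['paths'])));
}
```

Run against a real error.log (`summarize(file('/var/log/apache2/error.log'))`), the rows whose origin is "this server" are the ones to chase with crontab and process listings, because only something on the box can produce them; external rows with a high `missing` count are crawlers or scanners still requesting pages that were removed, and a non-zero `probes` count marks the scanner traffic the Concrete5 answer describes. One caveat: an IPv6 client logged as `addr:port` without brackets is ambiguous, and the helper falls back to the full field when it cannot recover a valid address.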
