How do I fix the Apache PHPSESSID error? - php

I am getting Apache errors from the AWS PHP library. Here is the error I am getting from the Apache error log file:
[Fri Aug 09 15:47:12 2013] [error] Failed to determine HOME directory after trying "sh: 1: cd: can't cd to ~" (exit code 2)
[Fri Aug 09 15:47:12 2013] [error] PHPSESSID f97oht9qlsuvknc45t075hohn5
[Fri Aug 09 15:47:12 2013] [error] f97oht9qlsuvknc45t075hohn5
[Fri Aug 09 15:47:12 2013] [error] f97oht9qlsuvknc45t075hohn5 =
I tried to fix the error with the help of these steps; after that I got the other 3 error lines:
[Fri Aug 09 15:47:12 2013] [error] PHPSESSID f97oht9qlsuvknc45t075hohn5
[Fri Aug 09 15:47:12 2013] [error] f97oht9qlsuvknc45t075hohn5
[Fri Aug 09 15:47:12 2013] [error] f97oht9qlsuvknc45t075hohn5 =
How do I fix these errors?
Thanks in advance for your help.

If you are using version 1.6.x of the SDK and explicitly providing credentials to the client object (instead of relying on the SDK's config discovery mechanism), then you could try using the AWS_DISABLE_CONFIG_AUTO_DISCOVERY constant to circumvent all of the self-discovery code.
You must define the constant before you include the SDK.
define('AWS_DISABLE_CONFIG_AUTO_DISCOVERY', true);
require '/path/to/sdk.class.php';
This will remove the need of the hack as described on isnoop's blog and may also resolve the issue with the other three lines showing up in your log (though I'm not sure why the SDK would cause those lines to appear).

Related

Understanding Drupal PHP Error Log

My developer team at General Motors has no PHP experience but we have to help with a Drupal/PHP site that went down. I took the 10 lines from the error logs that look important. Could anyone help us understand what's happening from these 10 lines? Any help is appreciated.
PHP Warning: Module 'hash' already loaded in Unknown on line 0
[Sun Jul 23 11:30:04 2017] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips configured -- resuming normal operations
[Sun Jul 23 11:30:05 2017] [notice] Graceful restart requested, doing restart
PHP Warning: Module 'hash' already loaded in Unknown on line 0
[Sun Jul 23 11:30:05 2017] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips configured -- resuming normal operations
[Sun Jul 23 11:30:39 2017] [error] [client 198.208.85.51] ALERT - possible memory corruption detected - unknown Hashtable destructor (attacker '198.208.85.51', file '/www/theblog/index.php', line 19), referer: https://theblog.com/
[Sun Jul 23 22:18:58 2017] [error] Hostname theblock.com. provided via SNI and hostname theblock.com provided via HTTP are different
[Sun Jul 23 22:18:58 2017] [error] Hostname theblock.com. provided via SNI and hostname theblock.com provided via HTTP are different
[Sun Jul 23 22:59:46 2017] [error] [client 198.208.85.51] PHP Fatal error: Call to a member function getElementsByTagName() on a non-object in /www/theblock/modules/filter/filter.module on line 1123
[Sun Jul 23 23:07:21 2017] [error] [client 198.208.85.51] PHP Fatal error: Call to a member function getElementsByTagName() on a non-object in /www/theblock/modules/filter/filter.module on line 1123
Recollecting what was last done might help to resolve your issue. Since the Apache error log shows the issue in the filter module, check the latest text format if you have updated it. (The failing point is when conversion happens from a DOM object back to an HTML snippet.) Also verify whether you installed any new module prior to this failure (if yes, try to disable that module using the DB).

php does not work always returns 500 error

I host 3 web sites on a VPS.
Each has a PHP test script:
a1.com/test.php
a2.com/test.php
a3.com/test.php
a1.com/test.php
a2.com/test.php
work well,
but when I call
a3.com/test.php
it always reports an error:
[Wed Jan 28 01:01:52.801563 2015] [fcgid:warn] [pid 27783] (104)Connection reset by peer: [client ***.***.27.***:50211] mod_fcgid: error reading data from FastCGI server
[Wed Jan 28 01:01:52.801651 2015] [core:error] [pid 27783] [client ***.***.27.***:50211] End of script output before headers: test.php
Your comments are welcome.
Speaking from personal experience, make sure that the directory/file permissions are set properly on a3.com/test.php. If not set properly, they can result in a 500 error.

Hitting Max Apache Connections - Am I Being Hacked? [closed]

There is some very strange activity happening on my server today. I am hitting Max Apache connections but cannot find anything that could be causing it (I don't think I am being DOS attacked or anything).
I checked my Apache logs and found some weird things.
First:
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] --2013-08-13 09:41:13-- http://heatinasnap.net/gs.txt, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] 2013-08-13 09:41:13 ERROR 404: Not Found., referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] , referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] --2013-08-13 09:41:31-- http://heatinasnap.net/gs.txt, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] 2013-08-13 09:41:31 ERROR 404: Not Found., referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] , referer: http://example.net/members
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] --2013-08-13 09:41:33-- http://heatinasnap.net/gs.txt, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] 2013-08-13 09:41:33 ERROR 404: Not Found., referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] , referer: http://example.net/forum/viewtopic.php?f=9&t=674
I have no idea what heatinasnap.net is (never heard of it).
And second, some sort of vulnerability scanner:
[Tue Aug 13 09:41:40 2013] [error] [client 220.248.145.30] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "55"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.mysite.net"] [uri "/"] [unique_id "UgpFpK339QIAAFT1Y2MAAAAC"]
[Tue Aug 13 09:41:41 2013] [error] [client 220.248.145.30] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "55"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "mysite.net"] [uri "/406.shtml"] [unique_id "UgpFpa339QIAAGfpU5MAAAUD"]
[Tue Aug 13 09:41:41 2013] [error] [client 220.248.145.30] File does not exist: /home/hellohel/public_html/406.shtm
Here is my current apache status:
CPU Usage: u147.51 s128.44 cu2247.28 cs0 - 146% CPU load
147 requests/sec - 2.3 MB/second - 16.4 kB/request
512 requests currently being processed, 0 idle workers
I did not see any MaxClient errors in Apache though. There is definitely something weird going on...can anyone provide some insight?
Update:
The cause of the apache hitting max-clients turned out to be a slowloris DOS attack, which was fixed with the apache Mod_Antiloris. Install instructions here:
http://www.hostingdiscussion.com/hardware-server-configuration/27399-installing-mod_antiloris-mitigate-slowloris-dos-attack.html
Update2:
I am not sure if it was luck or not, but the slowloris thing just solved it for a few minutes. It went back to 512 (max) connections shortly after. I am seeing some very high CPU load on simple scripts so I am wondering if it has something to do with handling large log files. One is just a css file taking up `24.66 CPU`. Check out just a few processes:
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-0 31154 0/45/45 R 23.85 3 1 0.0 0.47 0.47 ? ? ..reading..
0-0 31154 0/36/36 _ 24.66 0 1 0.0 0.43 0.43 81.152.251.175 mysite.net GET /css/dwn.css HTTP/1.1
0-0 31154 0/33/33 R 23.92 2 179 0.0 0.69 0.69 ? ? ..reading..
0-0 31154 0/1/1 W 0.07 119 0 0.0 0.00 0.00 117.102.163.190 mysite.net POST /includes/offers/ajax.php HTTP/1.1
0-0 31154 1/64/64 C 24.74 0 1 26.8 1.85 1.85 24.127.122.188 mysite.net GET /images/soc.png HTTP/1.1
0-0 31154 0/51/51 _ 24.87 0 899 0.0 0.78 0.78 86.111.144.194 mysite.net GET /includes/offers/window.php?file=57860&tooltip=true HTTP/1.
0-0 31154 0/18/18 R 11.00 77 1 0.0 0.27 0.27 ? ? ..reading..
It looks as though your site is opening remote files because those messages indicate that your Apache server is performing a look-up through DNS.
To look for bad code
You would need to figure out what method they're using to access the box. Then look into that code and try to find something out of the ordinary. They will typically use things like exec() and base64_decode() to hide the code, then you can grep for those. Also grep for things like fopen(), fread(), file_get_contents(), and even curl_init(). If you find any of these scripts in places where you're not expecting them, then that will be your exploit.
You should be able to look for outbound traffic on the box using something like conntrackd, ntop, argus, bro-ids, and sancp.
Attempt at a quick fix
Go into the php.ini file and check the system configuration settings for allow_url_fopen and allow_url_include. It looks as though someone is trying to get your site to open the txt file from their site (where the payload exists).
If those settings allow remote opening, then that's how they're causing this behavior. Someone more than likely opened a file on your server from their server and caused an exploit.
If they have code on your box, then you will need to wipe out the contents of the box and update the code from one of your back-ups once the php.ini file has been fixed. Otherwise they could try to change settings on the front-end with their already hosted code using things like ini_set.
Making no changes to the code or settings and restoring from backup will not prevent the behavior. Additionally, you can use something like IPtables to block all outbound requests to heatinasnap.net and its resolved IP [173.254.28.65].
If you're using something like file_get_contents it will be disabled by making this change. cURL on the other hand uses its own libraries and is not going to be affected by the change. Any code on the server can still use cURL though, (even if it's not yours).
Update for DOS Attack
Since you think this is a DOS instead, you might try using mod_reqtimeout. Good settings would be:
RequestReadTimeout header=10 body=30
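The two checks this answer describes (the allow_url_* settings in php.ini and a search of the code tree for the listed function calls), written out as an added example that is not part of the original answer. The sample php.ini text and file tree are constructed, and the list of file suffixes is an assumption:

```python
import re
import tempfile
from pathlib import Path

# Calls named in the answer above; ini_set is included because the answer
# notes it can change settings at runtime.
SUSPECT_CALLS = ("exec", "base64_decode", "fopen", "fread",
                 "file_get_contents", "curl_init", "ini_set")
# Skip method calls ($db->exec), static calls and longer names (curl_exec).
CALL_RE = re.compile(r"(?<![\w>$:])(" + "|".join(SUSPECT_CALLS) + r")\s*\(")


def remote_open_settings(ini_text):
    """Return the effective allow_url_* flags from php.ini text."""
    state = {"allow_url_fopen": True, "allow_url_include": False}  # PHP defaults
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ; comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in state:
            state[key] = value.strip("\"'").lower() in ("1", "on", "true", "yes")
    return state


def scan_tree(root, suffixes=(".php", ".phtml", ".inc")):
    """List (relative path, line number, function) for every suspect call."""
    root, hits = Path(root), []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            for match in CALL_RE.finditer(line):
                hits.append((path.relative_to(root).as_posix(), lineno, match.group(1)))
    return hits


# Constructed sample input (not taken from the question).
SAMPLE_INI = 'allow_url_fopen = On\nallow_url_include = "1"  ; should be Off\n'
SAMPLE_TREE = {
    "forum/index.php": "<?php\n$db->exec('DELETE FROM cache');\n$r = curl_exec($ch);\n",
    "images/cache.php": "<?php\n$code = base64_decode($blob);\nexec($code);\n",
    "notes.txt": "exec( in a non-PHP file is ignored\n",
}


def demo():
    """Write the constructed tree to a temp dir and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_TREE.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return remote_open_settings(SAMPLE_INI), scan_tree(tmp)


if __name__ == "__main__":
    settings, hits = demo()
    print(settings)
    for path, lineno, func in hits:
        print(f"{path}:{lineno}: {func}()")
```

Hits are leads to review rather than verdicts: most of these functions also appear in legitimate code, so what matters is a call in a directory where no script should exist.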

Soap WS with WSF/PHP as client and .NET as server

I have to call a SOAP WS on a .Net server, using (from my customer documentation)
SOAP 1.1
WS-Addressing (August 2004)
WS-Security 1.1
WS-Trust (February 2005)
WS-SecureConversation (February 2005)
WS-SecurityPolicy 1.1
I use WSO2 WSF/PHP (wso2-wsf-php-src-2.1.0.zip file), here is my client
function appel($rec_cert, $pvt_key, $sUrl)
{
    $reqPayloadString = <<<XML
<ns1:echo xmlns:ns1="http://wso2.org/wsfphp/samples"><text>Hello World!</text></ns1:echo>
XML;
    $sPolicy = dirname(__FILE__) . '/policy.xml';
    $sAction = "http://www.aaa.fr/SendMessage";
    $reqMessage = new WSMessage($reqPayloadString, array("to" => $sUrl, "action" => $sAction));
    $policy_xml = file_get_contents($sPolicy);
    $policy = new WSPolicy($policy_xml);
    $sec_token = new WSSecurityToken(array("privateKey" => $pvt_key, "receiverCertificate" => $rec_cert));
    $client = new WSClient(array(
        "useSOAP" => 1.1,
        "useWSA" => 1.0,
        "policy" => $policy,
        "securityToken" => $sec_token,
    ));
    $resMessage = $client->request($reqMessage);
    printf("Response = %s \n", $resMessage->str);
}
On my local webservice, it runs fine, but it just throws an exception "Error , NO Response Received" on my customer's preproduction server. I just don't use the same keys and certificates, as I do not have the customer's secret key.
Here is my local webservice:
<?php
function echoFunction($inMessage) {
    $returnMessage = new WSMessage($inMessage->str);
    return $returnMessage;
}
$pub_key = ws_get_cert_from_file("/var/www/samples/security/keys/alice_cert.cert");
$pvt_key = ws_get_key_from_file("/var/www/samples/security/keys/bob_key.pem");
$operations = array("echoString" => "echoFunction");
$actions = array("http://www.aaa.fr/SendMessage" => "echoString");
$policy = new WSPolicy(file_get_contents("policy.xml"));
$sec_token = new WSSecurityToken(array("privateKey" => $pvt_key, "receiverCertificate" => $pub_key));
$svr = new WSService(array(
    "actions" => $actions,
    "operations" => $operations,
    "policy" => $policy,
    "securityToken" => $sec_token));
$svr->reply();
The big problem is that this error happened for a non-existent URL, a different policy between client and server, and several other errors I can create on my server.
Here is a first piece of evidence, from wsf_php_client.log:
[Mon Jan 28 15:49:02 2013] [error] assertion_builder.c(510) [neethi] Unknown Assertion RampartConfig with namespace http://ws1.apache.org/rampart/policy
[Mon Jan 28 15:49:02 2013] [error] engine.c(548) [neethi] Assertion creation failed from element.
[Mon Jan 28 15:49:02 2013] [error] engine.c(145) [neethi] All creation failed
[Mon Jan 28 15:49:02 2013] [error] engine.c(473) [neethi] All creation failed from element.
[Mon Jan 28 15:49:02 2013] [error] engine.c(190) [neethi] Exactlyone creation failed.
[Mon Jan 28 15:49:02 2013] [error] engine.c(496) [neethi] Exactlyone creation failed from element.
[Mon Jan 28 15:49:02 2013] [error] engine.c(285) [neethi] Policy creation failed.
and a second one (I am searching about this)
[Mon Jan 28 16:18:13 2013] [info] Starting addressing out handler
[Mon Jan 28 16:18:13 2013] [debug] http_transport_sender.c(241) ctx_epr:https://recette.customer.fr/securit.svc
[Mon Jan 28 16:18:13 2013] [debug] http_transport_sender.c(776) using axis2 native http sender.
[Mon Jan 28 16:18:13 2013] [debug] http_sender.c(494) msg_ctx_id:urn:uuid:ef0a33e6-695d-1e21-2453-d43d7e273c95
[Mon Jan 28 16:18:13 2013] [debug] http_transport_utils.c(3794) No session map stored
[Mon Jan 28 16:18:13 2013] [info] [ssl client] CA certificate not specified
[Mon Jan 28 16:18:13 2013] [error] ssl/ssl_utils.c(50) Cannot find certificates
[Mon Jan 28 16:18:13 2013] [error] ssl/ssl_stream.c(99) Error occurred in SSL engine
[Mon Jan 28 16:18:13 2013] [error] http_client.c(294) Data stream creation failed for Host recette.customer.fr and 443 port
[Mon Jan 28 16:18:13 2013] [error] http_client.c(560) Client data stream null or socket error for host recette.customer.fr and 443 port
[Mon Jan 28 16:18:13 2013] [error] http_client.c(562) A read attempt(HTTP) for the reply without sending the request
[Mon Jan 28 16:18:13 2013] [error] http_sender.c(1303) status_code < 0
[Mon Jan 28 16:18:13 2013] [error] engine.c(171) Transport sender invoke failed
[Mon Jan 28 16:18:13 2013] [error] /home/cedric/wso2-wsf-php-src-2.1.0/src/wsf_client.c(1696) [WSF/PHP] Response Payload NULL( Error number and code) => : 76 :: A read attempt(HTTP) for the reply without sending the request
Where can I find more information to resolve my problem? I already asked the customer to tell me if he has any trace of my WS calls (but I still have no answer for now).
I think your server doesn't start SSL communication with the remote server. This can happen if it cannot trace its certificate to a root certificate authority that it knows (see https://en.wikipedia.org/wiki/Root_certificate).
Usually you can either disable this check (if you would use CURL, for example), or better, provide the path to the ca.crt file. By default Apache should know where it is; for example, its configuration might include
SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/keys/ca.crt"
(as mentioned in http://wso2.org/library/articles/ssl-enabled-web-services-apache-axis2-c)

I cannot log in after installing MODX Revolution

After installing MODX Revolution I cannot log in - just a blank page is displayed. My setup: MODX downloaded from git, PHP 5.3, Apache 2.2, OS ubuntu.
In apache error log I see this message:
[Sun Sep 04 08:03:12 2011] [error] PHP Fatal error: Call to a member function render() on a non-object in /var/www/modx/manager/controllers/default/welcome.class.php on line 64
[Sun Sep 04 08:03:12 2011] [error] PHP Stack trace:
[Sun Sep 04 08:03:12 2011] [error] PHP 1. {main}() /var/www/modx/manager/index.php:0
[Sun Sep 04 08:03:12 2011] [error] PHP 2. modManagerRequest->handleRequest() /var/www/modx/manager/index.php:71
[Sun Sep 04 08:03:12 2011] [error] PHP 3. modManagerRequest->prepareResponse() /var/www/modx/core/model/modx/modmanagerrequest.class.php:124
[Sun Sep 04 08:03:12 2011] [error] PHP 4. modManagerResponse->outputContent() /var/www/modx/core/model/modx/modmanagerrequest.class.php:173
[Sun Sep 04 08:03:12 2011] [error] PHP 5. modManagerController->render() /var/www/modx/core/model/modx/modmanagerresponse.class.php:106
[Sun Sep 04 08:03:12 2011] [error] PHP 6. WelcomeManagerController->process() /var/www/modx/core/model/modx/modmanagercontroller.class.php:133
Actually, Paul Graffam is right in the comments, when building from git (either through a clone or download from github), you need to run transport.core.php as well as some other things the first time you do it.
Specific instructions can be found here: http://rtfm.modx.com/display/revolution20/Git+Installation
An alternative if you don't want to go through those steps is to download a nightly build from http://modx.com/download/nightlies/ - you can install them as normal there.
(Realise I'm a bit late to the question, but figured others might stumble across it in the future and there's no answer yet)
