Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
There is some very strange activity happening on my server today. I am hitting Max Apache connections but cannot find anything that could be causing it (I don't think I am being DOS attacked or anything).
I checked my Apache logs and found some weird things.
First:
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] --2013-08-13 09:41:13-- http://heatinasnap.net/gs.txt, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] 2013-08-13 09:41:13 ERROR 404: Not Found., referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] , referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] --2013-08-13 09:41:31-- http://heatinasnap.net/gs.txt, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] 2013-08-13 09:41:31 ERROR 404: Not Found., referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] , referer: http://example.net/members
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] --2013-08-13 09:41:33-- http://heatinasnap.net/gs.txt, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] 2013-08-13 09:41:33 ERROR 404: Not Found., referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] , referer: http://example.net/forum/viewtopic.php?f=9&t=674
I have no idea what heatinasnap.net is (never heard of it).
And second, some sort of vulnerability scanner:
[Tue Aug 13 09:41:40 2013] [error] [client 220.248.145.30] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "55"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.mysite.net"] [uri "/"] [unique_id "UgpFpK339QIAAFT1Y2MAAAAC"]
[Tue Aug 13 09:41:41 2013] [error] [client 220.248.145.30] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "55"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "mysite.net"] [uri "/406.shtml"] [unique_id "UgpFpa339QIAAGfpU5MAAAUD"]
[Tue Aug 13 09:41:41 2013] [error] [client 220.248.145.30] File does not exist: /home/hellohel/public_html/406.shtm
Here is my current apache status:
CPU Usage: u147.51 s128.44 cu2247.28 cs0 - 146% CPU load
147 requests/sec - 2.3 MB/second - 16.4 kB/request
512 requests currently being processed, 0 idle workers
I did not see any MaxClient errors in Apache though. There is definitely something weird going on...can anyone provide some insight?
Update:
The cause of the apache hitting max-clients turned out to be a slowloris DOS attack, which was fixed with the apache Mod_Antiloris. Install instructions here:
http://www.hostingdiscussion.com/hardware-server-configuration/27399-installing-mod_antiloris-mitigate-slowloris-dos-attack.html
Update2:
I am not sure if it was luck or not, but the slowloris thing just solved it for a few minutes. It went back to 512 (max) connections shortly after. I am seeing some very high CPU load on simple scripts so I am wondering if it has something to do with handling large log files. One is just a css file taking up `24.66 CPU`. Check out just a few processes:
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-0 31154 0/45/45 R 23.85 3 1 0.0 0.47 0.47 ? ? ..reading..
0-0 31154 0/36/36 _ 24.66 0 1 0.0 0.43 0.43 81.152.251.175 mysite.net GET /css/dwn.css HTTP/1.1
0-0 31154 0/33/33 R 23.92 2 179 0.0 0.69 0.69 ? ? ..reading..
0-0 31154 0/1/1 W 0.07 119 0 0.0 0.00 0.00 117.102.163.190 mysite.net POST /includes/offers/ajax.php HTTP/1.1
0-0 31154 1/64/64 C 24.74 0 1 26.8 1.85 1.85 24.127.122.188 mysite.net GET /images/soc.png HTTP/1.1
0-0 31154 0/51/51 _ 24.87 0 899 0.0 0.78 0.78 86.111.144.194 mysite.net GET /includes/offers/window.php?file=57860&tooltip=true HTTP/1.
0-0 31154 0/18/18 R 11.00 77 1 0.0 0.27 0.27 ? ? ..reading..
It looks as though your site is opening remote files because those messages indicate that your Apache server is performing a look-up through DNS.
To look for bad code
You would need to figure out what method they're using to access the box. Then look into that code and try to find something out of the ordinary. They will typically use things like exec() and base64_decode() to hide the code, then you can grep for those. Also grep for things like fopen(), fread(), file_get_contents(), and even curl_init(). If you find any of these scripts in places where you're not expecting them, then that will be your exploit.
You should be able to look for outbound traffic on the box using something like conntrackd, ntop, argus, bro-ids, and sancp.
Attempt at a quick fix
Go into the php.ini file and check the system configuration settings for allow_url_fopen and allow_url_include. It looks as though someone is trying to get your site to open the txt file from their site (where the payload exists).
If those settings allow remote opening, then that's how they're causing this behavior. Someone more than likely opened a file on your server from their server and caused an exploit.
If they have code on your box, then you will need to wipe out the contents of the box and update the code from one of your back-ups once the php.ini file has been fixed. Otherwise they could try to change settings on the front-end with their already hosted code using things like ini_set.
Making no changes to the code or settings and restoring from backup will not prevent the behavior. Additionally, you can use something like IPtables to block all outbound requests to heatinasnap.net and its resolved IP [173.254.28.65].
If you're using something like file_get_contents it will be disabled by making this change. cURL on the other hand uses its own libraries and is not going to be affected by the change. Any code on the server can still use cURL though, (even if it's not yours).
Update for DOS Attack
Since you think this is a DOS instead, you might try using mod_reqtimeout. Good settings would be:
RequestReadTimeout header=10 body=30
Related
My developer team at General Motors has no PHP experience but we have to help with a Drupal/PHP site that went down. I took the 10 lines from the error logs that look important. Could anyone help us understand what's happening from these 10 lines? Any help is appreciated.
PHP Warning: Module 'hash' already loaded in Unknown on line 0
[Sun Jul 23 11:30:04 2017] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips configured -- resuming normal operations
[Sun Jul 23 11:30:05 2017] [notice] Graceful restart requested, doing restart
PHP Warning: Module 'hash' already loaded in Unknown on line 0
[Sun Jul 23 11:30:05 2017] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips configured -- resuming normal operations
[Sun Jul 23 11:30:39 2017] [error] [client 198.208.85.51] ALERT - possible memory corruption detected - unknown Hashtable destructor (attacker '198.208.85.51', file '/www/theblog/index.php', line 19), referer: https://theblog.com/
[Sun Jul 23 22:18:58 2017] [error] Hostname theblock.com. provided via SNI and hostname theblock.com provided via HTTP are different
[Sun Jul 23 22:18:58 2017] [error] Hostname theblock.com. provided via SNI and hostname theblock.com provided via HTTP are different
[Sun Jul 23 22:59:46 2017] [error] [client 198.208.85.51] PHP Fatal error: Call to a member function getElementsByTagName() on a non-object in /www/theblock/modules/filter/filter.module on line 1123
[Sun Jul 23 23:07:21 2017] [error] [client 198.208.85.51] PHP Fatal error: Call to a member function getElementsByTagName() on a non-object in /www/theblock/modules/filter/filter.module on line 1123
Recollecting what was last done might help to resolve your issue. Since in apache error log the showing issue in filter module, check for latest text format if you have updated. (The failing point is when conversion happens from a DOM object back to an HTML snippet). Also verify if you have installed any new module prior to this failure.(if yes try to disable that module using db)
I have encountered "zend_mm_heap corrupted" Error on my app server.
error_log trace is below
[Fri Oct 16 23:25:57 2015] [error] [client "client ip"] zend_mm_heap corrupted
[Fri Oct 16 23:25:57 2015] [error] [client "client ip"] Premature end of script headers: index.php
[Fri Oct 16 23:25:57 2015] [error] [client "client ip"] zend_mm_heap corrupted
[Fri Oct 16 23:25:57 2015] [error] [client "client ip"] Premature end of script headers: index.php
[Fri Oct 16 23:25:58 2015] [error] [client "client ip"] zend_mm_heap corrupted, referer: http://domain/
[Fri Oct 16 23:25:58 2015] [error] [client "client ip"] Premature end of script headers: index.php, referer: http://domain/
[Fri Oct 16 23:25:58 2015] [error] [client "client ip"] zend_mm_heap corrupted, referer: http://domain/
[Fri Oct 16 23:25:58 2015] [error] [client "client ip"] Premature end of script headers: index.php, referer: http://domain/
I tried different approach bu no luck. Any Idea how this problem can be fixed.
Thanks in advance
Update : Issue is resolved now.
Made two changes in app server to clear the issues.
One reinstalled the frame work used in the server. that resolved the issue of zend_mm_heap.
Secondly removed unwanted extension of homeloader.so from php.ini to end the error of Premature end of script headers: index.php.
I am getting the Apache Errors from AWS PHP Library, Here is the error I am getting from Apache error log file,
[Fri Aug 09 15:47:12 2013] [error] Failed to determine HOME directory after trying "sh: 1: cd: can't cd to ~" (exit code 2)
[Fri Aug 09 15:47:12 2013] [error] PHPSESSID f97oht9qlsuvknc45t075hohn5
[Fri Aug 09 15:47:12 2013] [error] f97oht9qlsuvknc45t075hohn5
[Fri Aug 09 15:47:12 2013] [error] f97oht9qlsuvknc45t075hohn5 =
I tried to fix the error with the help of these steps, after that I got the other 3 lines errors,
[Fri Aug 09 15:47:12 2013] [error] PHPSESSID f97oht9qlsuvknc45t075hohn5
[Fri Aug 09 15:47:12 2013] [error] f97oht9qlsuvknc45t075hohn5
[Fri Aug 09 15:47:12 2013] [error] f97oht9qlsuvknc45t075hohn5 =
How do I fix these errors?
Thanks for advance help.
If you are using version 1.6.x of the SDK and explicitly providing credentials to the client object (instead of relying the SDK's config discovery mechanism), then you could try using the AWS_DISABLE_CONFIG_AUTO_DISCOVERY constant to circumvent all of the self-discovery code.
You must define the constant before you include the SDK.
define('AWS_DISABLE_CONFIG_AUTO_DISCOVERY', true);
require '/path/to/sdk.class.php';
This will remove the need of the hack as described on isnoop's blog and may also resolve the issue with the other three lines showing up in your log (though I'm not sure why the SDK would cause those lines to appear).
I am not sure if this is related to PHP code/Joomla plugin/component or server issue so to go and post my question at serverfault.
I have a dedicated server running CentOS release 6.4 (Final) and CPanel 11.38.1 (build 15) with [Apache/2.2.24 (Unix) PHP/5.2.17] and recently we had brute force attacks which were causing system hangs with messages like "HANG: chkservd on server". After setting up a DenyHosts and changing ssh default port the server stabilized for some days until it started to suddenly hang with no specific errors in logs nor any email notifications.
The server runs just one website but with some traffic (about 2000 visitors per day) and a large Joomla database. The site was up and running flawlessly since March 2013, until two weeks ago.
After investigating, I have noticed that the error_log under the public_html (default Joomla site directory) size was over 200MB but with no specific error messages but just lines with date/time and zeros "0"!
[24-Jul-2013 12:09:18] 0
[24-Jul-2013 12:09:18] 0
[24-Jul-2013 12:09:18] 0
[24-Jul-2013 12:09:19] 0
[24-Jul-2013 12:09:19] 0
[24-Jul-2013 12:09:19] 0
[24-Jul-2013 12:09:19] 0
[24-Jul-2013 12:09:20] 0
[24-Jul-2013 12:09:26] 0
[24-Jul-2013 12:09:26] 0
[24-Jul-2013 12:09:30] 0
Almost every second, thousand lines like those above!
Sometimes the site crashes with "jos-Error: Application Instantiation Error" and some other times with an error:
PHP Fatal error: Call to a member function get() on a non-object in ...
which is due to database issues when Joomla tries to load params from the database and it fails.
I have setup a backup of the site on a local windows server machine with apache and php installed [Apache/2.2.19 (Win32) PHP/5.3.6] and these zero "0" errors also spawn on every site call with some more details in \Apache2\logs\error.log like:
[Wed Jul 24 14:42:32 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/
[Wed Jul 24 14:42:32 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/
[Wed Jul 24 14:42:32 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/
[Wed Jul 24 14:42:33 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/
[Wed Jul 24 14:42:33 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/
[Wed Jul 24 14:42:33 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/
[Wed Jul 24 14:42:56 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/mousiki
[Wed Jul 24 14:42:56 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/mousiki
[Wed Jul 24 14:42:56 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/mousiki
[Wed Jul 24 14:42:57 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/mousiki
[Wed Jul 24 14:42:57 2013] [error] [client 192.168.1.66] 0, referer: http://virtdev.ose.domain.com/mousiki
thus I assume it is not server related, but Joomla site related from a plugin/component.
Also, we have scanned the site with online site scanners and plain file search with antivirus tools for bot injections with no positive results.
How we can locate what is causing these zeros as errors?
Finally I found what is/was causing these zero errors.
First of all, to locate what was spawning these errors I did a grep to all sites php files for the php function error_log() (http://php.net/manual/en/function.error-log.php), which writes directly the string argument message without any other information like filename, line numbers etc. At the results I saw there was an error_log(0); at a Joomla plugin that it was enabled. After opening the plugin php file, I figured out that it was my addition in order to debug something and I've had totally forgotten there. So, after deleting the line there was no more zero character errors. I don't even remember what I wanted to achieve by that call, it doesn't make any sense at all. Maybe I wanted to use error_reporting(0) to disable all errors and mistyped.
And to make it clear, these errors were not related and responsible at all for the server crash/hang. I fixed the crashes by creating a new database and restoring the backup file, so, the old database was damaged.
Now, after 24 hours, there was no crashes/hangs and everything works perfect again.
EDIT:
After some further investigation, I have realized that this error_log(0) was not my addition and it was already there when I installed the plugin! The plugin/component is Joooid, an Android client for Joomla (http://www.joooid.com). The code is located at the plg_joooidcontent inside joooidcontent.php:
...
/**
* #since 1.6
*/
public function onContentPrepare($context, &$row, &$params, $page=0)
{
error_log(0);
//echo "<pre>";
$row ->text = $this->executeTokens($row->text);
//print_r($row);
//die();
}
...
Even now it is there with the latest release. I will send them a link to this question so to inform them about it.
My wordpress is behaving strangely, after I changed the php handler to fcgi
[Sat Dec 03 02:13:06 2011] [warn] [client 66.249.72.226] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Sat Dec 03 02:13:06 2011] [error] [client 66.249.72.226] Premature end of script headers: index.php
[Sat Dec 03 02:18:11 2011] [warn] [client 94.139.59.97] mod_fcgid: read data timeout in 40 seconds, referer: http://www.domain.com/wp-admin/upload.php
[Sat Dec 03 02:18:11 2011] [error] [client 94.139.59.97] Premature end of script headers: admin.php, referer: http://www.domain.com/wp-admin/upload.php
[Sat Dec 03 02:18:18 2011] [warn] mod_fcgid: process 24965 graceful kill fail, sending SIGKILL
How can i Fix this? I made the php-handler change via cPanel, along with a php upgrade to 5.3.8.
You need to play with your FCGI settings in order to fix this. This usually speaks of the fcgi scripts dying too fast.
Check out http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html for more information. For a start you could use:
FcgidMinProcessesPerClass 0
FcgidMaxProcessesPerClass 8
FcgidMaxProcesses 150
FcgidIdleTimeout 60
FcgidProcessLifeTime 120
FcgidIdleScanInterval 30