Has anyone ever seen the error below on a site running on Concrete CMS?
This is from the Apache error log file:
[Thu Jan 31 08:06:51 2013] [error] [client 41.56.88.53] File does not exist: /var/www/\r\n SomeCustomInjectedHeader:injected_by_wvs, referer: http://www.mysite.com:80/
[Thu Jan 31 08:06:51 2013] [error] [client 41.56.88.53] File does not exist: /var/www/\n SomeCustomInjectedHeader:injected_by_wvs, referer: http://www.mysite.com
Looks like some kind of injected file. Does anyone have any idea how I can find out what is causing those entries in the error logs?
That has nothing to do with concrete5. It's a scan from an external source, looking for some sort of vulnerability.
This could be good (some hosting providers might do it to make sure you're not going to get hacked) or bad (someone looking for a machine to attack). But bad is relative. It's like returning to your car and seeing that someone touched your door handle.... If you watch your logs, you'll see plenty of blind attacks like this.
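One way to pick these blind probes out of a log rather than eyeballing them, as an added example that is not part of the original answer: the script below parses Apache 2.2-style error-log lines, flags "File does not exist" entries whose path carries a literal \r\n or \n (the CRLF header-injection probe shown above), extracts the header the scanner tried to smuggle, and counts probes per source address. The sample lines and the RFC 5737 addresses are constructed, modelled on the entries in the question.

```python
import re
from collections import Counter

# Apache 2.2-style error log entry: [timestamp] [level] [client ip] message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] '
    r'(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$'
)
# A literal "\r\n" or "\n" inside the requested path is a CRLF (header injection)
# probe: the scanner checks whether it can smuggle an extra header into a response.
CRLF_RE = re.compile(r'\\r\\n|\\n')

def parse_line(line):
    """Split one error-log line into ts, level, client and msg (None if not parseable)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Apache 2.4 writes [client ip:port]; keep only the address (IPv4 assumed)
    entry['client'] = (entry['client'] or '').rsplit(':', 1)[0]
    return entry

def is_crlf_probe(entry):
    msg = entry['msg']
    return msg.startswith('File does not exist:') and CRLF_RE.search(msg) is not None

def injected_header(entry):
    """Return the header the probe tried to smuggle (text after the CRLF, before ', referer:')."""
    tail = CRLF_RE.split(entry['msg'], maxsplit=1)[1]
    return tail.split(', referer:', 1)[0].strip()

def probes_by_client(lines):
    """Count CRLF probes per source address so repeat scanners stand out."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_crlf_probe(entry):
            counts[entry['client']] += 1
    return dict(counts)

# Constructed sample lines, modelled on the entries quoted in the question (RFC 5737 addresses)
SAMPLE = [
    r'[Thu Jan 31 08:06:51 2013] [error] [client 198.51.100.7] File does not exist: /var/www/\r\n SomeCustomInjectedHeader:injected_by_wvs, referer: http://www.mysite.com:80/',
    r'[Thu Jan 31 08:06:51 2013] [error] [client 198.51.100.7] File does not exist: /var/www/\n SomeCustomInjectedHeader:injected_by_wvs, referer: http://www.mysite.com',
    r'[Thu Jan 31 08:07:02 2013] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico',
]

if __name__ == '__main__':
    for ip, n in probes_by_client(SAMPLE).items():
        print(f'{ip}: {n} CRLF probe(s)')
```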
My Wordpress website was down due to a database connection error.
When I looked into the cPanel error log I saw around 100 rows that looked like these:
[Tue Apr 02 06:24:11.179218 2019] [cgi:error] [pid 31625] [client 50.3.196.173:41576] AH01215: PHP Warning: Error while sending QUERY packet. PID=31986 in /home/admin/public_html/wp-includes/wp-db.php on line 1924: /usr/local/cpanel/cgi-sys/ea-php71, referer: http://www.worldtravelawards.com/profile-4544-the-monte-carlo-beach
[Tue Apr 02 06:24:11.176124 2019] [cgi:error] [pid 31617] [client 196.247.235.184:60968] AH01215: PHP Warning: Error while sending QUERY packet. PID=31998 in /home/admin/public_html/wp-includes/wp-db.php on line 1924: /usr/local/cpanel/cgi-sys/ea-php71, referer: http://www.worldtravelawards.com/profile-3005-walt-disney-world-swan-and-dolphin-resort
The referer is an external domain that somehow is accessing my wp-db.php file, causing a database-related PHP error. I did some research and came across subjects like "Bandwidth theft" and "Database injection", but I couldn't really find a good answer to a similar situation.
Any ideas what it could be and how to prevent this from happening? Thanks in advance!
Referer does not mean anything.
An HTTP_REFERER is a header sent by a browser, primarily used for analytics, that shows where the user came from. In this example, a user clicked on a link on the http://www.worldtravelawards.com/profile-4544-the-monte-carlo-beach webpage that leads to your website. www.worldtravelawards.com is not their actual hostname.
See: Error while sending QUERY packet, for info about the PHP error.
Post Scriptum: Avoid posting actual IP addresses of your clients or domains of your website, because it may lead to hacking attempts.
I am new to Google Compute Engine (GCP). I have limited knowledge of programming, yet I am hosting a WordPress website on my server.
The problem is that a few days back my site got hacked or accessed by someone else. I received a message from GCE customer support that my account will be suspended if I don't stop using the server for mining cryptocurrency. I had no idea what he was talking about. Then I checked the files and could see lots of foreign files. Someone is apparently using my server to mine crypto, though nothing malicious or disruptive to the server is visible.
As I have lots of edited and custom files and I don't have backup files, my best option was to manually check and remove all those foreign files. I have removed almost all of them, but there are still files continuously being called from somewhere by some function or something, which leaves NOT FOUND errors in error.log and access.log. It looks like it's using cron jobs or something. I have no idea where it's coming from. I am just trying to find the file that is executing those functions.
error.log file:
[Tue Nov 13 15:03:34.595848 2018] [:error] [pid 31561] [client 66.249.66.150:47822] script '/var/www/example.com/tozeowi.php' not found or unable to $
[Tue Nov 13 15:05:56.744506 2018] [core:error] [pid 31587] [client 176.9.23.3:36328] AH00124: Request exceeded the limit of 10 internal redirects due to probable configurat$
Access.log file:
"GET /joapow1ok/tozeowi.php?serhtr=morgan-stanley-health-insurance-benefits'A=0 HTTP/1.1" 404 3621 "https://www.example.com/joapow1ok/tozeowi.php?"
Can someone help me find the file that is causing that GET request to be executed? Or is there any Linux function to figure it out?
Note: I have disabled many plugins and my theme, yet no luck. I have 3 websites in the same directory and all got infected.
I have a folder named test_codes, inside which are an HTML file (radioButton2.html) meant to submit to a PHP file (process_radioButton2.php).
The code runs without any output and there is no error message in the error log in the directory. However, when I, out of frustration, went into the general error log, I saw:
[Fri Jun 26 04:41:58 2015] [error] [client 41.190.3.14] File does not exist: /home/chuzymat/public_html/404.shtml, referer: http://www.chuzymatics.com/test_codes/process_radioButton2.php
Please, what could be wrong? Why is the file invisible even when I am sure it's there?
The path to the upload directory could be wrong, or it does not have read/write access. Share your code if you need more exact answers.
I've been having tonnes of issues with Mod Security. I am busy writing a CMS for a project at work, and while developing a page to edit a certain database record I kept getting 403 errors. After hours of banging my head against my desk and adjusting bits of code, I finally just changed the script to which my form was being posted to contain a simple echo "test";. Even submitting to this simple page was kicking up a 403 error. I messed about with my form and eventually found that if I reduced the amount of data I was posting, the form submitted fine (in particular, I reduced the amount of text within a textarea).
After checking the logs (yep, this wasn't the first thing I did - sigh) I noticed that I was getting numerous errors from ModSecurity, such as:
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//global": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//ip": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
I've been messing around, Googling and changing rules for days to no avail. The only thing I seem to be able to do is turn ModSecurity off for this vhost. This is fine by me while I'm developing the CMS, but in production this isn't really something I want to do. Does anyone have any ideas on what is causing this issue and how to sort it? The logs seem to point at some kind of rules to do with regular expression limits, but since changing my post-receiving script to just print out the word test I'm not doing anything with them (though I have tried upping the limits through SecPcreMatchLimit and SecPcreMatchLimitRecursion). It seems rather that there's something wrong with the amount of data I am sending through.
I've just resolved a similar issue, with a large post triggering PCRE limit errors in multiple rules. I feel it's wrong for mod-security to then flag the request as malicious just because it blew up!
I raised the two settings you mentioned to 500,000 from the default of 1,500, as advised in this post, and it solved my problem.
The default values for the PCRE Match limit are very, very low with ModSecurity. You can go to 500K usually without harming your set. But for your information: the PCRE Match limit is meant to reduce the chance of a DoS attack via Regular Expressions. So by raising the limit you raise your vulnerability in this regard, but the PCRE errors are much worse from a security perspective. I run with 500K in prod usually:
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/656
Also see
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecPcreMatchLimit
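A triage script for the ModSecurity entries quoted in the question, added here as an example and not code from either answer or from the ModSecurity project: it groups error-log lines by unique_id and reports which requests were denied only because the PCRE limit tripped the internal-error rule (TX:MSC_PCRE_LIMITS_EXCEEDED), so that case can be told apart from a genuine rule match before the limits are raised. The tag format shown above, the RFC 5737 client address and the placeholder unique_id values in the sample are assumptions.

```python
import re
from collections import defaultdict

# ModSecurity 2.x error-log entry: "[ts] [error] [client ip] ModSecurity: <message> [key "value"] ..."
PREFIX_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<body>.*)$'
)
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_modsec(line):
    """Return ts, client, message (text before the first tag) and a dict of tags, or None."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    first = TAG_RE.search(entry['body'])
    entry['tags'] = dict(TAG_RE.findall(entry['body']))
    entry['message'] = entry['body'][:first.start()].strip() if first else entry['body'].strip()
    return entry

def pcre_limit_denials(lines):
    """Per unique_id: how many PCRE-limit errors fired and whether the internal-error rule denied it."""
    reqs = defaultdict(lambda: {'uri': None, 'pcre_errors': 0, 'denied': False, 'rule': None})
    for line in lines:
        entry = parse_modsec(line)
        if not entry or 'unique_id' not in entry['tags']:
            continue
        r = reqs[entry['tags']['unique_id']]
        r['uri'] = entry['tags'].get('uri', r['uri'])
        msg = entry['message']
        if 'PCRE limits exceeded' in msg:
            r['pcre_errors'] += 1
        elif msg.startswith('Access denied') and 'MSC_PCRE_LIMITS_EXCEEDED' in msg:
            r['denied'] = True  # blocked by the internal-error check, not by an attack signature
            r['rule'] = f"{entry['tags'].get('file')}:{entry['tags'].get('line')}"
    return {uid: r for uid, r in reqs.items() if r['pcre_errors']}

# Constructed sample modelled on the question's log (placeholder unique_id values, RFC 5737 address)
SAMPLE = [
    '[Mon Aug 12 17:11:33 2013] [error] [client 192.0.2.5] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "cms.example"] [uri "/admin/index.php"] [unique_id "REQ-0001"]',
    '[Mon Aug 12 17:11:33 2013] [error] [client 192.0.2.5] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "cms.example"] [uri "/admin/index.php"] [unique_id "REQ-0001"]',
    '[Mon Aug 12 17:11:33 2013] [error] [client 192.0.2.5] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "cms.example"] [uri "/admin/index.php"] [unique_id "REQ-0001"]',
    '[Mon Aug 12 17:12:01 2013] [error] [client 192.0.2.5] ModSecurity: Failed to access DBM file "/etc/httpd/logs//ip": Permission denied [hostname "cms.example"] [uri "/admin/index.php"] [unique_id "REQ-0002"]',
]

if __name__ == '__main__':
    for uid, r in pcre_limit_denials(SAMPLE).items():
        print(uid, r)
```

Requests that show up here with denied=True and no other rule in their audit record were rejected for exhausting the PCRE budget on a large POST, which is the symptom the answers above address by raising SecPcreMatchLimit and SecPcreMatchLimitRecursion.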
I had a similar issue with the PCRE module a few weeks ago, and it was related to backtrack limits.
I assume SecPcreMatchLimit and SecPcreMatchLimitRecursion are related to mod_security, but did you try upping the values for the PCRE module in your php.ini file or at PHP execution time?
pcre.backtrack_limit and pcre.recursion_limit
You could also confirm whether the issue is related to PCRE limits with the function preg_last_error().
You can see more here: http://php.net/manual/en/function.preg-last-error.php
and here: http://www.php.net/manual/en/pcre.constants.php
I hope this helps.
[Wed Dec 12 23:23:09 2012] [warn] [client 31.22.4.214] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Wed Dec 12 23:23:09 2012] [error] [client 31.22.4.214] Premature end of script headers: index.php
[Wed Dec 12 23:31:20 2012] [error] mod_fcgid: process /home/www-data/php5-fcgi(32763) exit(communication error), get unexpected signal 7
I get these errors all the time in my APACHE logs. I am running a forum, and sometimes these errors get so severe that it returns a 500 error.
I am using APC, Debian OS, PHP5CGI, and MYSQL. Here is a list of the modules I am using on APACHE:
Link to image: i.stack.imgur(dot)com/bcrWn(dot)png
Could you please tell me what's wrong? Is this an APC issue?
I was getting the same random errors from three sites that were using APC extensively for both bytecode caching and other data using the W3 Total Cache plugin for Wordpress.
I disabled the APC caching on the sites, and the errors continued. Removing APC from the server, though, fixed it entirely. Since I researched this extensively and found almost no other incidences of "get unexpected signal 7" with PHP under mod_fcgid, I'm pretty confident that yes, your problem was probably caused by an APC issue.
I would imagine that you've already resolved your problem, since this question is over two months old, but hopefully this may help someone else who runs into the same error.
I was also seeing this error on a shared hosting environment using php-fcgi. APC is enabled but only being used on one site which wasn't generating the error.
It turned out the site with the error had exceeded their disk quota, something I discovered by accident when trying to update some files.
Increasing the disk quota for that site immediately resolved the issue.