Michael Lazin on 18 Jan 2010 20:01:48 -0800



Re: [PLUG] Strange Apache behavior


P.S., if you want to find this hack try this: 

zgrep -h POST access.log* | grep " 200 " | grep administrator/index.php | awk '{print $1}' | sort -u

It will output a nice list of all of the IPs that have posted to your Joomla admin page, and you can do whois lookups on the IPs if you like.

On Mon, Jan 18, 2010 at 10:58 PM, Michael Lazin <microlaser@gmail.com> wrote:
Have you taken a look at your access logs?  How up to date are your Joomla installs?  Have you seen this:

http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html
and this
http://www.milw0rm.com/exploits/6234

I still see customers of ours cracked this way every day.  Joomla hacks are the back door to getting PHP shells and rootkits.  I believe Ubuntu 6.06, although a long term support edition, is still a version that you can't get security patches for.  You would be better off security-wise running Ubuntu 8.04.  Just my two cents.

On Mon, Jan 18, 2010 at 10:15 PM, Eric <eric@lucii.org> wrote:
Jonathan:

This server hosts about 6 Joomla instances.  We're not aware of any items that hang, but that is a good idea and I'll look into it.  I have not used mod_status; I turned it on for my IP address and it's very good!

I'll see if I can get the various conf files.

Thanks,
Eric

Jonathan Schwehm wrote:
Eric,
 
We're running 2.2.x, but will see this behavior every now and then.  We have dynamic websites (running in a Tomcat container) and when that hangs, the front-end Apache process runs out of available client connections (as users continue to hit our site).  Clients eventually time out and their browser looks like it's hanging (when it's really just waiting on httpd).
 
Does your friend serve up any dynamic content or run scripts that may hang and eat up available client connections?
 
Does he have the status mod enabled? (http://httpd.apache.org/docs/2.0/mod/mod_status.html)
 
His httpd.conf (and any conf files in conf.d) would be helpful.
 
Jonathan


From: Eric <eric@lucii.org>
To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sent: Mon, January 18, 2010 6:12:34 PM
Subject: [PLUG] Strange Apache behavior

I have a client who has called me for assistance with a strange Apache
web server problem.

Apache has run fine for six or more months but in the last two weeks has
started to fail once or twice a day.  The failure mode is odd... the
server runs normally, logging accesses and errors like everything was
fine but it appears that no pages are actually leaving the server and
going to the client - the client browsers time out.

Simply restarting Apache restores it to normal operation.

Has anyone seen anything like this?
Where do I look for evidence of what's happening?
The Apache logs, as well as /var/log/messages and /var/log/syslog, don't
show any glaring problems.

System:
VPS with 1 GB RAM
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=6.06
DISTRIB_CODENAME=dapper
DISTRIB_DESCRIPTION="Ubuntu 6.06.2 LTS"

apache2ctl -v reports:
Server version: Apache/2.0.55
Server built:  Nov 12 2009 23:17:17

It's a "reasonably" busy site but nothing extraordinary.
He's run apt-get update and apt-get upgrade so it's current.

Any suggestions are appreciated as he's stumped so he turned to me and
I'm stumped too!

Eric

--
#  Eric Lucas
#
#                "Oh, I have slipped the surly bond of earth
#                And danced the skies on laughter-silvered wings...
#                                        -- John Gillespie Magee Jr

___________________________________________________________________________
Philadelphia Linux Users Group        --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --  http://lists.phillylinux.org/mailman/listinfo/plug






--
Michael Lazin

ASCII ribbon campaign ( )
against HTML e-mail    X
                                    / \
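
A field-aware variant of the access-log search from the P.S. at the top of this message, added here as an example and not part of the original thread. It matches on the request method, path and status fields instead of grepping the whole line, so a referrer, user-agent or byte count that happens to contain "POST", " 200 " or the admin path is not counted. It assumes Apache common/combined log format; the function names `admin_post_ips` and `sample_log` are hypothetical and the log lines are constructed.

```shell
#!/bin/sh
# Added example: count successful POSTs to the Joomla admin page per client IP.
# Assumes Apache common/combined log format; function names are hypothetical.

# Print "count ip" for each client whose request was a POST to
# /administrator/index.php answered with status 200, busiest first.
# Reads the named logs (plain or gzip-compressed), or stdin if none are given.
admin_post_ips() {
    if [ "$#" -gt 0 ]; then
        gzip -cdf -- "$@"
    else
        cat
    fi | awk '
        # $6 = "METHOD   $7 = request path   $9 = status code
        $6 == "\"POST" && $9 == 200 {
            path = $7
            sub(/\?.*/, "", path)          # ignore the query string
            if (path ~ /\/administrator\/index\.php$/) hits[$1]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation-range addresses).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [18/Jan/2010:20:01:48 -0500] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Jan/2010:20:01:50 -0500] "POST /administrator/index.php?option=com_login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jan/2010:20:02:03 -0500] "POST /administrator/index.php HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jan/2010:20:02:09 -0500] "POST /administrator/index.php HTTP/1.1" 403 200 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jan/2010:20:03:11 -0500] "GET /index.php HTTP/1.1" 200 900 "http://example.test/administrator/index.php" "POST-checker"
203.0.113.9 - - [18/Jan/2010:20:03:15 -0500] "GET /administrator/index.php HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
EOF
}

sample_log | admin_post_ips
```

Against real logs, pass the files as arguments, for example `admin_post_ips access.log*`; the per-IP counts make a handful of admin logins easy to tell apart from a client posting hundreds of times.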


