Thank you Lisa!

It's Drupal 7 and is up to date.

On 2014-12-02 19:18, Lisa Kachold wrote:
Keith:  

These are not due to hackers; although if you are running an older
version of Drupal or a heavily customized code base, it's a good bet
you are targeted.  All phishing, most database encroachment tools
and certainly all rogue security scanners include the option to spoof
source addresses. Asia is a commonly used spoofed locale.  Don't rely
on locking out one of these scripts, rather than fix your security
issues or upgrade your CMS.

The 403 errors are due to CCK module or configuration for caching (or
can be caused by a hosting provider using mod_security):
 https://www.drupal.org/node/110219 [3]


/node/add either does not exist or a guest does not have permission to access. Would not a 403 error be in order? I'm thinking just by the nature of someone trying to access /node/add means they are up to no good.

It seems counterintuitive to tone down the mod_security settings. I don't care about the 403 entries in the logs. I just want to understand what is taking place.



Your httprl_async_function_callback error is a caching configuration
issue in Drupal; not in and of itself a hacking attempt:
https://www.drupal.org/node/2079561 [4]


I have seen https://www.drupal.org/node/2079561, however I think it may require a little more attention - thanks!

On Tue, Dec 2, 2014 at 1:58 PM, Keith Smith
<[email protected]> wrote:

Hi,

Last night the LAMP server that serves our Drupal install
crashed.  It had too many available processes and ran out of
memory.  Reduced the number of available Apache processes and
everything settled down.  Early this morning the server crashed
again from what looked like a hack attempt. Data center directed the
offending IP to NULL?? Problem solved.  Server is behaving.

In looking at the log files I find two things that I need help
understanding.  Please understand I am not a Drupal developer - I
am just responsible for it....

I'm seeing a bunch of 403 errors for trying to access /node/add -
is this a new exploit?  What is this?

Also I am seeing lines that contain the following:

xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-" "Drupal (+http://drupal.org/ [1])"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/ [1])"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/ [1])"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/ [1])"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/ [1])"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-" "Drupal (+http://drupal.org/ [1])"

Any idea what this is?

Thank you so much for your help!!

--
Keith Smith
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss [2]



Links:
------
[1] http://drupal.org/
[2] http://lists.phxlinux.org/mailman/listinfo/plug-discuss
[3] https://www.drupal.org/node/110219
[4] https://www.drupal.org/node/2079561

--
Keith Smith
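
Added example, not part of the original thread: a small triage script for the two log patterns discussed above (403 responses on /node/add and POSTs to /httprl_async_function_callback). It assumes Apache combined log format; the sample lines, the addresses in them and the `server_ips` parameter are constructed for illustration. It classifies the callback requests by source address rather than by the "Drupal" User-Agent, since a client can send any User-Agent it likes.

```python
import re
from collections import Counter

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-" "Drupal (+http://drupal.org/)"
192.0.2.10 - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
203.0.113.7 - - [02/Dec/2014:02:41:05 -0800] "GET /node/add HTTP/1.1" 403 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2014:02:41:06 -0800] "GET /node/add/page HTTP/1.1" 403 1234 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Dec/2014:02:41:09 -0800] "GET /node/add HTTP/1.1" 403 1234 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Dec/2014:02:41:10 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
203.0.113.7 - - [02/Dec/2014:02:41:12 -0800] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def triage(log_text, server_ips):
    """Count denied /node/add probes per client and split httprl callbacks
    into requests from the server's own addresses and from anywhere else."""
    report = {"node_add_403": Counter(), "httprl_self": 0,
              "httprl_external": Counter(), "unparsed": 0}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            report["unparsed"] += 1   # keep a count so odd lines are not silently lost
            continue
        path = m["path"].split("?", 1)[0]
        if m["status"] == "403" and (path == "/node/add" or path.startswith("/node/add/")):
            report["node_add_403"][m["host"]] += 1
        elif path == "/httprl_async_function_callback":
            if m["host"] in server_ips:
                report["httprl_self"] += 1
            else:
                report["httprl_external"][m["host"]] += 1
    return report

if __name__ == "__main__":
    # server_ips: the web server's own addresses (assumed value for the sample)
    result = triage(SAMPLE_LOG, {"192.0.2.10"})
    for key, value in result.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

A non-empty `httprl_external` count is the entry worth a closer look; many 403s on /node/add from one client show the permission check denying the request.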