Hi!
Thanks for your efforts! I investigated a bit further myself, and it
seems the server is currently attacked by hackers, script kiddies or I
don't know what, but I guess either by brute force or by exploiting some
weakness in my system, they manage to DOS the system.
Here's some of the stuff I found in the logs. It all happens on a
Midgard-powered vhost, but I don't know if there is any connection:
91.134.10.202 - - [03/Jul/2007:07:17:44 +0200] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H
(and so on for ever, triggered an error "request failed: URI too long
(longer than 8190)")
requests for non-existent pages, like
91.134.10.202 - - [03/Jul/2007:07:17:44 +0200] "POST _vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 302 249 "-" "-"
62.141.39.73 - - [03/Jul/2007:12:47:47 +0200] "GET /board/search.php HTTP/1.0" 404 5230 "-" "-"
83.71.248.164 - - [03/Jul/2007:14:20:58 +0200] "GET /ADMIN/main.php HTTP/1.0" 302 234 "-" "-"
85.25.141.150 - - [03/Jul/2007:16:37:16 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
They are especially looking for phpmyadmin, but all requests I've seen
simply produce 404 or other errors like:
[Tue Jul 03 14:22:33 2007] [error] [client 83.71.248.164] Invalid URI in request GET read_dump.phpmain.php HTTP/1.0
[Tue Jul 03 16:37:18 2007] [error] [client 85.25.141.150] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
So, from what I can tell my server is holding up ok for the moment
(except of course for the fact that it's grabbing all system resources
and then becomes unresponsive), and the number of requests I can see in
the log files is not big enough for a real DOS attack. I've also run
chkrootkit and found nothing suspicious. If anyone has other ideas what
I might try, please let me know!
Bye,
Andreas
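As an added illustration (not part of the thread), the following Python script triages constructed Apache access-log lines modelled on the entries quoted above: it parses each line, flags the scanner indicators visible in the mail (known probe paths, a non-standard WebDAV method, a binary/oversized path), and groups request and error counts per client IP so a busy host can be told apart from a handful of noisy scanners.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the entries quoted in the mail above.
SAMPLE_LOG = r'''
91.134.10.202 - - [03/Jul/2007:07:17:44 +0200] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H HTTP/1.1" 414 0 "-" "-"
91.134.10.202 - - [03/Jul/2007:07:17:44 +0200] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 302 249 "-" "-"
62.141.39.73 - - [03/Jul/2007:12:47:47 +0200] "GET /board/search.php HTTP/1.0" 404 5230 "-" "-"
83.71.248.164 - - [03/Jul/2007:14:20:58 +0200] "GET /ADMIN/main.php HTTP/1.0" 302 234 "-" "-"
83.71.248.164 - - [03/Jul/2007:14:21:02 +0200] "GET /phpmyadmin/main.php HTTP/1.0" 404 210 "-" "-"
85.25.141.150 - - [03/Jul/2007:16:37:16 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
10.0.0.5 - - [03/Jul/2007:16:40:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
'''

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Probe paths taken from the mail; matched case-insensitively as substrings.
PROBE_MARKERS = ("w00tw00t", "_vti_bin", "phpmyadmin", "/admin/")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    return {"ip": m.group("ip"), "method": parts[0] if parts else "",
            "path": parts[1] if len(parts) > 1 else "",
            "status": int(m.group("status")), "ua": m.group("ua")}

def classify(entry):
    """List the scanner indicators present in a single parsed request."""
    reasons = []
    if any(marker in entry["path"].lower() for marker in PROBE_MARKERS):
        reasons.append("known-probe-path")
    if entry["method"] not in ("GET", "POST", "HEAD"):
        reasons.append("unusual-method:" + entry["method"])
    # Escaped \x90 bytes or a very long path, as in the SEARCH request above.
    if "\\x90" in entry["path"] or len(entry["path"]) > 1024:
        reasons.append("oversized-or-binary-path")
    return reasons

def triage(log_text):
    """Aggregate per client IP; keep only IPs that triggered at least one indicator."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "reasons": set()})
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        if e is None:
            continue
        rec = per_ip[e["ip"]]
        rec["requests"] += 1
        rec["errors"] += e["status"] >= 400
        rec["reasons"].update(classify(e))
    return {ip: rec for ip, rec in per_ip.items() if rec["reasons"]}
```

Run `triage(open("access.log").read())` against a real log to get the same per-IP summary; the benign `10.0.0.5` entry is dropped because it triggers no indicator.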
Piotr Pokora wrote:
> Hi!
>
>> Hi!
>> 15 Minutes later, I couldn't even reach the machine with SSH and had to
>> do a hard reset. Is there anything I could do to track this problem
>> down? Like I said, with 1.8.2.2, I never had any problems, but with the
>> upgrade, it started.
>
> I found a memory leak in legacy update calls.
> But I doubt it can trigger such a huge leak... unless you have a *gazillion*
> legacy updates during 15 minutes.
> I will investigate it further tomorrow.
> Piotras
_______________________________________________
user mailing list
[email protected]
http://lists.midgard-project.org/mailman/listinfo/user