Author |
Message |
dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1242
|
Posted:
Sat Jul 26, 2008 8:27 am |
|
Woke up this morning to all modules de-activated on one of my support production servers.
Latest RN and NS
Only thing left in the Main Menu was "Home", everything else was missing. Going into "Administration - Modules" all were de-activated and all of the custom names missing. Modules were still there, just not active. Editing and adding custom names back worked ok, nothing else amiss.
Anybody else see this before? May just be a "fluke" but I don't believe in "flukes" only deliberate flukes. No additional admins added in, no "blocks" registered by NS, etc. Truly a mystery and the red flag is now up.
Cheers, Jay |
Last edited by dad7732 on Sat Jul 26, 2008 4:20 pm; edited 1 time in total |
|
|
 |
Susann
Moderator

Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support
|
Posted:
Sat Jul 26, 2008 9:28 am |
|
Yes, someone reported this behavior a long time before. Maybe you can find his entry. I believe he thought first his site was hacked or something like that.
Can't remember, but I'm quite sure it had nothing to do with NukeSentinel. |
|
|
|
 |
dad7732

|
Posted:
Sat Jul 26, 2008 9:37 am |
|
I'll have a search at it and see what turns up again, didn't find anything the first time.
Cheers, Jay |
|
|
|
 |
dad7732

|
Posted:
Sat Jul 26, 2008 9:55 am |
|
First of all I need to learn to spell better when searching, found the thread but nothing there really applies.
However, I think I found the culprit. One IP was responsible for hundreds of failed attempts to read my htaccess file.
User IP can no longer access my server.
Cheers, Jay |
|
|
|
 |
warren-the-ape
Worker


Joined: Nov 19, 2007
Posts: 196
Location: Netherlands
|
Posted:
Sat Jul 26, 2008 3:29 pm |
|
dad7732 wrote: | However, I think I found the culprit. One IP was responsible for hundreds of failed attempts to read my htaccess file.
User IP can no longer access my server. |
Hmm? Could you explain that, it might be interesting for the rest of us  |
|
|
|
 |
dad7732

|
Posted:
Sat Jul 26, 2008 3:43 pm |
|
No idea how it actually could affect the modules DB but the 100's of lines one after the other in the server log pertaining to "too many open files .htaccess pcfg_xxxxx" could have caused it. This is a common error in Apache when the server is not configured to handle enough open files. It's akin to a DoS attack. How this may have affected this particular incident I don't know but it did appear in the server log at about the same time as the modules wipe-out.
Cheers
Except for my server info and time, this is the actual entry from the error log for the particular domain affected:
Code:
[client 117.195.224.61] (23)Too many open files in system: /.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
|
The count on that entry was exactly 512 lines and there is nothing wrong with the htaccess file. |
|
|
|
 |
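The pattern described in the post above, one client tied to hundreds of identical pcfg_openfile errors, can be pulled out of an error log with a short script. This is an added example, not part of the original thread; the Apache 2.2-style timestamp and level prefix, the sample addresses, the function names and the threshold of 100 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.2-style error-log line (assumed layout: timestamp, level, client).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"\((?P<errno>\d+)\)[^:]+: \S+ pcfg_openfile: ")
# Linux errno: 23 = ENFILE (system-wide file table), 24 = EMFILE (per process).
SCOPE = {23: "system-wide", 24: "per-process"}

def parse_line(line):
    """Return (timestamp, client_ip, errno) for a pcfg_openfile error, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["ip"], int(m["errno"])

def burst_report(lines, threshold=100):
    """Per-client summary for clients with at least `threshold` such errors."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            hits[parsed[1]].append((parsed[0], parsed[2]))
    report = {}
    for ip, events in hits.items():
        if len(events) >= threshold:
            times = [ts for ts, _ in events]
            report[ip] = {
                "count": len(events),
                "first": min(times),
                "last": max(times),
                "scopes": sorted({SCOPE.get(e, "other") for _, e in events}),
            }
    return report

def sample_log():
    """Constructed log: documentation IPs and invented timestamps."""
    tail = ": /.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable"
    head = "[Sat Jul 26 03:{:02d}:{:02d} 2008] [crit] [client {}] "
    lines = [head.format(i // 60, i % 60, "192.0.2.10")
             + "(23)Too many open files in system" + tail for i in range(512)]
    lines.append(head.format(30, 0, "198.51.100.7") + "(24)Too many open files" + tail)
    lines.append("[Sat Jul 26 03:31:00 2008] [error] [client 198.51.100.7] "
                 "File does not exist: /favicon.ico")
    return lines

if __name__ == "__main__": print(burst_report(sample_log()))
```

The first and last timestamps per client give the window to compare against when the modules were found deactivated and when the address landed in the block table.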
dad7732

|
Posted:
Sat Jul 26, 2008 4:24 pm |
|
Additional info I forgot to add. Can't get into my admin at the moment because of where I am at work - cookies disabled - but I can get into my DB. The IP I listed above sure enough is in the blocked_ip table with a reason of "10", which means that NS actually caught it, but why after 512 lines? No idea at the moment what a reason 10 is, but I suspect some sort of "harvest" maybe? Still, why this "may" have done the dirty deed escapes me; may just be a coincidence, who knows.
Cheers |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Mon Jul 28, 2008 5:27 am |
|
dad7732, the reason is that they were able to get that many requests in (yes, a DOS) before your timing was hit on the flood blocker.
And, yes, I believe you are right that we have found that if a site is so busy like this and *nuke is reading the modules directory but cannot complete that reading, it will deactivate everything after it. We have seen this before. |
|
|
|
 |
dad7732

|
Posted:
Mon Jul 28, 2008 5:42 am |
|
Just so long as it's not a hack that gets through, no problem, that's what a backup is for ...
Cheers |
|
|
|
 |
montego

|
Posted:
Mon Jul 28, 2008 5:48 am |
|
Unfortunately, DOS type attacks are very difficult to stop with application software. If someone floods you with a real "hack" attempt, that means two attacks are occurring at the same time. No-one can predict just how MySQL is going to behave or PHP or Apache. So, yes, that is what good backups are for... For true DOS protection, it really takes a concerted effort by the site owner AND the site's host. |
|
|
|
 |
|