deadl0ck (Hangin' Around; Joined: Apr 09, 2006; Posts: 44)
Posted: Wed Dec 13, 2006 4:31 pm
My hoster has taken my site down.
He reckons my site has some exploit against it because the CPU usage went high on the server, and my site got really slow.
This happened before and he thought it was some exploit against phpNuke, but all I did was clear down some spam from nuke_reviews_comments and I turned off HTTP Referers in PHPNuke, and the site seemed to be faster and he put it back up.
Anyhow, that was a few weeks ago.
Got another mail saying that it was happening again today and the site has gone down....
Anyhow - my access logs are full of entries like this:
Code:
68.151.8.66 - - [13/Dec/2006:07:13:32 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"
60.52.59.153 - - [13/Dec/2006:07:13:32 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"
58.69.136.16 - - [13/Dec/2006:07:13:35 -0800] "GET / HTTP/1.0" 200 - "http://photos.freehostgroup.com" "-"
222.252.102.205 - - [13/Dec/2006:07:13:35 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"
210.187.192.148 - - [13/Dec/2006:07:13:36 -0800] "GET / HTTP/1.0" 200 - "http://photos.freehostgroup.com" "-"
218.111.132.125 - - [13/Dec/2006:07:13:37 -0800] "GET / HTTP/1.0" 200 - "http://photos.freehostgroup.com" "-"
222.252.37.68 - - [13/Dec/2006:07:13:38 -0800] "GET / HTTP/1.0" 200 - "http://podcast.goldbuyhere.com" "-"
60.50.47.241 - - [13/Dec/2006:07:13:38 -0800] "GET / HTTP/1.0" 200 - "http://podcast.goldbuyhere.com" "-"
and
Code:
210.213.236.161 - - [12/Dec/2006:00:06:28 -0800] "GET / HTTP/1.0" 403 388 "http://places.globalartforum.com" "-"
203.210.199.247 - - [12/Dec/2006:00:06:33 -0800] "GET / HTTP/1.0" 403 388 "http://places.globalartforum.com" "-"
63.240.152.11 - - [12/Dec/2006:00:06:36 -0800] "GET /themes/Sunset/images/logo.gif HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible;)"
66.249.65.211 - - [12/Dec/2006:00:06:39 -0800] "GET /modules.php?name=News&file=print&sid=316 HTTP/1.1" 200 555 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
219.93.229.150 - - [12/Dec/2006:00:06:47 -0800] "GET / HTTP/1.0" 403 388 "http://photos.freehostgroup.com" "-"
203.84.184.246 - - [12/Dec/2006:00:06:49 -0800] "GET / HTTP/1.0" 403 388 "http://podcast.goldbuyhere.com" "-"
203.160.1.50 - - [12/Dec/2006:00:07:17 -0800] "GET / HTTP/1.0" 403 288 "http://places.globalartforum.com" "-"
60.50.37.16 - - [12/Dec/2006:00:07:35 -0800] "GET / HTTP/1.0" 403 388 "http://podcast.goldbuyhere.com" "-"
203.177.4.48 - - [12/Dec/2006:00:07:41 -0800] "GET / HTTP/1.0" 403 388 "http://places.globalartforum.com" "-"
I presume that all the 403 (Forbidden) HTTP responses came when he took the site down.....
Here's what my hoster has told me:
Quote: | The http process is what is using all the CPU.... the problem is that thousands of child processes are launched and it just makes the cpu go off the scale.
.....
The problem is that the http server doesn't get the information served quick enough to free itself up for the next request, so it spawns another process, and so on, etc... slow response from the DB could be causing this like last time, or a DOS attack, but when I checked the server status there didn't seem to be a huge amount of requests for your site. |
Can anybody shed some light as to what this might be, as it's the 2nd time it's happened.....
Thanks!
hitwalker (Sells PC To Pay For Divorce; Posts: 5661)
Posted: Wed Dec 13, 2006 5:52 pm
No, this isn't a DoS; if it was, you would know.
That pulls everything down; taking your site offline as for maintenance will not do...
The account has to be temporarily suspended...
That usually drops the connections... but takes at least 15 minutes to recover from the blow...
BTW, the posted info doesn't really help...
But the globalart link originates from the Czech Republic and the owner is Turkish; that means a bad combination...
Or you do have something vulnerable on your server, or you're getting bogus requests...
deadl0ck
Posted: Wed Dec 13, 2006 6:03 pm
What type of info should I look for, either from my hoster or in my logs, etc.?
hitwalker
Posted: Wed Dec 13, 2006 6:07 pm
Well, if it was an attack your logs (latest visits) would be filled....
But I doubt that...
Let your host help with the traffic stats....
That should show something....
If he's not too lazy he knows where to look... or not..
It would help if you post what your site is about, and what kind of NON-standard nuke modules you have installed.
deadl0ck
Posted: Wed Dec 13, 2006 6:23 pm
The logs got pretty full - they rolled over:
Code:
2944243 Dec 13 07:13 ../logs/access.log
17396570 Dec 13 00:09 ../logs/access.log.1
16826423 Dec 12 00:05 ../logs/access.log.2
17068145 Dec 11 00:04 ../logs/access.log.3
16524937 Dec 10 00:05 ../logs/access.log.4
16526706 Dec 9 00:05 ../logs/access.log.5
14403947 Dec 8 00:05 ../logs/access.log.6
11860449 Dec 7 00:05 ../logs/access.log.7
13276608 Dec 6 00:04 ../logs/access.log.8
13037974 Dec 5 00:04 ../logs/access.log.9
Non-standard modules I can think of:
Spam Stopper
Nuke Sentinel (part of Raven)
Nuke Treasury
Nuke Chat
In case I missed anything, here's my modules directory :
Code:
512 Jan 7 2006 Addon_Sample
512 Apr 10 2006 AutoTheme
512 Apr 9 2006 AvantGo
512 Apr 9 2006 Content
512 Apr 10 2006 Copy of Topics
512 Apr 22 2006 Donations
512 Apr 9 2006 Downloads
512 Apr 9 2006 Encyclopedia
512 Apr 9 2006 FAQ
512 Apr 10 2006 Feedback
1536 Apr 10 2006 Forums
512 Apr 10 2006 Groups
512 Jan 7 2006 Guestbook
1024 Apr 10 2006 Journal
512 Apr 9 2006 Members_List
512 Apr 9 2006 News
512 Jan 7 2006 NukeChat
512 Apr 10 2006 NukeSentinel
512 Apr 3 2006 Nuke_
512 Apr 10 2006 Private_Messages
512 Apr 10 2006 Recommend_Us
512 Apr 9 2006 Reviews
512 Apr 9 2006 Search
512 Jan 7 2006 Sections
512 Dec 4 08:28 Spam_Stopper
512 Apr 9 2006 Statistics
512 Apr 9 2006 Stories_Archive
512 Apr 9 2006 Submit_News
512 Apr 9 2006 Surveys
512 Apr 9 2006 Top
512 Apr 9 2006 Topics
512 May 9 2004 WebMail
512 Apr 9 2006 Web_Links
512 Apr 10 2006 Your_Account
2560 Jan 7 2006 gallery
0 Apr 10 2006 index.html
512 Apr 10 2006 rwsMetAuthors
The site links to other sites that have ROM images for MAME (Multiple Arcade Machine Emulator). I also have forums that help people with MAME problems.
It gets about 1000+ unique visitors per day.
Are these the traffic stats you want?
Any suggestions/ideas would be great!
hitwalker
Posted: Wed Dec 13, 2006 6:52 pm
Well, I don't see anything that weird....
The only thing that can cause it somehow is the chat or the gallery...
As you don't know, these 2 mods can be abused, especially when people hotlink...
Just put the site back online and let your host keep an eye on things, including the traffic... preferably per module...
manunkind (Client; Joined: Apr 26, 2004; Posts: 368; Location: Albuquerque, NM)
Posted: Wed Dec 13, 2006 8:39 pm
What module is Nuke_?
deadl0ck
Posted: Thu Dec 14, 2006 3:06 am
Don't know what "Nuke_" is.
Here's a listing of it:
Code:
512 Apr 3 2006 blocks
512 Apr 3 2006 images
512 Apr 3 2006 menu
1449 Apr 3 2006 menuvar.php
512 Apr 3 2006 modules
512 Apr 3 2006 style
512 Apr 3 2006 table
47993 Apr 3 2006 theme.php
1016 Apr 3 2006 themevar.php
Looks like it's a partial backup of the standard root dir, but I'm not sure....
The chat and gallery are irrelevant to the site really - how would I remove these modules?
Is it just a matter of removing their corresponding module dirs?
deadl0ck
Posted: Thu Dec 14, 2006 5:12 am
Are there any other log files that would help?
I have access to the access.log and error.log...
hitwalker
Posted: Thu Dec 14, 2006 6:41 am
montego (Site Admin; Joined: Aug 29, 2004; Posts: 9457; Location: Arizona)
Posted: Thu Dec 14, 2006 7:09 am
deadl0ck, I just removed the user and group information out of your listings above! NO-ONE has any business knowing what these are and you need to be careful posting that kind of info out in public... ;)
deadl0ck
Posted: Fri Dec 15, 2006 4:32 am
Quote: | deadl0ck, I just removed the user and group information out of your listings above! NO-ONE has any business knowing what these are and you need to be careful posting that kind of info out in public... ;) |
Sorry and thanks!!
Quote: | Your site still offline? |
I've just checked and it's back up now. I was at a wedding all day yesterday so I didn't get a chance to check anything (I wasn't in any state to check anything).
Anyhoo, my hoster has put it back up now.
Can anyone tell me how to remove a module - do I just delete the module directory?
montego
Posted: Sat Dec 16, 2006 7:32 am
Quote: | Can anyone tell me how to remove a module - do I just delete the module directory? |
Yes, remove it from the modules directory, and you may also want to go to Admin --> Modules just to make sure you no longer see it there. However, you also have to consider what tables may still be left behind and/or whether the module install involved any other "hacks" to core nuke tables and/or scripts; in that case the removal is quite a bit more complex.
Guardian2003 (Site Admin; Joined: Aug 28, 2003; Posts: 6799; Location: Ha Noi, Viet Nam)
Posted: Sat Dec 16, 2006 8:15 am
I presume you have these added to Spam Stopper's blacklist?
Quote: | places.globalartforum.com
photos.freehostgroup.com
podcast.goldbuyhere.com |
I see you have the very old WebMail module installed; you should get rid of that immediately, and you might want to consider getting rid of the chat module.
If you need help, please PM me your stuff - admin log-in, ftp log-in and a log-in so I can access your database (cPanel log-in is fine).
deadl0ck
Posted: Sun Dec 17, 2006 11:44 am
Hi guys,
Thanks for all the advice.
I'm gonna remove the chat module and gallery module.
Is it possible for me to block the referrer in the .htaccess, or should I just do it through Spam Stopper?
Guardian2003
Posted: Sun Dec 17, 2006 12:08 pm
Blocking them in htaccess is more efficient.
deadl0ck
Posted: Sun Dec 17, 2006 1:12 pm
How do I block a referrer in the .htaccess?
Is it similar to the "libperl" block for the User Agent?
deadl0ck
Posted: Sun Dec 17, 2006 1:13 pm
By the way Guardian2003, PM sent.
montego
Posted: Mon Dec 18, 2006 5:58 am
Similarly to USER AGENT, the following can be used for REFERRER:
Code:
RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?.*(-|.)blackjack(-|.).*$ [NC,OR]
This is just one line in a very large list. At the bottom of this list is this:
Code:
RewriteRule ^(.*) %{HTTP_REFERER} [R=301,L]
Guardian will have more examples, I am sure.
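Pulling the two technical threads of this discussion together (picking the spam referers out of the access log posted in the first message, and turning them into the kind of .htaccess block Guardian2003 and montego describe), here is an added example. It is not code from the thread, from phpNuke or from Spam Stopper. The log lines inside it are constructed to match the format of the excerpts above and reuse the three referer hosts and source addresses named there, plus one Googlebot hit and one ordinary visitor that a sane rule must not block; `www.example.com` stands in for deadl0ck's own hostname, which the thread does not show, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the thread's excerpts:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: seven lines shaped like the thread's excerpt (same referer
# hosts and source IPs), then a Googlebot hit and one ordinary visitor
# (192.0.2.10 is a documentation address) that the detector must leave alone.
SAMPLE_LOG = """\
68.151.8.66 - - [13/Dec/2006:07:13:32 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"
60.52.59.153 - - [13/Dec/2006:07:13:32 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"
58.69.136.16 - - [13/Dec/2006:07:13:35 -0800] "GET / HTTP/1.0" 200 - "http://photos.freehostgroup.com" "-"
222.252.102.205 - - [13/Dec/2006:07:13:35 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"
210.187.192.148 - - [13/Dec/2006:07:13:36 -0800] "GET / HTTP/1.0" 200 - "http://photos.freehostgroup.com" "-"
222.252.37.68 - - [13/Dec/2006:07:13:38 -0800] "GET / HTTP/1.0" 200 - "http://podcast.goldbuyhere.com" "-"
60.50.47.241 - - [13/Dec/2006:07:13:38 -0800] "GET / HTTP/1.0" 200 - "http://podcast.goldbuyhere.com" "-"
66.249.65.211 - - [13/Dec/2006:07:13:39 -0800] "GET /modules.php?name=News&file=print&sid=316 HTTP/1.1" 200 555 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [13/Dec/2006:07:13:40 -0800] "GET /modules.php?name=Forums HTTP/1.1" 200 8123 "http://www.google.com/search?q=mame" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
"""


def parse_log(text):
    """Yield one dict per parseable combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def referer_host(referer):
    """Host part of a Referer URL, lower-cased; None for "-" or junk."""
    m = re.match(r'^https?://([^/:?#]+)', referer, re.IGNORECASE)
    return m.group(1).lower() if m else None


def referer_spam_hosts(entries, own_host=None, min_ips=2):
    """Map referer host -> set of source IPs for traffic matching the pattern
    in the thread: a bare "GET / HTTP/1.0", no User-Agent, and an off-site
    Referer, arriving from several different addresses.  own_host (an assumed
    value in the demo) keeps the site's own pages from being flagged."""
    by_host = defaultdict(set)
    for e in entries:
        host = referer_host(e["referer"])
        if host is None or host == own_host:
            continue
        if e["request"] == "GET / HTTP/1.0" and e["ua"] == "-":
            by_host[host].add(e["ip"])
    return {h: ips for h, ips in by_host.items() if len(ips) >= min_ips}


def htaccess_block(hosts):
    """mod_rewrite rules answering 403 to any request whose Referer is one of
    these hosts or a subdomain of them.  Every RewriteCond but the last carries
    [OR]; without it mod_rewrite ANDs the conditions and nothing would match."""
    hosts = sorted(hosts)
    if not hosts:  # an empty list would otherwise yield a rule that blocks everyone
        return ""
    lines = ["RewriteEngine On"]
    for i, h in enumerate(hosts):
        flags = "[NC,OR]" if i < len(hosts) - 1 else "[NC]"
        lines.append(f"RewriteCond %{{HTTP_REFERER}} ^https?://([^/]+\\.)?{re.escape(h)} {flags}")
    lines.append("RewriteRule .* - [F,L]")
    return "\n".join(lines) + "\n"


def would_block(block, referer):
    """Dry-run the generated block: True if any RewriteCond pattern matches.
    The patterns above use only syntax on which PCRE and Python's re agree."""
    for line in block.splitlines():
        if line.startswith("RewriteCond %{HTTP_REFERER} "):
            pattern = line.split(" ")[2]
            if re.search(pattern, referer, re.IGNORECASE):
                return True
    return False


if __name__ == "__main__":
    entries = list(parse_log(SAMPLE_LOG))
    spam = referer_spam_hosts(entries, own_host="www.example.com")  # assumed site hostname
    for host, ips in sorted(spam.items()):
        print(f"{host}: {len(ips)} distinct source IPs")
    print(htaccess_block(spam))
```

Feed the script your real access.log instead of the sample and paste the printed block into .htaccess. It answers with a 403 (`[F]`) rather than bouncing the client back to its referer with a 301 as in montego's rule; both variants stop the request inside Apache before PHP or the database ever see it, which is where the CPU was going. Run `would_block` against a handful of referers you want to keep (a search engine, a forum that links to you) before uploading, because a pattern that is too loose silently turns your own inbound links into 403s.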
deadl0ck
Posted: Mon Dec 18, 2006 6:03 am