Drupal LAMP server crash

Tue Dec 2 19:07:46 MST 2014

Thank you Lisa!

It's Drupal 7 and is up to date.

On 2014-12-02 19:18, Lisa Kachold wrote:
> Keith:  
> 
> These are not due to hackers; although if you are running an older
> version of Drupal or a heavily customized code base, it's a good bet
> you are targeted.  All phishing, most database encroachments tools
> and certainly all rogue security scanners include the option to spoof
> source addresses. Asia is a commonly used spoofed local.  Don't rely
> on locking out one of these scripts, rather than fix your security
> issues or upgrade your CMS.
> 
> The 403 errors are due to CCK module or configuration for caching ( or
> can be caused by a hosting provider using mod_security):
>  https://www.drupal.org/node/110219 [3]

/node/add either does not exist or a guest does not have permission to 
access.  Would not a 403 error be in order?  I'm thinking just by the 
nature of someone trying to access /node/add means they are up to no 
good.

It seems counter intuitive to tone down the mod_security settings.  I 
don't care abut the 403 entries in the logs.  I just want to understand 
what is taking place.

> 
> Your httprl_async_function_callback error is a caching configuration
> issue in Drupal; not in and of itself a hacking attempt:
> https://www.drupal.org/node/2079561 [4]
> 

I have seen https://www.drupal.org/node/2079561, however I think it may 
require a little more attention - thanks!

> On Tue, Dec 2, 2014 at 1:58 PM, Keith Smith
> <techlists at phpcoderusa.com> wrote:
> 
>> Hi,
>> 
>> Last night the LAMP server that serves our Drupal install
>> crashed.  It had too may available processes and ran out of
>> memory.  Reduced the number of available Apache processes and
>> everything settled down.  Early this morning the server crashed
>> again from what looked like a hack attempt. Data center directed the
>> offending IP to NULL?? Problem solved.  Server is behaving.
>> 
>> In looking at the log files I find two things that I need help
>> understanding.  Please understand I am not a Drupal developer - I
>> am just responsible for it....
>> 
>> I'm seeing a bunch of 403 errors for trying to access /node/add -
>> is this a new exploit?  What is this?
>> 
>> Also I am seeing lines that contain the following:
>> 
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> 
>> Any idea what this is?
>> 
>> Thank you so much for your help!!
>> 
>> --
>> Keith Smith
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss [2]
> 
> 
> 
> Links:
> ------
> [1] http://drupal.org/
> [2] http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> [3] https://www.drupal.org/node/110219
> [4] https://www.drupal.org/node/2079561
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss

-- 
Keith Smith