Drupal LAMP server crash

Keith Smith techlists at phpcoderusa.com
Tue Dec 2 14:29:37 MST 2014


Thanks!!

Cracker was out of Amsterdam.  I'd bet it is a kid looking for bragging 
rights.


On 2014-12-02 15:16, Michael Torres wrote:
> I recently had something similar to this happen this past week.  I
> would suggest that you do a search on that ip "xxx.xxx
>  xxx.xxx" whatever it is and see where it originates from.  My guess
> would be somewhere in asia
> 
> If so...start locking down your. Security more...
>  That's what we are doing.
> On Dec 2, 2014 1:58 PM, "Keith Smith" <techlists at phpcoderusa.com>
> wrote:
> 
>> Hi,
>> 
>> Last night the LAMP server that serves our Drupal install
>> crashed.  It had too may available processes and ran out of
>> memory.  Reduced the number of available Apache processes and
>> everything settled down.  Early this morning the server crashed
>> again from what looked like a hack attempt. Data center directed the
>> offending IP to NULL?? Problem solved.  Server is behaving.
>> 
>> In looking at the log files I find two things that I need help
>> understanding.  Please understand I am not a Drupal developer - I
>> am just responsible for it....
>> 
>> I'm seeing a bunch of 403 errors for trying to access /node/add -
>> is this a new exploit?  What is this?
>> 
>> Also I am seeing lines that contain the following:
>> 
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> 
>> Any idea what this is?
>> 
>> Thank you so much for your help!!
>> 
>> --
>> Keith Smith
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss [2]
> 
> 
> Links:
> ------
> [1] http://drupal.org/
> [2] http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss

-- 
Keith Smith


More information about the PLUG-discuss mailing list