Drupal LAMP server crash
Keith Smith
techlists at phpcoderusa.com
Tue Dec 2 14:29:37 MST 2014
Thanks!!
Cracker was out of Amsterdam. I'd bet it is a kid looking for bragging
rights.
On 2014-12-02 15:16, Michael Torres wrote:
> I recently had something similar to this happen this past week. I
> would suggest that you do a search on that ip "xxx.xxx
> xxx.xxx" whatever it is and see where it originates from. My guess
> would be somewhere in asia
>
> If so...start locking down your. Security more...
> That's what we are doing.
> On Dec 2, 2014 1:58 PM, "Keith Smith" <techlists at phpcoderusa.com>
> wrote:
>
>> Hi,
>>
>> Last night the LAMP server that serves our Drupal install
>> crashed. It had too may available processes and ran out of
>> memory. Reduced the number of available Apache processes and
>> everything settled down. Early this morning the server crashed
>> again from what looked like a hack attempt. Data center directed the
>> offending IP to NULL?? Problem solved. Server is behaving.
>>
>> In looking at the log files I find two things that I need help
>> understanding. Please understand I am not a Drupal developer - I
>> am just responsible for it....
>>
>> I'm seeing a bunch of 403 errors for trying to access /node/add -
>> is this a new exploit? What is this?
>>
>> Also I am seeing lines that contain the following:
>>
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-"
>> "Drupal (+http://drupal.org/ [1])"
>>
>> Any idea what this is?
>>
>> Thank you so much for your help!!
>>
>> --
>> Keith Smith
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss [2]
>
>
> Links:
> ------
> [1] http://drupal.org/
> [2] http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
--
Keith Smith
More information about the PLUG-discuss
mailing list