Drupal LAMP server crash
Keith Smith
techlists at phpcoderusa.com
Tue Dec 2 19:07:46 MST 2014
Thank you Lisa!
It's Drupal 7 and is up to date.
On 2014-12-02 19:18, Lisa Kachold wrote:
> Keith:
>
> These are not due to hackers; although if you are running an older
> version of Drupal or a heavily customized code base, it's a good bet
> you are targeted. All phishing, most database encroachments tools
> and certainly all rogue security scanners include the option to spoof
> source addresses. Asia is a commonly used spoofed local. Don't rely
> on locking out one of these scripts, rather than fix your security
> issues or upgrade your CMS.
>
> The 403 errors are due to CCK module or configuration for caching ( or
> can be caused by a hosting provider using mod_security):
> https://www.drupal.org/node/110219 [3]
/node/add either does not exist or a guest does not have permission to
access. Would not a 403 error be in order? I'm thinking just by the
nature of someone trying to access /node/add means they are up to no
good.
It seems counter intuitive to tone down the mod_security settings. I
don't care abut the 403 entries in the logs. I just want to understand
what is taking place.
>
> Your httprl_async_function_callback error is a caching configuration
> issue in Drupal; not in and of itself a hacking attempt:
> https://www.drupal.org/node/2079561 [4]
>
I have seen https://www.drupal.org/node/2079561, however I think it may
require a little more attention - thanks!
> On Tue, Dec 2, 2014 at 1:58 PM, Keith Smith
> <techlists at phpcoderusa.com> wrote:
>
>> Hi,
>>
>> Last night the LAMP server that serves our Drupal install
>> crashed. It had too may available processes and ran out of
>> memory. Reduced the number of available Apache processes and
>> everything settled down. Early this morning the server crashed
>> again from what looked like a hack attempt. Data center directed the
>> offending IP to NULL?? Problem solved. Server is behaving.
>>
>> In looking at the log files I find two things that I need help
>> understanding. Please understand I am not a Drupal developer - I
>> am just responsible for it....
>>
>> I'm seeing a bunch of 403 errors for trying to access /node/add -
>> is this a new exploit? What is this?
>>
>> Also I am seeing lines that contain the following:
>>
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-"
>> "Drupal (+http://drupal.org/ [1])"
>> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST
>> /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-"
>> "Drupal (+http://drupal.org/ [1])"
>>
>> Any idea what this is?
>>
>> Thank you so much for your help!!
>>
>> --
>> Keith Smith
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss [2]
>
>
>
> Links:
> ------
> [1] http://drupal.org/
> [2] http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> [3] https://www.drupal.org/node/110219
> [4] https://www.drupal.org/node/2079561
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
--
Keith Smith
More information about the PLUG-discuss
mailing list