Ravens PHP Scripts: Forums
Forum Index -> Raven's RavenNuke(tm) v1.x Distro
deadl0ck
Hangin' Around


Joined: Apr 09, 2006
Posts: 44

PostPosted: Wed Dec 13, 2006 4:31 pm

My hoster has taken my site down (link omitted).
He reckons my site has some exploit against it because the CPU usage went high on the server, and my site got really slow.

This happened before and he thought it was some exploit against phpNuke, but all I did was clear down some spam from the nuke_reviews_comments table and I turned off HTTP Referers in PHPNuke, and the site seemed to be faster and he put it back up.
Anyhow that was a few weeks ago.

Got another mail saying that it was happening again today and the site is gone down....


Anyhow - my access logs are full with entries like this:

Code:
68.151.8.66 - - [13/Dec/2006:07:13:32 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"

60.52.59.153 - - [13/Dec/2006:07:13:32 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"
58.69.136.16 - - [13/Dec/2006:07:13:35 -0800] "GET / HTTP/1.0" 200 - "http://photos.freehostgroup.com" "-"
222.252.102.205 - - [13/Dec/2006:07:13:35 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"
210.187.192.148 - - [13/Dec/2006:07:13:36 -0800] "GET / HTTP/1.0" 200 - "http://photos.freehostgroup.com" "-"
218.111.132.125 - - [13/Dec/2006:07:13:37 -0800] "GET / HTTP/1.0" 200 - "http://photos.freehostgroup.com" "-"
222.252.37.68 - - [13/Dec/2006:07:13:38 -0800] "GET / HTTP/1.0" 200 - "http://podcast.goldbuyhere.com" "-"
60.50.47.241 - - [13/Dec/2006:07:13:38 -0800] "GET / HTTP/1.0" 200 - "http://podcast.goldbuyhere.com" "-"



and


Code:
210.213.236.161 - - [12/Dec/2006:00:06:28 -0800] "GET / HTTP/1.0" 403 388 "http://places.globalartforum.com" "-"
203.210.199.247 - - [12/Dec/2006:00:06:33 -0800] "GET / HTTP/1.0" 403 388 "http://places.globalartforum.com" "-"
63.240.152.11 - - [12/Dec/2006:00:06:36 -0800] "GET /themes/Sunset/images/logo.gif HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible;)"
66.249.65.211 - - [12/Dec/2006:00:06:39 -0800] "GET /modules.php?name=News&file=print&sid=316 HTTP/1.1" 200 555 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
219.93.229.150 - - [12/Dec/2006:00:06:47 -0800] "GET / HTTP/1.0" 403 388 "http://photos.freehostgroup.com" "-"
203.84.184.246 - - [12/Dec/2006:00:06:49 -0800] "GET / HTTP/1.0" 403 388 "http://podcast.goldbuyhere.com" "-"
203.160.1.50 - - [12/Dec/2006:00:07:17 -0800] "GET / HTTP/1.0" 403 288 "http://places.globalartforum.com" "-"
60.50.37.16 - - [12/Dec/2006:00:07:35 -0800] "GET / HTTP/1.0" 403 388 "http://podcast.goldbuyhere.com" "-"
203.177.4.48 - - [12/Dec/2006:00:07:41 -0800] "GET / HTTP/1.0" 403 388 "http://places.globalartforum.com" "-"


I presume that all the 403 (Forbidden) HTTP responses came when he took the site down.....


Here's what my hoster has told me:
Quote:
The http process is what is using all the CPU.... the problem is that thousands of child processes are launched and it just makes the cpu go off the scale.
.....
The problem is that the http server doesn't get the information served quick enough to free itself up for the next request, so it spawns another process, and so on, etc... slow response from the DB could be causing this like last time, or a DOS attack, but when I checked the server status there didn't seem to be a huge amount of requests for your site.


Can anybody shed some light as to what this might be, as it's the 2nd time it's happened.....


Thanks !
 
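The log excerpt above has one fixed shape: a front-page "GET / HTTP/1.0", no User-Agent ("-"), a Referer on a domain the site never links to, and many different client IPs cycling through the same three referrer hosts. Each of those hits still runs the full PHP-Nuke front page, which is where the CPU goes even though the raw request rate looks modest. The script below is an added example (not code from the thread or from RavenNuke) that parses Apache "combined" log lines and reports referrer hosts hit from several distinct IPs with that signature. The sample log lines are constructed for the example, modelled on the ones in the post, with client IPs from the RFC 5737 documentation ranges; the three referrer hosts are the ones the thread names.

```python
"""Detect a referrer-spam flood in an Apache "combined" access log."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache LogFormat "combined":
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname from the Referer header, or None when the header was empty ("-")."""
    if not referer or referer == "-":
        return None
    return urlparse(referer).hostname


def looks_like_referrer_spam(rec):
    """Front-page GET over HTTP/1.0 with no User-Agent but a Referer present.

    Real browsers always send a User-Agent, and genuine links to "/" do not
    arrive over HTTP/1.0 by the hundred, so this combination is the flood.
    """
    return (rec["method"] == "GET" and rec["path"] == "/"
            and rec["proto"] == "HTTP/1.0"
            and rec["agent"] == "-"
            and referer_host(rec["referer"]) is not None)


def summarise(lines, min_ips=2):
    """Count signature hits and group them by referrer host.

    Returns (hits, flagged); flagged maps each referrer host seen from at
    least `min_ips` distinct client IPs to the sorted list of those IPs.
    One IP hammering one referrer is a single bad client; many IPs sharing
    a referrer is the distributed flood worth blocking at the web server.
    """
    ips_by_host = defaultdict(set)
    hits = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not looks_like_referrer_spam(rec):
            continue
        hits += 1
        ips_by_host[referer_host(rec["referer"])].add(rec["ip"])
    flagged = {host: sorted(ips) for host, ips in ips_by_host.items()
               if len(ips) >= min_ips}
    return hits, flagged


# Constructed sample (not real log data): six flood lines, then ordinary
# traffic (static file, Googlebot, a normal browser) that must not be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Dec/2006:07:13:32 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"
192.0.2.11 - - [13/Dec/2006:07:13:32 -0800] "GET / HTTP/1.0" 200 - "http://places.globalartforum.com" "-"
192.0.2.12 - - [13/Dec/2006:07:13:35 -0800] "GET / HTTP/1.0" 200 - "http://photos.freehostgroup.com" "-"
192.0.2.13 - - [13/Dec/2006:07:13:36 -0800] "GET / HTTP/1.0" 200 - "http://photos.freehostgroup.com" "-"
192.0.2.14 - - [13/Dec/2006:07:13:38 -0800] "GET / HTTP/1.0" 200 - "http://podcast.goldbuyhere.com" "-"
192.0.2.14 - - [13/Dec/2006:07:13:39 -0800] "GET / HTTP/1.0" 200 - "http://podcast.goldbuyhere.com" "-"
198.51.100.7 - - [13/Dec/2006:07:13:40 -0800] "GET /themes/Sunset/images/logo.gif HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible;)"
198.51.100.8 - - [13/Dec/2006:07:13:41 -0800] "GET /modules.php?name=News&file=print&sid=316 HTTP/1.1" 200 555 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [13/Dec/2006:07:13:42 -0800] "GET / HTTP/1.1" 200 9120 "http://www.example.net/links.html" "Mozilla/5.0 (Windows; U)"
"""

if __name__ == "__main__":
    total, bad = summarise(SAMPLE_LOG.splitlines())
    print(f"{total} signature hits")
    for host, ips in sorted(bad.items()):
        print(f"  {host}: {len(ips)} distinct IPs, e.g. {ips[0]}")
```

Run it against a real rotated log with `summarise(open("access.log.1"))`; with the default `min_ips=2` the third host in the sample is not reported because both of its hits came from one IP, which is the point of the threshold. The flagged hosts are the ones to put in the .htaccess referrer block or the Spam Stopper blacklist.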
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Wed Dec 13, 2006 5:52 pm

No, this isn't a DoS; if it was, you would know.
That pulls everything down; taking your site offline as for maintenance will not do...
The account has to be temporarily suspended...
That usually drops the connections... but takes at least 15 minutes to recover from the blow...

BTW, the posted info doesn't really help...
But the globalart link originates from the Czech Republic and the owner is Turkish, which means a bad combination...
Or you do have something vulnerable on your server, or you're getting bogus requests...
 
deadl0ck
PostPosted: Wed Dec 13, 2006 6:03 pm

What type of info should I look for either from my hoster, or in my logs etc.. ?
 
hitwalker
PostPosted: Wed Dec 13, 2006 6:07 pm

Well, if it was an attack your logs (latest visits) would be filled....
But I doubt that...
Let your host help with the traffic stats....
That should show something....
If he's not too lazy he knows where to look... or not..

It would help if you post what your site is about, and what kind of NON-standard nuke modules you have installed.
 
deadl0ck
PostPosted: Wed Dec 13, 2006 6:23 pm

The logs got pretty full - they rolled over:

Code:


 2944243 Dec 13 07:13 ../logs/access.log
17396570 Dec 13 00:09 ../logs/access.log.1
16826423 Dec 12 00:05 ../logs/access.log.2
17068145 Dec 11 00:04 ../logs/access.log.3
16524937 Dec 10 00:05 ../logs/access.log.4
16526706 Dec  9 00:05 ../logs/access.log.5
14403947 Dec  8 00:05 ../logs/access.log.6
11860449 Dec  7 00:05 ../logs/access.log.7
13276608 Dec  6 00:04 ../logs/access.log.8
13037974 Dec  5 00:04 ../logs/access.log.9


Non-standard modules I can think of:
Spam Stopper
Nuke Sentinel (part of Raven)
Nuke Treasury
Nuke chat

In case I missed anything, here's my modules directory :

Code:


 512 Jan  7  2006 Addon_Sample
 512 Apr 10  2006 AutoTheme
 512 Apr  9  2006 AvantGo
 512 Apr  9  2006 Content
 512 Apr 10  2006 Copy of Topics
 512 Apr 22  2006 Donations
 512 Apr  9  2006 Downloads
 512 Apr  9  2006 Encyclopedia
 512 Apr  9  2006 FAQ
 512 Apr 10  2006 Feedback
1536 Apr 10  2006 Forums
 512 Apr 10  2006 Groups
 512 Jan  7  2006 Guestbook
1024 Apr 10  2006 Journal
 512 Apr  9  2006 Members_List
 512 Apr  9  2006 News
 512 Jan  7  2006 NukeChat
 512 Apr 10  2006 NukeSentinel
 512 Apr  3  2006 Nuke_
 512 Apr 10  2006 Private_Messages
 512 Apr 10  2006 Recommend_Us
 512 Apr  9  2006 Reviews
 512 Apr  9  2006 Search
 512 Jan  7  2006 Sections
 512 Dec  4 08:28 Spam_Stopper
 512 Apr  9  2006 Statistics
 512 Apr  9  2006 Stories_Archive
 512 Apr  9  2006 Submit_News
 512 Apr  9  2006 Surveys
 512 Apr  9  2006 Top
 512 Apr  9  2006 Topics
 512 May  9  2004 WebMail
 512 Apr  9  2006 Web_Links
 512 Apr 10  2006 Your_Account
2560 Jan  7  2006 gallery
   0 Apr 10  2006 index.html
 512 Apr 10  2006 rwsMetAuthors


The site links to other sites that have ROM images for MAME (Multiple Arcade Machine Emulator). I also have forums that help people with MAME problems.

It gets about 1000+ unique visitors per day.

Are these the traffic stats you want? (link omitted)

Any suggestions/ideas would be great !
 
hitwalker
PostPosted: Wed Dec 13, 2006 6:52 pm

Well, I don't see anything that weird....
The only thing that can cause it somehow is the chat or the gallery...
As you may not know, these 2 mods can be abused, especially when people hotlink...
Just put the site back online and let your host keep an eye on things, including the traffic...... preferably per module...
 
manunkind
Client


Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM

PostPosted: Wed Dec 13, 2006 8:39 pm

What module is Nuke_?

deadl0ck
PostPosted: Thu Dec 14, 2006 3:06 am

Don't know what "Nuke_" is.
Here's a listing of it:

Code:


  512 Apr  3  2006 blocks
  512 Apr  3  2006 images
  512 Apr  3  2006 menu
 1449 Apr  3  2006 menuvar.php
  512 Apr  3  2006 modules
  512 Apr  3  2006 style
  512 Apr  3  2006 table
47993 Apr  3  2006 theme.php
 1016 Apr  3  2006 themevar.php

Looks like it's a partial backup of the standard root dir, but I'm not sure....

The chat and gallery are irrelevant to the site really - how would I remove these modules ?

Is it just a matter of removing their corresponding modules dirs ?
 
deadl0ck
PostPosted: Thu Dec 14, 2006 5:12 am

Are there any other log file that would help ?
I have access to the access.log and error.log...
 
hitwalker
PostPosted: Thu Dec 14, 2006 6:41 am

Your site still offline?
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Thu Dec 14, 2006 7:09 am

deadl0ck, I just removed the user and group information out of your listings above! NO-ONE has any business knowing what these are and you need to be careful posting that kind of info out in public... Wink

deadl0ck
PostPosted: Fri Dec 15, 2006 4:32 am

Quote:
deadl0ck, I just removed the user and group information out of your listings above! NO-ONE has any business knowing what these are and you need to be careful posting that kind of info out in public... Wink

Sorry and thanks !!

Quote:
Your site still offline?

I've just checked and it's back up now. I was at a wedding all day yesterday so I didn't get a chance to check anything (I wasn't in any state to check anything).

Anyhoo, my hoster has put it back up now (link omitted).

Can anyone tell me how to remove a module - do I just delete the module directory?
 
montego
PostPosted: Sat Dec 16, 2006 7:32 am

Quote:

Can anyone tell me how to removed a module - do I just delete the module directory?


Yes, remove it from the module directory and you may also want to go to the Admin --> modules just to make sure you no longer see it there. However, you also have to consider what tables may still be left behind and/or if the module install involved any other "hacks" to core nuke tables and/or scripts, the removal is quite a bit more complex.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Sat Dec 16, 2006 8:15 am

I presume you have these added to Spam Stoppers blacklist?
Quote:
places.globalartforum.com
photos.freehostgroup.com
podcast.goldbuyhere.com


I see you have the very old Webmail module installed, you should get rid of that immediately and you might want to consider getting rid of the chat module.

If you need help, please PM me your stuff - admin log-in, ftp log-in and a log-in so I can access your database (cpanel log in is fine).
 
deadl0ck
PostPosted: Sun Dec 17, 2006 11:44 am

Hi guys,
Thanks for all the advice.
I'm gonna remove the chat module and gallery module

Is it possible for me to block the referrer in the .htaccess, or should I just do it through SpamStopper?
 
Guardian2003
PostPosted: Sun Dec 17, 2006 12:08 pm

Blocking them in htaccess is more efficient
 
deadl0ck
PostPosted: Sun Dec 17, 2006 1:12 pm

How do I block a referrer in the .htaccess?

Is it similar to the "libperl" block for the User Agent ?
 
deadl0ck
PostPosted: Sun Dec 17, 2006 1:13 pm

By the way Guardian2003, PM Sent
 
montego
PostPosted: Mon Dec 18, 2006 5:58 am

Similar to USER AGENT, the following can be used for REFERRER:

RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?.*(-|.)blackjack(-|.).*$ [NC,OR]


This is just one line in a very large list. At the bottom of this list is this:

RewriteRule ^(.*) %{HTTP_REFERER} [R=301,L]

Guardian will have more examples I am sure.
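As an added example (not montego's list and not part of RavenNuke), here is a complete .htaccess fragment for the three referrer hosts named earlier in this thread. It assumes mod_rewrite is loaded and that the host's `AllowOverride` permits `FileInfo` in .htaccess. The hosts are matched exactly as they appear in the log; widening the pattern to the parent domain is an option, but that is a guess about the spammer's other subdomains, not something the log shows.

```apache
# Added example: deny requests that arrive with one of the spam referrers.
RewriteEngine On

# One condition per host. Every condition except the last carries [OR],
# otherwise Apache ANDs them and nothing ever matches. [NC] = case-insensitive.
RewriteCond %{HTTP_REFERER} ^https?://places\.globalartforum\.com(/|$) [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://photos\.freehostgroup\.com(/|$)  [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://podcast\.goldbuyhere\.com(/|$)   [NC]

# "-" means no substitution; [F] answers 403 Forbidden straight from Apache,
# so the request never reaches PHP or the database, which is the whole point.
RewriteRule .* - [F,L]
```

The difference from the `RewriteRule ^(.*) %{HTTP_REFERER} [R=301,L]` line quoted above is only in what the client gets back: a 301 bounces it to the referrer site, while `[F]` sends a 403 and nothing else, which is marginally cheaper and does not send traffic to the spammer. You can check the rule from a shell with `curl -I -e http://places.globalartforum.com http://yoursite.example/` (curl's `-e` sets the Referer header); you should see `HTTP/1.1 403 Forbidden`, and a request without `-e` should still return 200. Because the referrer strings are under the attacker's control, expect to add hosts to this list as they rotate; the empty User-Agent plus HTTP/1.0 combination in the log is a more durable signature, but blocking on an empty User-Agent can also catch legitimate monitoring tools, so that is a decision to make deliberately.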
 
deadl0ck
PostPosted: Mon Dec 18, 2006 6:03 am

Thanks montego
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours