Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x
Author Message
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1242

PostPosted: Sat Jul 26, 2008 8:27 am Reply with quote

Woke up this morning to all modules de-activated on one of my support production servers.

Latest RN and NS

Only thing left in the Main Menu was "Home", everything else was missing. Going into "Administration - Modules" all were de-activated and all of the custom names missing. Modules were still there, just not active. Editing and adding custom names back worked ok, nothing else amiss.

Anybody else see this before? May just be a "fluke" but I don't believe in "flukes" only deliberate flukes. No additional admins added in, no "blocks" registered by NS, etc. Truly a mystery and the red flag is now up.

Cheers, Jay


Last edited by dad7732 on Sat Jul 26, 2008 4:20 pm; edited 1 time in total 
View user's profile Send private message
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Sat Jul 26, 2008 9:28 am Reply with quote

Yes someone reported this behavior a long time before.Maybe you can find his entry.I blieve he thought first his site was hacked or something like that.
Can´t remember but I´m quite sure it had nothing to do with NukeSentinel.
 
View user's profile Send private message
dad7732
PostPosted: Sat Jul 26, 2008 9:37 am Reply with quote

I'll have a search at it and see what turns up again, didn't find anything the first time.

Cheers, Jay
 
dad7732
PostPosted: Sat Jul 26, 2008 9:55 am Reply with quote

First of all I need to learn to spell better when searching, found the thread but nothing there really applies.

However, I think I found the culprit. One IP was responsible for hundreds of failed attempts to read my htaccess file.

User IP can no longer access my server.

Cheers, Jay
 
warren-the-ape
Worker
Worker


Joined: Nov 19, 2007
Posts: 196
Location: Netherlands

PostPosted: Sat Jul 26, 2008 3:29 pm Reply with quote

dad7732 wrote:
However, I think I found the culprit. One IP was responsible for hundreds of failed attempts to read my htaccess file.

User IP can no longer access my server.


Hmm? Could you explain that, it might be interesting for the rest of us Cool
 
View user's profile Send private message
dad7732
PostPosted: Sat Jul 26, 2008 3:43 pm Reply with quote

No idea how it actually could affect the modules DB but the 100's of lines one after the other in the server log pertaining to "too many open files .htaccess pcfg_xxxxx" could have caused it. This is a common error in Apache when the server is not configured to handle enough open files. It's akin to a DoS attack. How this may have affected this particular incident I don't know but it did appear in the server log at about the same time as the modules wipe-out.

Cheers

Except for my server info and time, this is the actual entry from the error log for the particular domain affected:

Code:
[client 117.195.224.61] (23)Too many open files in system: /.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable



The count on that entry was exactly 512 lines and there is nothing wrong with the htaccess file.
 
dad7732
PostPosted: Sat Jul 26, 2008 4:24 pm Reply with quote

Additional info forgot to add. Can't get into my admin at the moment because of where I am at work - cookies disabled - but I can get into my DB. The IP I listed above sure enough is in the blocked_ip table with a reason of "10" which means that NS actually caught it, but why after 512 lines? No idea at the moment what a reason 10 is but I suspect some sort of "harvest" maybe? Still why this "may" have done the dirty deed escapes me may just be a coincidence who knows.

Cheers
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Mon Jul 28, 2008 5:27 am Reply with quote

dad7732, the reason is that they were able to get that many requests in (yes, a DOS) before your timing was hit on the flood blocker.

And, yes, I believe you are right that we have found that if a site is so busy like this and *nuke is reading the modules directory but cannot complete that reading, it will deactivate everything after it. We have seen this before.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
dad7732
PostPosted: Mon Jul 28, 2008 5:42 am Reply with quote

Just so long as it's not a hack that gets through, no problem, that's what a backup is for ... Smile

Cheers
 
montego
PostPosted: Mon Jul 28, 2008 5:48 am Reply with quote

Unfortunately, DOS type attacks are very difficult to stop with application software. If someone floods you with a real "hack" attempt, that means two attacks are occurring at the same time. No-one can predict just how MySQL is going to behave or PHP or Apache. So, yes, that is what good backups are for... Wink For true DOS protection, it really takes a concerted effort by the site owner AND the site's host.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©