RE: ** Newsletter/Marketing email** [users@httpd] "not found or unable to stat" crashes our site

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Warren,

Use mod_rewrite conditions for blocking the url from particular URI/extension. And you can use only prefork as you are hosting php. If you are using prefork MPM you should have large memory and other resources. Send the prefork MPM values & average requests to your site to calculate and suggest the best MPM setting.

Best Regards


  Saikiran M









-----Original Message-----
From: Warren Bell [mailto:warrenbell2@xxxxxxxxx]
Sent: 27 September, 2017 03:56 AM
To: users@xxxxxxxxxxxxxxxx
Subject: ** Newsletter/Marketing email**  "not found or unable to stat" crashes our site

** This mail has been sent from an external source. Treat hyperlinks and attachments in this email with caution**

Our server started to get hit with a particular URL from many different IPs. The URL was for the file wp-login.php. We are running PHP but we are not running Word Press. This looks like some sort of brute force attack. We have thousands of error log entries that look like this:

[Mon Sep 25 08:49:02.199784 2017] [:error] [pid 55904] [client 85.101.234.119:62848] script '/var/www/html/wp-login.php' not found or unable to stat [Mon Sep 25 08:52:59.426923 2017] [:error] [pid 62559] [client 157.50.13.248:57481] script '/var/www/html/wp-login.php' not found or unable to stat [Mon Sep 25 08:59:24.561571 2017] [:error] [pid 73252] [client 42.115.49.147:39332] script '/var/www/html/wp-login.php' not found or unable to stat [Mon Sep 25 09:03:36.470029 2017] [:error] [pid 74502] [client 24.14.179.217:34758] script '/var/www/html/wp-login.php' not found or unable to stat

Eventually we get the following error log entry:

[Tue Sep 26 07:31:04.925077 2017] [mpm_prefork:error] [pid 53301] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

Then we start getting thousands of these entries:

[Tue Sep 26 07:40:26.028058 2017] [core:notice] [pid 53301] AH00051: child pid 61097 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:40:27.032093 2017] [core:notice] [pid 53301] AH00051: child pid 61118 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:40:28.032829 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process [Tue Sep 26 07:40:38.034664 2017] [core:notice] [pid 53301] AH00051: child pid 61127 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:40:38.035026 2017] [core:notice] [pid 53301] AH00051: child pid 61116 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:40:38.035068 2017] [core:notice] [pid 53301] AH00051: child pid 61115 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:40:39.499756 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process [Tue Sep 26 07:40:49.501294 2017] [core:notice] [pid 53301] AH00051: child pid 73499 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:40:49.501632 2017] [core:notice] [pid 53301] AH00051: child pid 73498 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:40:49.501667 2017] [core:notice] [pid 53301] AH00051: child pid 73500 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:40:49.501764 2017] [core:notice] [pid 53301] AH00051: child pid 61188 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:40:49.501797 2017] [core:notice] [pid 53301] AH00051: child pid 61170 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:40:50.509833 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process [Tue Sep 26 07:41:00.512913 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process [Tue Sep 26 07:41:10.529013 2017] [core:noti
ce] [pid 53301] AH00051: child pid 61268 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:41:10.535317 2017] [core:notice] [pid 53301] AH00051: child pid 61201 exit signal Bus error (7), possible coredump in /etc/apache2 [Tue Sep 26 07:41:10.535367 2017] [core:notice] [pid 53301] AH00051: child pid 61204 exit signal Bus error (7), possible coredump in /etc/apache2

Then we have literally 100 or more apache2 processes running and our swap space maxes out and the server comes to a crawl and is unresponsive.

I temporarily fixed it by putting a blank wp-login.php page in the root and restarting apache. But now I can reproduce the same behavior by simply making a request to a bogus URL. I get a 404 but I also get more apache2 processes running and the same log entries.

I don’t know very much about Apache and it’s configuration. Is there anyone that can help me with this issue ?

Thanks,

Warren






---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com ______________________________________________________________________
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux