Hi guys, my name is Mike and I'm having a bit of an issue with my VPS from GoDaddy. For the past few days my site has been going offline almost every 12 hours and gets back online after a few minutes by itself. I have checked the log files for errors and the following is what I'm getting.
By the way, my server has 2GB of RAM for my usage.
mod_jk.log
Code:
[Wed Aug 01 22:48:29.197 2012] [1849:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:29.197 2012] [1849:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:30.197 2012] [1845:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:30.197 2012] [1845:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:33.197 2012] [1836:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:33.198 2012] [1836:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:35.198 2012] [1852:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:35.198 2012] [1852:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:41.206 2012] [1860:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:41.206 2012] [1860:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:45.207 2012] [1857:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
[Wed Aug 01 22:48:45.207 2012] [1857:3079039584] [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (961): Uri * is invalid. Uri must start with /
I got tons of these; I just posted the first few of them.
[Wed Aug 01 22:48:23 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Aug 01 22:48:23 2012] [warn] No JkLogFile defined in httpd.conf. Using default /etc/httpd/logs/mod_jk.log
[Wed Aug 01 22:48:23 2012] [warn] No JkShmFile defined in httpd.conf. Using default /etc/httpd/logs/jk-runtime-status
[Wed Aug 01 22:48:24 2012] [notice] Digest: generating secret for digest authentication ...
[Wed Aug 01 22:48:24 2012] [notice] Digest: done
[Wed Aug 01 22:48:24 2012] [warn] No JkLogFile defined in httpd.conf. Using default /etc/httpd/logs/mod_jk.log
[Wed Aug 01 22:48:24 2012] [warn] No JkShmFile defined in httpd.conf. Using default /etc/httpd/logs/jk-runtime-status
[Wed Aug 01 22:48:24 2012] [notice] mod_python: Creating 4 session mutexes based on 10 max processes and 0 max threads.
[Wed Aug 01 22:48:24 2012] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Wed Aug 01 22:49:46 2012] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Wed Aug 01 22:51:57 2012] [notice] child pid 1888 exit signal Segmentation fault (11)
zend_mm_heap corrupted
[Wed Aug 01 23:00:15 2012] [notice] child pid 1944 exit signal Segmentation fault (11)
[Wed Aug 01 23:12:13 2012] [notice] child pid 3312 exit signal Segmentation fault (11)
zend_mm_heap corrupted
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 29642 0 29642 0 0 83228 0 --:--:-- --:--:-- --:--:-- 578k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 29642 0 29642 0 0 299k 0 --:--:-- --:--:-- --:--:-- 1113k
[Wed Aug 01 23:23:18 2012] [notice] child pid 3449 exit signal Segmentation fault (11)
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 120
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 2
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers 1
MinSpareServers 1
MaxSpareServers 5
ServerLimit 10
MaxClients 10
MaxRequestsPerChild 4000
</IfModule>
# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers 1
MaxClients 10
MinSpareThreads 1
MaxSpareThreads 4
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
[Wed Aug 01 22:51:57 2012] [notice] child pid 1888 exit signal Segmentation fault (11)
zend_mm_heap corrupted
[Wed Aug 01 23:00:15 2012] [notice] child pid 1944 exit signal Segmentation fault (11)
[Wed Aug 01 23:12:13 2012] [notice] child pid 3312 exit signal Segmentation fault (11)
zend_mm_heap corrupted
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 29642 0 29642 0 0 83228 0 --:--:-- --:--:-- --:--:-- 578k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 29642 0 29642 0 0 299k 0 --:--:-- --:--:-- --:--:-- 1113k
[Wed Aug 01 23:23:18 2012] [notice] child pid 3449 exit signal Segmentation fault (11)
(..) I only run 3 sites on it, mostly Wordpress and PHPBB3.
You have curl output in your error log. This could potentially be an indication of unwanted activity.
Please check your:
- access log for probing and requests that fopen remote files.
- network connections for "odd" connections.
- Wordpress, PHPBB and any 3rd party plugin versions and ensure they are the latest stable version.
- locations the web server can write to and web sites itself for anomalous files or header / footer / .js content.
On one of my sites' error logs I'm getting tons of this:
Code:
[Wed Aug 01 23:15:47 2012] [error] [client 220.181.124.179] PHP Warning: Attempt to assign property of non-object in /home/psvitacfw/public_html/wp-content/plugins/transposh-translation-filter-for-wordpress/core/parser.php on line 656
[Wed Aug 01 23:15:47 2012] [error] [client 66.249.72.48] PHP Warning: Attempt to assign property of non-object in /home/psvitacfw/public_html/wp-content/plugins/transposh-translation-filter-for-wordpress/core/parser.php on line 656
[Wed Aug 01 23:15:51 2012] [error] [client 66.249.72.48] PHP Warning: Attempt to assign property of non-object in /home/psvitacfw/public_html/wp-content/plugins/transposh-translation-filter-for-wordpress/core/parser.php on line 656
[Wed Aug 01 23:15:53 2012] [error] [client 66.249.72.48] PHP Warning: Attempt to assign property of non-object in /home/psvitacfw/public_html/wp-content/plugins/transposh-translation-filter-for-wordpress/core/parser.php on line 656
[Wed Aug 01 23:16:02 2012] [error] [client 66.249.72.48] PHP Warning: Attempt to assign property of non-object in /home/psvitacfw/public_html/wp-content/plugins/transposh-translation-filter-for-wordpress/core/parser.php on line 656
Thanks for the logs (but next time please gzip or bzip2 them). If I grep the logs for "Xferd" curl output it is not shown. I don't know what site you displayed the error_log from in your first post but it isn't one of those I downloaded. BTW is there a reason why you only responded to 1 out of 4 questions?
Quote:
Originally Posted by thirty5tech
One thing that does come to mind is a translator known as the Transposh plugin that I'm using on both of my sites.
Should it be using Curl or libcurl in the way shown in the first error_log?
Thanks for the reply, and sorry I did not answer all four of your questions, as I'm new.
- access log for probing and requests that fopen remote files.
Code:
Sorry, I do not know which log this is located in. Can you tell me which log to look for and I will get the information?
network connections for "odd" connections.
Code:
Same as above
Wordpress, PHPBB and any 3rd party plugin versions and ensure they are the latest stable version.
Code:
I have double-checked and all is up to date.
locations the web server can write to and web sites itself for anomalous files or header / footer / .js content.
Code:
The sites I run are psvitacfw and pspcustomfirmware dot com, if this is what you mean. If not, can you give a little example and I will try to get the information for you.
- Should it be using Curl or libcurl in the way shown in the first error_log?
Code:
I do not know. I have emailed the developer of the plugin for that information and am awaiting his response. I will give you the information once I get it.
Thanks, I do hope this answers your questions, and once again sorry as I'm new to all this.
Sorry, I do not know which log this is located in. Can you tell me which log to look for and I will get the information?
Your access and error log files.
Quote:
Originally Posted by thirty5tech
network connections for "odd" connections.
Same as above
Run 'netstat -antupe' as root.
Quote:
Originally Posted by thirty5tech
Wordpress, PHPBB and any 3rd party plugin versions and ensure they are the latest stable version.
I have double-checked and all is up to date.
OK, if you say so.
Quote:
Originally Posted by thirty5tech
can you give a little example and I will try to get the information for you.
I meant /tmp and /var/tmp. If you find any odd items run 'stat' on them as root.
Quote:
Originally Posted by thirty5tech
Should it be using Curl or libcurl in the way shown in the first error_log?
I do not know. I have emailed the developer of the plugin for that information and am awaiting his response. I will give you the information once I get it.
Searching trac.transposh.org for "curl" shows it apparently does need Curl...
Run 'netstat -antupe' as root.
I see about 5 to 10 connections from each of these IPs
I notice you are using a web-based management panel. Providing a "good" control panel is one of the unique selling points for hosting companies. Used correctly it does make server management easier. But only if you understand Linux basics and server administration you get the most out of it.
Wrt netstat the idea is to scrub your own and the server's IP address and post full output because listing IP addresses alone does not show their context. Note connections are transient and other than those resulting in a request to a daemon like the web server Linux does not record any. Should you wish to see what each remote IP is up to wrt web pages then you can 'grep -r /var/log/http -e [IP address]' to find all references in the current logs or for example 'grep -r /var/log/http -e [IP address].*GET.*[[:blank:]]200[[:blank:]]' to see all succeeding requests or for instance 'grep -r /var/log/http -e [IP address].*GET.*[[:blank:]]40[0-9]\{1\}[[:blank:]]' to see all requests for the remote IP that do not succeed.
Also note that with console access you can have access to all sorts of diagnostic tools like Apachetop and MySQLtop. These days, when confronted with large logs, I tend to first run 'petit --hash /var/log/somelogfile' to get an idea of what to expect.
*BTW, should you think you could benefit from more thorough log file inspection then I suggest you run them through Logwatch with the "--detail High --service All --range All --archives --numeric --save /var/log/logwatch.log" switches. Do not hesitate to share /var/log/logwatch.log if any output seems suspicious.
Back to selling points, it matters for hosting companies that Linux is available free of cost. Please realize that the fact it is available free of cost does not mean running Linux is free of responsibilities.
Get acquainted with www.centos.org/docs/ and wiki.centos.org/ and maybe get yourself an on-line Linux basics and server administration book.
Quote:
Originally Posted by thirty5tech
- the mod_jk log suggests you run a Tomcat connector. If you don't need mod_jk then disable it and all other modules you don't need now.
If you are talking about modules, this is the only one I could think of, unless it is the wrong one.
You have not indicated if you need and run Jakarta or not.
Next to MPM your Apache main configuration file lists only built-ins and without knowing /etc/httpd/conf.d/ configuration file details it would be unwise and counter-productive to make suggestions for pruning modules. The Apache web site provides detailed information for each module but IIRC not dependencies. This means you should read up on what a module does, assess if you need it and then test a copy of your web server configuration, preferably on a staging area, before committing changes to your production host. Note that depending on circumstances "staging" may mean copying over a modified /etc/httpd tree and starting Apache on a separate port, another VPS you can use or local virtualization if you run VMWare, QEmu, VirtualBox, XEN or whatever else you choose. Pruning modules may make the web server process relatively lighter to start up, restricts functionality to only what you need (I doubt you need any LDAP-related, WebDAV or proxy modules) and may avoid exposing unnecessary information (Apachetop relies on modules/mod_status.so and modules/mod_info.so IIRC).
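The access-log checks suggested in the replies above (requests that fopen remote files, and succeeding versus failing requests per remote IP), as an added example that is not part of the original thread. The function names and the sample log lines are constructed for illustration, and Apache's "combined" log format is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Log lines are constructed sample data
# using documentation IP ranges; assumes Apache "combined" log format.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [01/Aug/2012:23:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Aug/2012:23:10:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Aug/2012:23:11:40 +0000] "GET /index.php?page=http://files.example/a.txt HTTP/1.1" 200 1834 "-" "libwww-perl/5.8"
198.51.100.7 - - [01/Aug/2012:23:11:42 +0000] "GET /forum/viewtopic.php?inc=ftp%3A%2F%2Ffiles.example%2Fb HTTP/1.1" 404 310 "-" "libwww-perl/5.8"
198.51.100.7 - - [01/Aug/2012:23:11:43 +0000] "GET /admin/config.php HTTP/1.1" 403 290 "-" "libwww-perl/5.8"
203.0.113.5 - - [01/Aug/2012:23:12:00 +0000] "GET /?s=how+to+use+http://example.org HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
EOF
}

# Per-IP count of 2xx, 4xx and other responses: the two grep patterns from
# the post, applied to every client in one pass.
status_by_ip() {
    awk -F'"' '{
        split($1, pre, " "); ip = pre[1]        # client address
        split($3, post, " "); code = post[1]    # HTTP status code
        if (code ~ /^2[0-9][0-9]$/) ok[ip]++
        else if (code ~ /^4[0-9][0-9]$/) bad[ip]++
        else other[ip]++
        seen[ip] = 1
    }
    END {
        for (ip in seen)
            printf "%s ok=%d 4xx=%d other=%d\n", ip, ok[ip], bad[ip], other[ip]
    }' "$1" | LC_ALL=C sort
}

# Requests where a query parameter value starts with a URL scheme, plain or
# percent-encoded (the "fopen remote files" pattern). Prints: ip status url
remote_url_params() {
    awk -F'"' '{
        split($1, pre, " "); split($2, req, " "); split($3, post, " ")
        url = tolower(req[2])                   # match %3A and %3a alike
        if (url ~ /[?&][^=&]*=(https?|ftp)(:|%3a)(\/\/|%2f%2f)/)
            print pre[1], post[1], req[2]
    }' "$1"
}

# Use the log given as $1, or fall back to the constructed sample.
log=${1:-}
if [ -z "$log" ]; then log=$(mktemp); sample_log > "$log"; cleanup=1; fi
echo "== status per client =="; status_by_ip "$log"
echo "== parameters carrying a remote URL =="; remote_url_params "$log"
if [ -n "${cleanup:-}" ]; then rm -f "$log"; fi
```

A remote-URL parameter that was answered with a 2xx status is the line to follow up first; the search query from 203.0.113.5 is not flagged because the URL is not at the start of the parameter value.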