LinuxQuestions.org


saagar 10-07-2011 03:09 AM

Help related to Server down issue
 
Hi, our home server (Amazon EC2 virtual instance, Debian 6 based) was down on Oct 5, 2011. I could not find out why the server went down. I was not even able to SSH into the server. Once I rebooted, everything looked fine.

Could not get anything from logs, except for several entries in /var/log/apache2/access.log and /var/log/apache2/error.log.

I am yet to find out the cause for this. Kindly help.



Code:


218.10.62.48 - - [05/Oct/2011:15:35:23 +0000] "\x80\xebP\xc0\xf98\xc4\xc2\xf9\x89\x98e\xff\xf7K\xe3\xd4\xd6\xdd\x80;%O\xc1l\xbas\x8d\x9f\xfe\v\xae\xfa\xc0\t\xb7\xafR\x03\xc6\x1c\xdd\xba~\xa8\xd2\xefg\xb7R\x8d%#LQ\x7f\xfd\x7f++\xa5_\x95\xaa\xbbp\xd7\xf0\xe8\x84[k\x83\xc6\xd2\xa2\x97\xe8\x8c\xcat\xfbM\x0f\x96\xfeG\xa2\x81\x9b\xca\x8e\xf6]\xce\xb1F%\xa1/)|\x19\xabBkMXSX\"\xc6TnT\xe9\xeb\x1b\x8bm5\xd4z+\xb0I\xdc\xf6m\xfc\xa4\x95\xf7<\xc09\xa6\r\x90ye2?8\x9f\x13\xa0\x8b-+\xf7a~q\x0c.9\xe7\xa3&c\xc6:[\x82\xf9\x13(\x07#\xa0\xeaT_\"\xf2\xf0\xc1\xfc\x1dk\xf3\xfch\xe4\b\x15\x1dn\xb8B\xd1\xfd|,\x7f\xf4\xbd'z\xdfFd3\xa4\x05\xa5\x14E\xa10\xaf\x95\xac\x17\xf83,\x15\xa1c\xd6\xf1\xdf\xd1\x1d_\xc5\xd9\x85@9J#k\xee(\x8f\x02l1\xb1\x9bE\xdc1=\x0f\xdb\xd0/\xbd& \x9d\xf6<{<\x95\x7f\xfaM\xc8\x1d\xb76\xc3\xc6\xb7\xaf\xf6\xe7\xc9\xba\xc3\xf9\xf6QUF\x80\x12l\x9f.\xe1[\xa8\x1do'\x17\xbbo\xb3\xf1\xa4v\xb7[%\xadBm\xe6\x84g\xdc\xd5;\xa2\xd4L\x0es\xf9nM\xa1\x8b\xbbH!v\xb6\xd3\xe7\xd9\xc9\x9e\xb4m\xcbu\xda\xb1\xf9\xc0\x0eN\xfa\xaf\"\xc5<\x14\xbe\xa9a\xdf\xb3\x9b'\xd4\x91\\'x\xb4\xef\x16h]`\xdd7\x91Vv\x9e#p\xcc\xc35\b\xd6\xf30\xb6\xd2\xe3\xd1x\xb7bS\xdd\xd9\x07Mn\xee\xa9NK_\xde\xa0T\xfb\xc2\xc3\xc7\x85wN\xda\xe9}\x11;\xdfa\xb2\x96\xc2\x84\xf3\x1b\v\xbf\b\xf8\xe7UCF3\xe2\x19\xad$\xdbt(RA\x81<\xbe\x11v\x9dq\xa8\xb33,&M6\xe4\xd4.\xcb)\xef\x90\xdbQ\xa8\x88t\x03|\x1bT\xbc\x9c\x0fz\xac\x05\x97\x1e\xac\xc9\xcf\xd7n\x9c\x8dRp:\x9c\x98*\xab\xf2\xf9\xd2\xfan\xd4v\b\xa72\xa3\xb6,\xcf\xbaBl\xe5\v;<\xf7\xd6\xc8I\xc5\x82d\xdd+\x0f\xcf$`\xc9\x114?\x19Z\xf0\xbb\x8f\x9b" 400 525 "-" "-"
59.55.159.142 - - [05/Oct/2011:15:35:34 +0000] "A\xa3k\xc9\x88L\xf3{g\xe3\xae\x0e>\x9b\xef-F\xbf\xa6\xc9\xd1~\xe0/n\xee\xcc\x97\x13rAz\x89\xa0N\xa9M~*\x10$\xaa\xbb\x98\xa6$_\x0e\xf6\x06\xca\xdf$\x84d\x81\x80\xeb/\xc4\xe1y\xdeL~\xff\xb0x\xb4\x9e\",_D\xf7{\x97\xd9\x92S\xa3$<sdCAw4\x14\xf5W\x8b\xb4\xb4*zd!\xae\x82C\xd9`\x06P\xda\x1c)\xebnK\x8e*\xbe\xf1l~\xe8 \x11]v\x9b\x11\xa9E" 400 320 "-" "-"
124.88.10.176 - - [05/Oct/2011:16:52:34 +0000] "\x06\x94\xb8Y\xfb\xfaq\b\xc5\xf1\xfe\x86\xd9\x17l\x80\xdbU(Z\x1f\xb8\x90Y\x91R\xa8\xbe\x920/Y\xc23\t\x1f\xceq\xd9\xc2\xce\x83e\xe6\xc0\x15\xe0\xe0\xc0\x12#d\xf3\xd2\x8f\x02\xbd\xb6\x96~\xf8~\xf0\xc8\xdb\x81@ \x8dc\x86d\xe7\x99k9\xa4?\xe6\xf1\xf7R\xf0\x1e\xe7\xcf8\x19I\x80\xb2\x03" 400 525 "-" "-"

Around that time, the /var/log/apache2/error.log shows the following errors:
Code:

[Wed Oct 05 09:44:57 2011] [error] [client 95.108.128.240] File does not exist: /var/www/robots.txt
[Wed Oct 05 15:35:22 2011] [error] [client 113.58.243.189] Invalid method in request \x8e\x10Z\xc2}\xc6\x1b\x8f\x9amp
[Wed Oct 05 15:35:33 2011] [error] [client 218.10.62.48] request failed: error reading the headers
[Wed Oct 05 15:35:34 2011] [error] [client 59.55.159.142] Invalid URI in request A\xa3k\xc9\x88L\xf3{g\xe3\xae\x0e>\x9b\xef-F\xbf\xa6\xc9\xd1~\xe0/n\xee\xcc\x97\x13rAz\x89\xa0N\xa9M~*\x10$\xaa\xbb\x98\xa6$_\x0e\xf6\x06\xca\xdf$\x84d\x81\x80\xeb/\xc4\xe1y\xdeL~\xff\xb0x\xb4\x9e",_D\xf7{\x97\xd9\x92S\xa3$<sdCAw4\x14\xf5W\x8b\xb4\xb4*zd!\xae\x82C\xd9`\x06P\xda\x1c)\xebnK\x8e*\xbe\xf1l~\xe8 \x11]v\x9b\x11\xa9E
[Wed Oct 05 16:30:31 2011] [notice] caught SIGTERM, shutting down
[Wed Oct 05 16:32:44 2011] [notice] Apache/2.2.16 (Debian) DAV/2 SVN/1.6.12 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze3 with Suhosin-Patch proxy_html/3.0.1 mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) Phusion_Passenger/3.0.7 configured -- resuming normal operations
[Wed Oct 05 16:32:50 2011] [notice] caught SIGTERM, shutting down
[Wed Oct 05 16:37:17 2011] [notice] Apache/2.2.16 (Debian) DAV/2 SVN/1.6.12 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze3 with Suhosin-Patch proxy_html/3.0.1 mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) Phusion_Passenger/3.0.7 configured -- resuming normal operations
[Wed Oct 05 16:37:52 2011] [notice] caught SIGTERM, shutting down
[Wed Oct 05 16:39:59 2011] [notice] Apache/2.2.16 (Debian) DAV/2 SVN/1.6.12 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze3 with Suhosin-Patch proxy_html/3.0.1 mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) Phusion_Passenger/3.0.7 configured -- resuming normal operations
[Wed Oct 05 16:40:14 2011] [notice] caught SIGTERM, shutting down


16pide 10-07-2011 05:00 AM

Looks like your server was attacked, although the crash was 55 minutes after the error "Invalid URI in request A\xa3k\xc9\x88L..."
All I can suggest is that you make sure your server is up to date.

saagar 10-09-2011 02:48 PM

Hi, thanks for the reply. I am still unable to find a solution for those invalid requests. But I came to know that there were some internal issues with AWS (Amazon) servers on that day. Thanks.
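An added triage example, not part of the original thread: it pulls the access-log entries whose request field is not an HTTP request line (the 400 responses to binary data shown above) and measures how long before the first "caught SIGTERM" notice the last of them arrived. The function names are hypothetical, the sample lines are constructed (timestamps follow the posted logs, client addresses and payload bytes are placeholders), and the error-log timestamps are assumed to be in the same zone as the access log's +0000.

```python
import re
from datetime import datetime

# Constructed samples in the two log formats from the thread: timestamps follow
# the posted logs, client addresses and payload bytes are placeholders.
ACCESS_LOG = r'''
203.0.113.10 - - [05/Oct/2011:15:35:23 +0000] "\x80\xebP\xc0\"\xc6Tn" 400 525 "-" "-"
203.0.113.20 - - [05/Oct/2011:15:35:34 +0000] "A\xa3k\xc9\x88L\xf3{g" 400 320 "-" "-"
198.51.100.7 - - [05/Oct/2011:15:40:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.30 - - [05/Oct/2011:16:52:34 +0000] "\x06\x94\xb8Y\xfb" 400 525 "-" "-"
'''
ERROR_LOG = r'''
[Wed Oct 05 15:35:34 2011] [error] [client 203.0.113.20] Invalid URI in request A\xa3k\xc9\x88L\xf3{g
[Wed Oct 05 16:30:31 2011] [notice] caught SIGTERM, shutting down
'''

# The quoted request field may contain backslash-escaped quotes, so match
# either a non-quote/non-backslash character or any escaped character.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
SIGTERM_RE = re.compile(r'^\[([^\]]+)\] \[notice\] caught SIGTERM')

def malformed_requests(access_text):
    """Return (time, client, status) for entries whose request is not an HTTP request line."""
    hits = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and not REQUEST_LINE_RE.match(m.group(3)):
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((when.replace(tzinfo=None), m.group(1), int(m.group(4))))
    return hits

def first_sigterm(error_text):
    """Time of the first 'caught SIGTERM' notice (assumed to be in the access log's zone)."""
    for line in error_text.splitlines():
        m = SIGTERM_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    return None

def minutes_before_shutdown(access_text, error_text):
    """Minutes from the last malformed request preceding the first SIGTERM to that SIGTERM."""
    stop = first_sigterm(error_text)
    earlier = [t for t, _, _ in malformed_requests(access_text) if stop and t < stop]
    return (stop - max(earlier)).total_seconds() / 60 if earlier else None

if __name__ == "__main__":
    print("gap (min):", minutes_before_shutdown(ACCESS_LOG, ERROR_LOG))
```

A gap of this size, together with a malformed request that arrives after the restarts, is a timeline to compare against kernel, auth and provider status logs before tying the outage to the requests.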


All times are GMT -5.