  #1  
03-05-2012, 02:26 AM
nando99
Join Date: Dec 2005
Location: South Florida
Posts: 218
VB bringing down a whole dedicated server?

We run an active VB forum, we're hosted on a hivelocity.com dedicated server... The server has been crashing lately and the deeper we dig into the problem, the more it looks like it's the vBulletin script... Now, I don't know if it's a bug, a plugin, a messed-up server configuration or what...

Here are some error messages I get

Code:
Device Manager has determined that Intel Xeon Sandy Bridge E3-1230 3.2 (9HD3)
has failed test Ping requests on address 199.xxx.xxx.xx.
Packet loss was 100%.
Code:
Mar  3 11:36:00 server kernel: Killed process 14045, UID 507, (php)
total-vm:231396kB, anon-rss:6076kB, file-rss:27836kB
Mar  3 11:36:00 server kernel: [<ffffffff81158b1a>] ?
alloc_pages_vma+0x9a/0x150
Mar  3 11:36:00 server kernel: [<ffffffff8113f08e>] ?
remove_vma+0x6e/0x90
Mar  3 11:38:36 server kernel: [ pid ]  uid  tgid total_vm      rss cpu
oom_adj oom_score_adj name
Mar  3 11:38:36 server kernel: Killed process 15334, UID 507, (php)
total-vm:228120kB, anon-rss:9008kB, file-rss:49472kB
Mar  3 11:38:36 server kernel: [<ffffffff81158b1a>] ?
alloc_pages_vma+0x9a/0x150
Code:
tail /var/log/messages
Mar  4 18:34:57 server suhosin[24138]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'66.249.71.10', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
Mar  4 18:34:58 server suhosin[24141]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'76.109.252.163', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
Mar  4 18:34:58 server suhosin[24143]: ALERT - configured request variable name
length limit exceeded - dropped variable
'40515-I-finally-pulled-off-my-silenced-spas-12-MOAB-54-15-rushing-specialist'
(attacker '66.249.71.10', file
'/home/yeouschc/public_html/community/showthread.php')
Mar  4 18:34:58 server suhosin[24143]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'66.249.71.10', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
Mar  4 18:34:59 server suhosin[24145]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'66.249.71.10', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
Mar  4 18:35:01 server suhosin[24164]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'98.116.66.199', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
Mar  4 18:35:01 server suhosin[24166]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'91.95.248.2', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
Mar  4 18:35:02 server suhosin[24168]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'129.82.65.243', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
Mar  4 18:35:02 server suhosin[24170]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'71.142.131.78', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
Mar  4 18:35:02 server suhosin[24172]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'66.75.63.204', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
[root@server ~]#
Is it my RSS feeds? I'm at a total loss... Anyone have any idea? Thanks a million in advance!
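Added example (not part of the original thread): a small Python triage of the syslog excerpt in the post above. It re-joins the wrapped records, groups the suhosin alerts by kind together with the client addresses suhosin logs in its `attacker` field (the remote address of the request), and lists the processes the kernel killed. The function names are this example's own; the sample records are copied from the post.

```python
import re
from collections import defaultdict
# Records copied from the post's log, keeping the forum's hard line wraps.
SAMPLE = """\
Mar  3 11:36:00 server kernel: Killed process 14045, UID 507, (php)
total-vm:231396kB, anon-rss:6076kB, file-rss:27836kB
Mar  4 18:34:57 server suhosin[24138]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'66.249.71.10', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
Mar  4 18:34:58 server suhosin[24141]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value (attacker
'76.109.252.163', file
'/home/yeouschc/public_html/community/includes/class_xml.php', line 37)
Mar  4 18:34:58 server suhosin[24143]: ALERT - configured request variable name
length limit exceeded - dropped variable
'40515-I-finally-pulled-off-my-silenced-spas-12-MOAB-54-15-rushing-specialist'
(attacker '66.249.71.10', file
'/home/yeouschc/public_html/community/showthread.php')
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ALERT = re.compile(r"suhosin\[\d+\]: ALERT - (.*?) \(attacker '([^']+)', file '([^']+)'(?:, line (\d+))?\)")
OOM = re.compile(r"kernel: Killed process (\d+), UID (\d+), \((\w+)\) total-vm:(\d+)kB")

def unwrap(text):
    """Re-join wrapped records: a new record starts with a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Group suhosin alerts by kind and collect processes killed by the kernel."""
    alerts = defaultdict(lambda: {"count": 0, "clients": set(), "sites": set()})
    oom_kills = []
    for rec in unwrap(text):
        if m := ALERT.search(rec):
            msg, client, path, line = m.groups()
            kind = re.sub(r"'[^']*'|\d+", "*", msg)  # drop per-request values
            alerts[kind]["count"] += 1
            alerts[kind]["clients"].add(client)  # "attacker" field = remote address
            alerts[kind]["sites"].add(f"{path}:{line}" if line else path)
        elif m := OOM.search(rec):
            oom_kills.append({"pid": int(m[1]), "uid": int(m[2]), "name": m[3], "vm_kb": int(m[4])})
    return dict(alerts), oom_kills
```

Calling `triage()` on the full `/var/log/messages` text shows, per alert kind, how many distinct clients triggered it and which script line raised it.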
  #2  
03-05-2012, 03:21 AM
DivisionByZero
Join Date: Dec 2002
Location: South Bend, Indiana
Posts: 485

Disable php-suhosin, increase your PHP memory limit to 256M, and upgrade to the latest PHP.
  #3  
03-05-2012, 08:52 AM
setishock
Join Date: Feb 2008
Location: Houma, La.
Posts: 1,177

The word "attacker" followed by an IP sure got my attention. I washed a couple of them through some IP lookup sites and found they are from Sweden. Could be as simple as too many connections at one time and the system is crashing. Check your traffic logs.
  #4  
03-05-2012, 02:35 PM
nando99
Join Date: Dec 2005
Location: South Florida
Posts: 218

Wouldn't disabling php-suhosin decrease the PHP security?
  #5  
03-05-2012, 02:59 PM
whitedd
Join Date: Jan 2010
Posts: 110

Quote:
Originally Posted by nando99
Wouldn't disabling php-suhosin decrease the PHP security?

No

...use mod-security....
  #6  
03-05-2012, 09:05 PM
nando99
Join Date: Dec 2005
Location: South Florida
Posts: 218

Quote:
Originally Posted by whitedd
No

...use mod-security....

Do you use any specific ModSecurity rules?
  #7  
03-05-2012, 10:09 PM
DivisionByZero
Join Date: Dec 2002
Location: South Bend, Indiana
Posts: 485

Quote:
Originally Posted by nando99
Wouldn't disabling php-suhosin decrease the PHP security?

Not unless you're hosting some real shoddy code. The only way PHP can go rogue is through a script that is parsed by the PHP interpreter.
  #8  
03-05-2012, 10:30 PM
nando99
Join Date: Dec 2005
Location: South Florida
Posts: 218

Well, I've increased the limit to 256, updated to the latest version of PHP and disabled php-suhosin... I'm also using mod-security with the default configuration plus this additional code for DDoS prevention.. thoughts?

Code:
SecRuleEngine On

SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security.log

# a folder where mod_security will store data variables
SecDataDir logs/mod_security-data

# rule ids (mandatory since ModSecurity 2.7) are arbitrary values from the local-use range

# ignore requests from localhost or some other IP
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "id:10001,phase:1,nolog,allow"

# for all non-static URLs, count requests per IP
# (increase var requests by one, expires in 1 second);
# the pattern stays on one line so that continuation-line indentation
# does not end up inside the regular expression
SecRule REQUEST_BASENAME "!(\.avi$|\.bmp$|\.css$|\.doc$|\.flv$|\.gif$|\.htm$|\.html$|\.ico$|\.jpg$|\.js$|\.mp3$|\.mpeg$|\.pdf$|\.png$|\.pps$|\.ppt$|\.swf$|\.txt$|\.wmv$|\.xls$|\.xml$|\.zip$)" \
    "id:10002,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.requests=+1,expirevar:ip.requests=1"

# when the counter for this IP reaches 5,
# set var block to 1 (expires in 5 seconds) and increase var blocks by one (expires in an hour)
SecRule ip:requests "@eq 5" "id:10003,phase:1,pass,nolog,setvar:ip.block=1,expirevar:ip.block=5,setvar:ip.blocks=+1,expirevar:ip.blocks=3600"

# if user was blocked 5 or more times (var blocks>=5), log and return http 403
SecRule ip:blocks "@ge 5" "id:10004,phase:1,deny,log,logdata:'req/sec: %{ip.requests}, blocks: %{ip.blocks}',status:403"

# if user is blocked (var block=1), log and return http 403
SecRule ip:block "@eq 1" "id:10005,phase:1,deny,log,logdata:'req/sec: %{ip.requests}, blocks: %{ip.blocks}',status:403"

# 403 is some static page or message
ErrorDocument 403 "<center><h2>Go away..."