httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Warren Bell <warrenbe...@gmail.com>
Subject [users@httpd] "not found or unable to stat" crashes our site
Date Tue, 26 Sep 2017 22:25:51 GMT
Our server started to get hit with a particular URL from many different IPs. The URL was for
the file wp-login.php. We are running PHP but we are not running Word Press. This looks like
some sort of brute force attack. We have thousands of error log entries that look like this:

[Mon Sep 25 08:49:02.199784 2017] [:error] [pid 55904] [client 85.101.234.119:62848] script
'/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 08:52:59.426923 2017] [:error] [pid 62559] [client 157.50.13.248:57481] script
'/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 08:59:24.561571 2017] [:error] [pid 73252] [client 42.115.49.147:39332] script
'/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 09:03:36.470029 2017] [:error] [pid 74502] [client 24.14.179.217:34758] script
'/var/www/html/wp-login.php' not found or unable to stat

Eventually we get the following error log entry:

[Tue Sep 26 07:31:04.925077 2017] [mpm_prefork:error] [pid 53301] AH00161: server reached
MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

Then we start getting thousands of these entries:

[Tue Sep 26 07:40:26.028058 2017] [core:notice] [pid 53301] AH00051: child pid 61097 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:27.032093 2017] [core:notice] [pid 53301] AH00051: child pid 61118 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:28.032829 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory:
AH00159: fork: Unable to fork new process
[Tue Sep 26 07:40:38.034664 2017] [core:notice] [pid 53301] AH00051: child pid 61127 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:38.035026 2017] [core:notice] [pid 53301] AH00051: child pid 61116 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:38.035068 2017] [core:notice] [pid 53301] AH00051: child pid 61115 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:39.499756 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory:
AH00159: fork: Unable to fork new process
[Tue Sep 26 07:40:49.501294 2017] [core:notice] [pid 53301] AH00051: child pid 73499 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501632 2017] [core:notice] [pid 53301] AH00051: child pid 73498 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501667 2017] [core:notice] [pid 53301] AH00051: child pid 73500 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501764 2017] [core:notice] [pid 53301] AH00051: child pid 61188 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501797 2017] [core:notice] [pid 53301] AH00051: child pid 61170 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:50.509833 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory:
AH00159: fork: Unable to fork new process
[Tue Sep 26 07:41:00.512913 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory:
AH00159: fork: Unable to fork new process
[Tue Sep 26 07:41:10.529013 2017] [core:notice] [pid 53301] AH00051: child pid 61268 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:41:10.535317 2017] [core:notice] [pid 53301] AH00051: child pid 61201 exit
signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:41:10.535367 2017] [core:notice] [pid 53301] AH00051: child pid 61204 exit
signal Bus error (7), possible coredump in /etc/apache2

Then we have literally 100 or more apache2 processes running and our swap space maxes out
and the server comes to a crawl and is unresponsive.

I temporarily fixed it by putting a blank wp-login.php page in the root and restarting apache.
But now I can reproduce the same behavior by simply making a request to a bogus URL. I get
a 404 but I also get more apache2 processes running and the same log entries.

I don’t know very much about Apache and it’s configuration. Is there anyone that can help
me with this issue ?

Thanks,

Warren






---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message