httpd-users mailing list archives

From "saikiran.m29@wipro.com" <saikiran....@wipro.com>
Subject [users@httpd] RE: ** Newsletter/Marketing email** [users@httpd] "not found or unable to stat" crashes our site
Date Fri, 10 Nov 2017 06:25:59 GMT
Hi Warren,

Use mod_rewrite conditions for blocking the URL from a particular URI/extension. And you can
use only prefork as you are hosting PHP. If you are using prefork MPM you should have large
memory and other resources. Send the prefork MPM values & average requests to your site
to calculate and suggest the best MPM setting.

Best Regards

Saikiran M

-----Original Message-----
From: Warren Bell [mailto:warrenbell2@gmail.com]
Sent: 27 September, 2017 03:56 AM
To: users@httpd.apache.org
Subject: ** Newsletter/Marketing email** [users@httpd] "not found or unable to stat" crashes our site


Our server started to get hit with a particular URL from many different IPs. The URL was for
the file wp-login.php. We are running PHP but we are not running WordPress. This looks like
some sort of brute force attack. We have thousands of error log entries that look like this:

[Mon Sep 25 08:49:02.199784 2017] [:error] [pid 55904] [client 85.101.234.119:62848] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 08:52:59.426923 2017] [:error] [pid 62559] [client 157.50.13.248:57481] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 08:59:24.561571 2017] [:error] [pid 73252] [client 42.115.49.147:39332] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 09:03:36.470029 2017] [:error] [pid 74502] [client 24.14.179.217:34758] script '/var/www/html/wp-login.php' not found or unable to stat

Eventually we get the following error log entry:

[Tue Sep 26 07:31:04.925077 2017] [mpm_prefork:error] [pid 53301] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

Then we start getting thousands of these entries:

[Tue Sep 26 07:40:26.028058 2017] [core:notice] [pid 53301] AH00051: child pid 61097 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:27.032093 2017] [core:notice] [pid 53301] AH00051: child pid 61118 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:28.032829 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
[Tue Sep 26 07:40:38.034664 2017] [core:notice] [pid 53301] AH00051: child pid 61127 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:38.035026 2017] [core:notice] [pid 53301] AH00051: child pid 61116 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:38.035068 2017] [core:notice] [pid 53301] AH00051: child pid 61115 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:39.499756 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
[Tue Sep 26 07:40:49.501294 2017] [core:notice] [pid 53301] AH00051: child pid 73499 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501632 2017] [core:notice] [pid 53301] AH00051: child pid 73498 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501667 2017] [core:notice] [pid 53301] AH00051: child pid 73500 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501764 2017] [core:notice] [pid 53301] AH00051: child pid 61188 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501797 2017] [core:notice] [pid 53301] AH00051: child pid 61170 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:50.509833 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
[Tue Sep 26 07:41:00.512913 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
[Tue Sep 26 07:41:10.529013 2017] [core:notice] [pid 53301] AH00051: child pid 61268 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:41:10.535317 2017] [core:notice] [pid 53301] AH00051: child pid 61201 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:41:10.535367 2017] [core:notice] [pid 53301] AH00051: child pid 61204 exit signal Bus error (7), possible coredump in /etc/apache2

Then we have literally 100 or more apache2 processes running and our swap space maxes out
and the server comes to a crawl and is unresponsive.

I temporarily fixed it by putting a blank wp-login.php page in the root and restarting apache.
But now I can reproduce the same behavior by simply making a request to a bogus URL. I get
a 404 but I also get more apache2 processes running and the same log entries.

I don’t know very much about Apache and its configuration. Is there anyone that can help
me with this issue?

Thanks,

Warren
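
As an added example (not part of the original thread and not Apache project code), this Python script triages an error log like the one quoted above: it groups "not found or unable to stat" entries by script path and distinct client address, and counts the worker and memory exhaustion codes that follow (AH00161, AH00159, AH00051). The sample lines are constructed, with documentation-range client addresses and a made-up second path; the function name `triage` and the `min_clients` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Apache 2.4 error-log format quoted in the thread.
# Client addresses are documentation-range placeholders, not real sources.
SAMPLE_LOG = """\
[Mon Sep 25 08:49:02.199784 2017] [:error] [pid 55904] [client 192.0.2.10:62848] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 08:52:59.426923 2017] [:error] [pid 62559] [client 198.51.100.7:57481] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 08:59:24.561571 2017] [:error] [pid 73252] [client 203.0.113.5:39332] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 09:01:10.000001 2017] [:error] [pid 73252] [client 203.0.113.5:39340] script '/var/www/html/missing.php' not found or unable to stat
[Tue Sep 26 07:31:04.925077 2017] [mpm_prefork:error] [pid 53301] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Tue Sep 26 07:40:26.028058 2017] [core:notice] [pid 53301] AH00051: child pid 61097 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:28.032829 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
"""

# Requests for a PHP script that does not exist on disk.
PROBE = re.compile(
    r"\[client (?P<ip>[^\]]+):\d+\] script '(?P<path>[^']+)' not found or unable to stat"
)
# AH00161: worker limit hit, AH00159: fork failed, AH00051: child killed by a signal.
EXHAUSTION = re.compile(r"\b(AH00161|AH00159|AH00051)\b")


def triage(log_text, min_clients=3):
    """Summarise missing-script probes and resource-exhaustion events."""
    clients = defaultdict(set)    # script path -> distinct client IPs
    hits = defaultdict(int)       # script path -> number of requests
    exhaustion = defaultdict(int)  # AH code -> occurrences
    for line in log_text.splitlines():
        probe = PROBE.search(line)
        if probe:
            clients[probe["path"]].add(probe["ip"])
            hits[probe["path"]] += 1
            continue
        code = EXHAUSTION.search(line)
        if code:
            exhaustion[code.group(1)] += 1
    # A path requested by many distinct clients points at a distributed scan
    # rather than one broken link or one misbehaving visitor.
    distributed = {
        path: {"hits": hits[path], "clients": len(ips)}
        for path, ips in clients.items()
        if len(ips) >= min_clients
    }
    return {"distributed_probes": distributed, "exhaustion": dict(exhaustion)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Paths listed under `distributed_probes` are candidates for the mod_rewrite block suggested in the reply, and any non-zero `exhaustion` count shows the prefork limits exceed what the host's memory can carry.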





