Hi all, I noticed that for the past 4 hours the processor usage on one of my servers (running wheezy, up to date, with the latest ispconfig) has been spiking to about 60% while usually it stays at 10. The relevant info I could gather:

Top:
Code:
20886 web2      20   0 96240  18m  12m S 23.8  0.9   0:04.57 php-cgi
20889 web2      20   0 96752  19m  12m S 23.0  1.0   0:05.10 php-cgi

ls -l /proc/20886/exe
Code:
lrwxrwxrwx 1 web2 client3 0 Feb  2 18:26 /proc/20886/exe -> /usr/bin/php5-cgi

Some of the Apache access log:
Code:
212.92.204.2 - - [02/Feb/2014:15:24:16 +0200] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 495 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
190.9.33.76 - - [02/Feb/2014:16:39:04 +0200] "POST //%63%67%69%2D%62%69%6E/%70%68%70/%70%68%70%35?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 500 822 "-" "-"

The web2 client3 runs a Joomla website which is also up to date, and it's configured in the panel to run fast-cgi with suexec enabled.
I guess you run an outdated PHP version. Please see here: http://www.howtoforge.com/forums/showthread.php?t=63786
Hi Till, I'm running php 5.4.4-14. Is there a tutorial to upgrade to the latest version without affecting ispconfig?
Ok, just seen that you use wheezy. The PHP version is ok and not vulnerable to that PHP CGI exploit. Have you checked the access.log of that site? Maybe there is just a lot of traffic. And have you checked the mail queue, if there is an unusual amount of email in the queue?
Mail queue is empty, but there are indeed a lot of admin login attempts like:
Code:
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:28 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:28 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:29 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:29 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:30 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:30 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:31 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:31 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:32 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:32 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:32 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:32 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:32 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:32 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:33 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:33 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:33 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:33 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:33 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:34 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:34 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:34 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"

The majority comes from the same IP address, which I will block for now.
Ok, this looks like a brute force attempt to get the admin password of that site. If that's the case, then your server is not hacked. The best you can do is to ban the IP address. There are also tools to do that automatically; do a search for the Apache mod_evasive module, it might help you to protect the site.
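The two patterns in this thread (the URL-encoded php-cgi option injection in the first post, and the rapid-fire POSTs to /administrator/index.php above) can both be spotted from the access log before anything is blocked. The following is an added example, not code from the thread or from ISPConfig: it parses Apache combined-format lines (with or without the "vhost:port" prefix ISPConfig writes), decodes each request target, flags query strings that smuggle php-cgi command-line options, and counts login POSTs per source address. The sample lines, the login path and the threshold of 5 are constructed assumptions; tune them to the site.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache combined-format line, with the optional "vhost:port " prefix seen in the thread.
LOG_RE = re.compile(
    r'^(?:\S+:\d+\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# php.ini directives that a php-cgi argument-injection request tries to force via "-d".
DIRECTIVES = ("allow_url_include", "auto_prepend_file", "disable_functions",
              "safe_mode", "open_basedir", "cgi.force_redirect")

def is_php_cgi_injection(target):
    """True when the request smuggles php-cgi command-line options in the query string."""
    path, _, query = target.partition("?")
    path, query = unquote_plus(path).lower(), unquote_plus(query).lstrip()
    # Options like "-d safe_mode=off" or "-n" only make sense as php-cgi argv, never as a form.
    return query.startswith("-") and ("cgi" in path or any(d in query for d in DIRECTIVES))

def analyze(lines, login_path="/administrator/index.php", threshold=5):
    """Return (ips sending php-cgi injections, {ip: POST count} at or above threshold)."""
    injections, posts = set(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash on a hostile log entry
        ip, method, target = m["ip"], m["method"], m["target"]
        if is_php_cgi_injection(target):
            injections.add(ip)
        if method == "POST" and target.split("?", 1)[0] == login_path:
            posts[ip] += 1
    return injections, {ip: n for ip, n in posts.items() if n >= threshold}

# Constructed sample (RFC 5737 addresses) mimicking the two patterns from the thread.
SAMPLE = [
    '203.0.113.9 - - [02/Feb/2014:15:24:16 +0200] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E HTTP/1.1" 404 495 "-" "-"',
    'example.com:80 198.51.100.7 - - [02/Feb/2014:19:09:28 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"',
] + [
    f'example.com:80 198.51.100.7 - - [02/Feb/2014:19:09:{28 + i // 2} +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"'
    for i in range(6)
] + [
    'example.com:80 192.0.2.44 - - [02/Feb/2014:19:09:40 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"',
    'example.com:80 192.0.2.44 - - [02/Feb/2014:19:09:41 +0200] "POST /index.php?option=com_content&view=article HTTP/1.0" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Addresses returned by analyze() are candidates for a firewall rule or a fail2ban jail; a single login POST, like the one from 192.0.2.44 here, stays below the threshold so normal admins are not caught.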
I blocked it from the router for now and the spikes went off. I will try also the apache module. Thanks for your help!
Fail2ban can only help here if the cms is able to write a log file for failed login attempts that includes the IP of the attacker.
Blocked by Gmail

Hello, I was checking the server logs until I found this:
Code:
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
BD88A401CA0     6815 Mon Feb  3 13:42:08  [email protected]
(host alt1.gmail-smtp-in.l.google.com[74.125.143.26] said: 421-4.7.0 [149.210.159.9      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. ap10si13631220lac.35 - gsmtp (in reply to end of DATA command))
                                         [email protected]

A809C401CDE    17007 Tue Feb  4 19:24:15  [email protected]
(host alt1.gmail-smtp-in.l.google.com[173.194.71.26] said: 421-4.7.0 [149.210.159.9      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. oq4si13536098lbb.162 - gsmtp (in reply to end of DATA command))
                                         [email protected]

-- 24 Kbytes in 2 Requests.

How can I check where those emails come from? I do not want to be marked as a spammer! Any suggestions would be very much appreciated!
Do you provide SMTP service on your server? It appears that someone is using your SMTP server to send spam mail to Google. You may also contact Google support to request that they unblock your IP.
Atomic Mod Security Rules can block them within 1 second! Try it for one month free! You will never, never regret it! https://atomicorp.com/products/modsecurity.html You must have the newest Apache modsecurity installed first: http://www.modsecurity.org/