Server Sending Bad Requests
Jul 25, 2008
My server is still effed up from the MPack attack that I received.
I just received the following email. Does anyone know what this means or how it could be done? The client IP is mine, so somehow my server is sending that request?
72.233.79.2 (malwarebytes.org) Server Log:
[Thu Jul 24 13:05:07 2008] [error] [client 72.55.184.144] mod_security:
Access denied with code 403. Pattern match ".../" at THE_REQUEST
[id "300006"] [rev "1"] [msg "Bogus Path denied"] [severity "CRITICAL"]
[hostname "www.malwarebytes.org"] [uri
"/errors.php?error=[url][unique_id "tNAGeH8AAAEAAEsfD7wAAAAO"]
[Thu Jul 24 13:05:07 2008] [error] [client 72.55.184.144] mod_security:
Access denied with code 403. Pattern match ".../" at THE_REQUEST
[id "300006"] [rev "1"] [msg "Bogus Path denied"] [severity "CRITICAL"]
[hostname "www.malwarebytes.org"] [uri
"/forums/errors.php?error=[url][unique_id
"tNAPAn8AAAEAAD7mqWQAAAAl"]
[url] is the RKHunter scan log
[url] is the ChkRootKit scan log.
I'm going through this thread right now:
[url] ("How-to detect a possible intruder?") and I've come across a handful of hidden directories:
/home/mifbody/public_html/vbulletin/arcade/images/. /. /xh
/home/mifbody/public_html/vbulletin/arcade/images/. /. /xhide.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/convertxdccfile.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/iroffer_admin.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/iroffer_dccchat.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/iroffer_display.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/iroffer_main.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/iroffer_md5.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/iroffer_misc.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/iroffer_statefile.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/iroffer_transfer.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/iroffer_upload.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /obj/iroffer_utilities.o
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/convertxdccfile.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_admin.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_config.h
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_dccchat.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_defines.h
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_display.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_globals.h
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_headers.h
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_main.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_md5.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_md5.h
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_misc.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_statefile.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_transfer.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_upload.c
/home/mifbody/public_html/vbulletin/arcade/images/. /. /src/iroffer_utilities.c
I was able to successfully delete all the files, but how do I now get rid of the directories themselves? When I do:
rm -fr "/arcade/images/. /"
and then locate ". "
I still get:
/home/mifbody/public_html/vbulletin/adserver/banners/.
/home/mifbody/public_html/vbulletin/alice/src/admin/.
/home/mifbody/public_html/vbulletin/arcade/images/.
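As an added example, not code from the original post, a POSIX shell script that finds and removes directories whose names are only dots and spaces, the "images/. /. /" pattern in the listing above, while leaving ordinary names that merely contain a space alone. The sample tree it builds and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Locates directories named only
# with dots and spaces (". ", ". .", "... ") under a web root and removes them
# with their contents. The tree built by make_sample_root is constructed.

# Build a throwaway tree mirroring the layout from the post (constructed).
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/vbulletin/arcade/images/. /. /obj"
    mkdir -p "$root/vbulletin/adserver/banners/. "
    mkdir -p "$root/vbulletin/alice/src/admin/. "
    mkdir -p "$root/vbulletin/arcade/images/legit dir"   # a real name with a space
    : > "$root/vbulletin/arcade/images/. /. /xhide.c"
    : > "$root/vbulletin/arcade/images/. /. /obj/iroffer_main.o"
    : > "$root/vbulletin/arcade/images/legit.png"
    printf '%s\n' "$root"
}

# Print every directory under $1 whose basename is made only of dots and
# spaces and contains at least one space ("." and ".." never match).
# -depth prints the deepest entries first, so a nested ". /. /" chain is
# reported (and later removed) children-first.
find_hidden_dirs() {
    find "$1" -depth -type d -name '* *' | while IFS= read -r path; do
        base=${path##*/}
        # Strip every dot and space; anything left means it is a real name.
        stripped=$(printf '%s' "$base" | tr -d '. ')
        [ -z "$stripped" ] && printf '%s\n' "$path"
    done
}

# Number of such directories under $1, for a before/after check.
count_hidden_dirs() {
    find_hidden_dirs "$1" | wc -l | tr -d ' '
}

# Remove the matching directories. The path is always quoted and passed
# after "--" so the trailing space and the leading dot cannot be mangled.
remove_hidden_dirs() {
    find_hidden_dirs "$1" | while IFS= read -r path; do
        rm -rf -- "$path"
    done
}

# Usage on a real web root: review the listing first, then remove.
#   find_hidden_dirs /home/mifbody/public_html
#   remove_hidden_dirs /home/mifbody/public_html
```

Note that `locate` reads a database refreshed by a periodic updatedb run, so it can still report paths that were already deleted; verify with `find` against the live filesystem instead.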
Mar 28, 2008
I have a Qmail server that is using relays.ordb.org.
As you probably know, this shut down two years ago. But it is now sending all requests as spam. No one is receiving their emails.
This is a standard Qmail, with a hacked qmail-send which integrates with Mysqld.
It is not installed with qmailrocks, or supervise. Can't find the config text file.
How can we remove traces or references to relays.ordb.org?
Oct 8, 2007
There seems to be some problem with my server: none of the websites hosted on my server are accessible; the HTTP requests either return a blank page or a page with a red square in the upper left hand corner.
I am not sure if this is some kind of infection, or a DNS problem, or a problem with the memory Apache is taking up,
as I have thousands of virtualhost entries in my access log accumulated over the years, out of which only a few 100 websites I am serving presently, but I never deleted the non-existent virtualhost blocks.
At times the websites are opening, but most of the time they are not. And when they do not open, my HTTP requests are not logged in the Apache access log.
Even the customers have reported the same problem.
Also, just four days back I had a strange issue where all
HTTP requests to my server would take me to [url].
I can SSH to server, and everything else is working fine.
Apr 12, 2014
I've spent the last several months working on a huge upgrade of a couple dozen websites. The upgrades include modifying Apache so that visitors who arrive at links pointing to mysite/World/New_York are redirected to mysite/world/new-york. In other words, all my links now default to lower case, and underscores are replaced with dashes.
Unfortunately, publishing it has been an endless series of disasters. My websites are now all crashed, and the server is unbelievably slow. It takes pages forever to load (if they load at all), and I can scarcely publish files online. So the following notice sent to me by my webhost got my attention.
It appears your own server IP is making GET requests to Apache, causing excessive loading and causing service failures. On today's date, your IP made almost 6,000 connections to Apache:
[root@host ~]# grep 64.91.229.106 /usr/local/apache/domlogs/mysite.org | wc -l 5924 [root@host ~]#
These were all the same request:
64.91.229.106 - - [12/Apr/2014:08:10:10 -0400] "GET /404.php HTTP/1.0" 200 14294 "-" "-"
And that made up the total of requests:
[root@host ~]# grep 64.91.229.106 /usr/local/apache/domlogs/mysite.org | grep "GET /404.php HTTP/1.0" | wc -l 5924 [root@host ~]#
May 8, 2007
I host my DNS with DNSmadeeasy.com. I noticed that I have daily more than 350.000 DNS requests for the main domain. This domain gets about 80.000 uniques/day, so it is strange how there can be 350.000 DNS requests/day. It seems that I'll go over the quota because of this.
The TTL for all domains is set to 86400.
Is there a way to discover how it's possible? And also, is there a way to do something to make this number (DNS requests) lower?
Apr 20, 2008
Where is a server's IP address for outgoing requests set? e.g. if a script on the server fetches ip-address.com, the IP that is identified there. A server may have multiple IPs pointing to it, but there's only one that outgoing requests are funneled through. I've tried changing "Main Shared IP" in WHM, but that doesn't seem to affect this.
Is this set server-side, in some setting file - or is this a datacenter thing?
Jan 19, 2008
I currently have a web VPS hosted with FDCServers.net, and after 5 days of switching to it I am getting massive HTTP requests. When I log in to WHM and hit Apache status I have many requests per second by multiple IPs that are going to pages that simply don't exist. Currently my hostname for the server is set to web-01.optical-hosting.com, which is what the requests are being sent to. I am also having a DNS issue, because when I put http://web-01.optical-hosting.com in the web browser it displays the first account's site under "list accounts" in cPanel. Can someone please help me fix both of these issues? I will post an Apache log in a second post as it is long. Also, these are from overseas. Please, someone help me with this; I have AIM and MSN.
Jul 24, 2009
When I try to open any website hosted on my server (around 50 of them) I am being taken to the following malware websites:
[url]
[url]
This is a problem with my Linux server running Apache and not a virus on my local computer, as customers from all over are reporting the same issue.
As soon as I restart Apache everything returns to normal with no such redirects.
I think my server is being attacked, causing HTTP requests to get redirected to some malicious website.
This issue would resurface almost every hour and would not go away till I restart Apache.
So far my datacenter techs have not been able to identify the cause of this.
Dec 3, 2007
A user is reporting this error when receiving emails:
451 - The server has reached its limit for processing requests from your host
I've searched for this error message but haven't found much info.
Jun 4, 2009
My Linux server's HTTP daemon (Apache) would stop serving websites every so often; as soon as Apache is restarted the error fixes itself, only to resurface within a few hours.
The Apache process would still be running, i.e. Apache does not die, but no websites hosted on my server would be accessible from a browser. And when this happens the Apache logs do not log any HTTP requests.
Instead, when this happens all HTTP requests to my server would be redirected to some weird Trojan website and my Norton Antivirus would show an Alert/Warning, for example:
"Browser exploit at www.xxx.xxx was blocked"
Risk Name: MSIE WebViewFolderIcon ActiveX Control BO
or another error like:
"Auto-Protect has detected Trojan.Fakeavalert".
At first I thought the problem could be with my laptop/ISP, so I logged on to the server via SSH and tried to open a website using the command line "lynx mywebsite.com", and it shows the following error:
"Alert!: HTTP/1.0 503 Service Unavailable".
Now, if I assume my laptop were to be infected, then as soon as I restart my Apache and visit mywebsite.com everything returns to normal with no such warnings. Why do I see those Norton error messages only when Apache is down with 503, and when Apache is down with 503 how come the HTTP requests always get redirected to some suspicious websites and nothing gets logged in the Apache error log?
I think my server is being attacked, causing HTTP to get unresponsive, and thereafter HTTP requests to my server are redirected to some malicious website. Is this correct?
Also, I suspect this is a PHP script exploit, as some customers have reported that Google has blocked their website due to security reasons; I found <iframe> tags inserted in some PHP pages, which I fixed.
Also, another thing I noticed:
when Apache responds with the 503 it is referencing PHP 5.1.4 in the header response:
[root@]# curl -I xxx.xxx.xxx.xxx (my server ip)
HTTP/1.0 503 Service Unavailable
Server: Apache
X-Powered-By: PHP/5.1.4
Retry-After: 20
I am running PHP 4.3.9, so why does Apache respond with PHP 5.1.4 when this 503 error surfaces?
Also, since my Apache was down with the 503 error, a customer mailed in today saying:
"It seems that my site www.xxxx.com is regularly down, and the winlogon virus is involved."
I suspect this is again due to the fact that HTTP requests start getting redirected?
Mar 27, 2013
I'm running Apache 2.4.4 on Windows Server 2008 R2. It's already happened many times that Apache stopped responding to requests. The last entry in the error.log:
[Wed Mar 27 06:22:07.043600 2013] [mpm_winnt:notice] [pid 1736:tid 256] AH00354: Child: Starting 64 worker threads.
[Wed Mar 27 06:52:34.521200 2013] [mpm_winnt:error] [pid 1736:tid 1656] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
Jan 31, 2008
Yesterday I installed Tomcat on a RHEL 4 + cPanel and httpd 2.0.63 server using easyapache3. The process was OK; JSP pages are loading fine using http://site.com/example.jsp, but servlets are not working using http://site.com/example. However, if I load http://site.com:8080/example it loads the servlet perfectly.
I read something about redirecting all traffic from port 80 to 8080, but you know, this is a shared server, and that would affect all customers on the server.
So mod_jk seems to be the only solution. Now, I read many documents over the web, but none seems to work for configuring apache2 and mod_jk installed using the easyapache3 script.
In my httpd.conf file, I have this:
LoadModule jk_module modules/mod_jk.so
Include "/usr/local/apache/conf/jk.conf"
At jk.conf I have this content: ...
Jun 19, 2007
I migrated a client from a Windows server to Linux and everything is fine except that mail sent to this client (say, example1.com) from a particular domain (say, example2.com) simply disappears and does not reach at all. Mail sent to that other domain (example2.com) from my new client (example1.com) is delivered correctly.
Incidentally, that other domain (example2.com) from which the mail is sent is with the hosting provider who was earlier providing services for my newly acquired client. Should I suspect anything? Or, is there a way to figure out what's happening?
I have MailScanner running on my VPS, but it isn't configured to filter at RBL level, only at Exim level, so I don't think this is the issue.
Jan 11, 2009
I currently have a dedicated server, Linux, with 1 website on it that is sending spam.
At first I thought it was someone spoofing my email address; however, when I check my server's email queue I can see the spam emails in there being sent.
My problem is that I have contacted my server provider and support for the scripts I'm running, and everyone is saying it's the other person's fault. My server provider is saying everything is up to date and it must be a software exploit in one of my scripts, and the support team from my software is saying it's not them, that it's the server.
Apr 2, 2007
I got a 2nd notice from my ISP complaining that spam is being sent from my dedicated box. Since the first notice, I had stopped all the mail-related services (sendmail, mailman, courier-imap), which means no emails will be sent out from this box. However, I still received the 2nd notice for spamming.
Own dedicated box running CentOS 4.2 with Plesk 8.1, 1 site hosted on it.
My concerns are:
1. Is my box hacked into and hijacked to send out spam? If yes, how can I check for system integrity?
2. Based on the service status dump, is there something else I need to do in the meantime to stop the box from sending out spam?
3. If there's someone who is willing to help out, I'm willing to pay a small amount (~$50, sorry I'm broke!) to fix the server and just kinda help me through the process.
Mar 24, 2009
I am using Shopping Script. There is again a constant problem of 'Helpdesk notification' not being sent to the admin email.
Sometimes Helpdesk notification emails come, sometimes not.
In order to start getting Helpdesk notification emails, I need to restart my server and it starts working.
It means there is nothing wrong with the Shopping script, as it starts working as soon as the server is restarted.
I am running on a Windows 2003 server, with IIS support.
This is the reply I got from Script support:
------------------------------------------------------------
It's not in our compatibility, but we can propose a couple of pieces of advice to you:
1) You can test the php function mail() which is responsible for this process;
For this you may create a simple script with the following line:
mail($mail_to, $mail_subject, $mail_body, $headers_string);
Of course, you need to paste your own real values here. Then you need to launch this script every minute since the server restarted and follow the logs of what is happening there.
2) As we see you are using Microsoft FTP Service. The most probable reason for this is the issue with windows mail function - either the service itself is not reliable or it is just set incorrectly. Our administrator says that the issue with mail sending on this server happens quite often. So you can try to google the problem with the queue of windows mail function, for sure there must be some more advice as to how to resolve this.
It is possible that there is a restriction set on the order of the sending mail, so when the queue is full, the mail stops sending.
Anyway that's all that we can advise you on this case because if the notification is sent at all then it means this function is working in our shopping cart and the issue is with something else.
Jun 8, 2009
I have a client who is a media company and is interested in using a dedicated server in order to send their daily e-newsletters by email. The server will only host a script for handling the email distribution and email database.
They need to send approximately 20,000 emails every working day, in blocks of 5,000 emails. Each email includes an attached PDF file of 3Mb (this means less than 2,000Gb of bandwidth every month). They want each block of 5,000 emails to be sent within maximum 2 hours.
Please let me know the suggested configuration for a server to handle this email load.
Feb 13, 2008
I've a new server with 2 IPs.
I can't send emails to Hotmail.
I made SPF, DomainKeys, rDNS.
Everything is OK. I contacted Hotmail to be part of the SenderID program, and they told me 2 days and sending will be OK. I waited for 10 days; till now every new member can't receive the activation email. What shall I do?
My server is not an open relay... Not in a blacklist....
Jun 28, 2008
If I am using Google Apps for Domain, how can I send mail from my physical server (like from scripts)?
Jun 21, 2009
Recently I have encountered a problem with Gmail accounts; I cannot send any messages to Gmail from our server by IP address 64.85.165.82 at all.
Kindly refer me to the best cure to fix the problem, and I declare that any needed item will be made available.
Some of the messages appearing are listed below.
Our server IPs:
64.85.165.82
64.85.165.83
Message 1MGpDu-0005sl-3a is not frozen
LOG: MAIN
cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -M 1MGpDu-0005sl-3a
delivering 1MGpDu-0005sl-3a
Connecting to gmail-smtp-in.l.google.com [72.14.247.114]:25 ... failed: Connection timed out (timeout=5m) ....
Jul 1, 2009
I have had a problem in my server since 2 weeks ago: the server stopped sending mail to Yahoo and Hotmail, but to Gmail it sends fine without any problem. I made SPF and added it for all domains; after that mail worked well for 1 day, and after that the problem came again.
Nov 6, 2008
My datacenter has told me about my server sending a high amount of outbound bandwidth:
During the attack time, in my email logs I found several messages:
cpdavd failed @ Thu Nov 6 12:21:18 2008. A restart was attempted
automagically.
Question #1. How can I check which user is using cpdavd (connecting from their PC to the home folder)?
I suspect someone is connecting their PC to my server and uses very high bandwidth!
The datacenter says the attack is still going on when they plug in the server.
Question #2. How can I check what is sending outgoing traffic on the server right now?
Nov 22, 2008
I know how to do this by analysing the headers, but we have a customer who doesn't believe what we are telling them.
Is there some kind of 3rd party service or script that we can point them to? So they can send an email to the service (or paste headers, or whatever) and it tells them who is the sending mail server hostname/ip?
(The problem is that this customer doesn't understand that all email sent from the server uses the same SMTP server hostname/ip. They are convinced that if they connect to "mail.their domain.com" then this is what is reported as the sending mail server/IP.)
Apr 17, 2007
Whenever I send mail, it never gets sent and I get the following error under "View Mail Statistics" in WHM:
1 xxx@aol.com R=fail_remote_domains: unrouteable
mail domain "aol.com"
I have only recently noticed these errors, as my mail was working before.
Aug 11, 2007
I purchased a server from LayeredTech a few months back, and I just realised that no one is receiving emails of their subscription in the forums, no contact forms are working on the website; simply, the server is not sending out the emails.
How can I fix it, or where do I check what's wrong and why it's not sending emails?
Jan 4, 2009
As described in the title, I need a paid monitoring service which provides SMS alerts and tells SoftLayer immediately so they can investigate the issue and do what is needed to bring the server online.
I like the hyperspin.com service, but it looks like there is no way to send SoftLayer an automated notification because there is a need to open a ticket.
I can't be present at my office 24 hours, so I need this service which alerts me by SMS about the failure and simultaneously tells my provider so my server will not be down for a long time.
Apr 11, 2009
I have a website with a 70,000-user email subscriber database. We currently send all emails from a dedicated mail server sitting in our office. It's very old and unreliable, and our emails are constantly going to people's junk.
I've looked into things like Campaign Monitor, which looks great, but our custom-made email system is already in place and all we really need is a dedicated and safe SMTP server to use for the actual sending of the mail.
I've looked at things like SMTP2go, which I have used when overseas and works great, but I'm looking for something more designed for the sending of mass mailouts, as well as the day-to-day emails sent from the site (signup confirmations, forgotten password reminders, etc.).
Jun 11, 2008
We are based in Canada. Do we have to pay taxes/duties when sending a server out to the US for colocation?
Jul 27, 2008
I got a server from Limestone Networks; after two days they sent me a mail, "Bulk mail. Description: Bulk mail complaints - #1", and charged me $25 for this as a penalty, even though I have not hosted a domain on the server or sent any email from there. How they can charge for this I don't understand. I took their server with the help of this forum.