Server up and down.

Moderators: Bookworm, starkruzr, MrFireDragon, PrettyPrincess, Wapsi

Post Reply
User avatar
Bookworm
Posts: 615
Joined: Sun Jul 29, 2012 11:59 pm
Location: Houston, TX
Contact:

Server up and down.

Post by Bookworm »

I've been trying to delay doing some upgrades, but there's a plugin (or an assault on the site) that's locking the server up repeatedly.

Right now, I have wordpress moved aside with just a basic text/html page. I have a new processor and motherboard ready to go in, but that's only a short term fix. To fix it long term, I need to figure out what plugin is being attacked, or otherwise why the server is spawning off 150+ php-cgi processes within 60 seconds of the system coming online - all to Wapsi Square.

BW
I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.
User avatar
AnotherFairportfan
Posts: 6402
Joined: Thu May 01, 2014 2:53 pm

Re: Server up and down.

Post by AnotherFairportfan »

Ewww.

Of course, last night, my net connection crashed, too ... right in the middle of the last stage of e-filing our taxes. (The data was all in and saved online, but when it came back a couple of hours later, i had to re-do the e-file.)
Proof Positive the world is not flat: If it were, cats would have pushed everything off the edge by now.
User avatar
DilyV
Posts: 1768
Joined: Tue Jan 15, 2013 9:03 pm

Re: Server up and down.

Post by DilyV »

Seems like something is happening across the board... the internet seems to crawl for me anymore and I've got 10gb internet... All the sudden my main computer is suffering all kinds of crap too.
You know that light at the end of the tunnel?

Yeah... it's a bullet. Sorry.
User avatar
Dave
Posts: 7584
Joined: Tue Jul 31, 2012 5:58 pm
Location: Mountain View, CA, USA

Re: Server up and down.

Post by Dave »

Bookworm, if what I read in one of the anti-spam forums is correct, it's not just you. The Bad Guys are out scanning around looking for exploitable WordPress sites again.

EDIT: the RevSlider plugin has been a target recently ("Slider Revolution"). Apparently comes bundled with many UI themes, with auto-updates disabled. Versions prior to 4.1.4 were at risk.

There may well be some new (even "zero-day") explioits in WordPress plugins being used :(
User avatar
Bookworm
Posts: 615
Joined: Sun Jul 29, 2012 11:59 pm
Location: Houston, TX
Contact:

Re: Server up and down.

Post by Bookworm »

Well, I did a manual upgrade to the wp-super-cache plugin, but I wasn't willing to spend another two hours breaking back into the server if it didn't work. (I have the flu)

I'm going to change the board out - from a dual core to a quad core, with double the ram. That should absorb the impact better and let me figure out what's going nuts.

151 apache processes, of which they want between .7 and 1.7 percent CPU does some damage.
I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.
JamesM
Posts: 1
Joined: Fri Jan 30, 2015 9:44 am

Re: Server up and down.

Post by JamesM »

The page directing traffic to the forums has the URL misspelled.

Currently the redirect page has: http://forum.wapsisqare.com

Should be http://forum.wapsisquare.com
User avatar
Bookworm
Posts: 615
Joined: Sun Jul 29, 2012 11:59 pm
Location: Houston, TX
Contact:

Re: Server up and down.

Post by Bookworm »

Fixed. Would you believe I had to retype that three times to get it to that level of incorrect? Being ready to collapse from the flu isn't condusive to accurate spelling.
I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.
User avatar
Dave
Posts: 7584
Joined: Tue Jul 31, 2012 5:58 pm
Location: Mountain View, CA, USA

Re: Server up and down.

Post by Dave »

Ugh... sorry to hear that it's not just the server/board that is under the weather.

Here's hoping that proper application of chicken soup, hot rum toddies, and sleep (in whatever order) help you get back to feeling better soon!
User avatar
Bookworm
Posts: 615
Joined: Sun Jul 29, 2012 11:59 pm
Location: Houston, TX
Contact:

Re: Server up and down.

Post by Bookworm »

I changed out the board and memory, and it looks like the load is back to normal. I do suspect there is/was an assault going on.

BW
I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.
User avatar
AnotherFairportfan
Posts: 6402
Joined: Thu May 01, 2014 2:53 pm

Re: Server up and down.

Post by AnotherFairportfan »

So, i'm seeing yesterday's comic, not today's.

Perhaps the intermediate servers haven't updated yet?
Proof Positive the world is not flat: If it were, cats would have pushed everything off the edge by now.
User avatar
Mark N
Posts: 1370
Joined: Tue Jul 31, 2012 11:51 pm
Location: Central Florida

Re: Server up and down.

Post by Mark N »

You did the best that could possibly be done and it worked. Thank you for bringing the site back to life. Now please just take care of yourself Bookworm.
This message is brought to you by the "Let the artist know how much you LOVE his work" council.
User avatar
Bookworm
Posts: 615
Joined: Sun Jul 29, 2012 11:59 pm
Location: Houston, TX
Contact:

Re: Server up and down.

Post by Bookworm »

I haven't gotten back home yet.

Anyway - tracked it down. It wasn't just wapsi, but that's the biggest target, and it was wapsi the last few times.

Specifically, it's an attack on xmlrpc.php (used for pingbacks, mostly). Apparently often used to try to inject a referral to another website. One attacking server is in Missouri, another in Russia. (The Russian one is trying to hack wp-login.php)

The new hardware should be better at absorbing the impact of the assaults until I can block their IP's.
I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.
User avatar
Dave
Posts: 7584
Joined: Tue Jul 31, 2012 5:58 pm
Location: Mountain View, CA, USA

Re: Server up and down.

Post by Dave »

Ouch! Sorry you're in somebody's sights.

Would OSSEC or a similar automated defense mechanism help out? (Of course, there's the problem of distinguishing between genuine attackers, and rabid Wapsi fans :) )
User avatar
Bookworm
Posts: 615
Joined: Sun Jul 29, 2012 11:59 pm
Location: Houston, TX
Contact:

Re: Server up and down.

Post by Bookworm »

These are automated attacks. I'm seeing them on at least three different sites.

the "fix" is to disable xmlrpc.php - but that also disables the ability to do pingbacks. Of course, for webcomics, I suspect that pingbacks aren't that important.
I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.
Post Reply