Problems at my other host

Here are a couple of interesting forum announcements by my other host -

Last Wed...
We are experiencing severe problem with the *servername* server (Mail & MySQL) due to a DOS attack occurring against the facility.

The attack is not directed at *nameof*Host or any of it's clients.

The reason it is only affecting this server is because this server turns out to be only on a single-homed system and not on the multi-homed systems that the remainder are on. I was under the impression that the computers in this facility were all multi-homed.

Last Thurs...
We have to change the MySQL, Mail & CP server (*servername*) from the single-homed line to the multi-homed line to stop the problems with DOS attacks. We will be doing it this evening at an estimated time of between 3-5 am Pacific Standard Time.

We will be changing the following IP to:
XX.28.158.18 -> XX.154.89.33

Some users may experience a short downtime and if you are using IP settings for connectivity with your mail or MySQL connectivity, you will need to make the modifications manually.
~~~~~~~
Thought some of you might be interested.
Regards.......Bell

I received following message from otherhost on 9/18/02...

~~~~~~~~
<quote>As you probably noticed we had few cases of increased heavy server load. After a more thorough investigation we have discovered there is some misconfigured script on the system that floods MySQL with queries.

We also know that the script uses a CGI version of PHP. If you are using this method, please let us know so that we can check which script(s) are causing problems.

What we would like to do is find the problem script and either fix it or convert it to standard PHP usage. We cannot have scripts causing a runaway set of queries against the MySQL server.

While we are still trying to isolate the exact problem script, we have determined that it is a script using the CGI version of PHP

The stopping of use of the CGI version of PHP will be a last resort only if we cannot pinpoint the offending script.

Thank you very much for your cooperation.

Support Staff
*otherHost*</quote>
~~~~~~~~~
By the way, if you folks think I should NOT post this kind of stuff, let me know & I'll desist. I just thought you might be interested.
Bell

[admin]

While I hate to see anyone having problems, it makes for quite interesting reading. Keep us updated.

[Gnomercy]

*nod*

The techie in me is loving reading this... I must say, I wish you weren't experiencing these issues, but I also find it interesting reading. I'd be interested in knowing what the script is as well, if you happen to find out.

Yep. I am curious too. I don’t think it is too hard to track a runaway script but Danny can tell you exactly . Any host has problems; the difference is how the problems are solved.

Interesting posts on otherhost's forum 9/18/02

<quote>
Question by Client A - What is the purpose of running php scripts in cgi? To make it more secure or something? I'm asking because I have wondered this, seen it in some scripts before as an option.

Answer by Client B - I think the purpose for some people is to get around PHP being in safe mode. I think I remember reading some threads about PHP scripts that wouldn't run correctly under PHP safe mode, so they were going to try to run the script as a CGI. If I recall correctly, I think Gallery was one of those scripts.
</quote>

As you no doubt have gathered, otherhost ALWAYS runs PHP in safe mode [whatever that means], despite requests by several clients. Some or all of those clients may have departed. They used to post to otherhost's forum a lot, & now they are silent.

Otherhost has drawn several fairly substantial DoS in the slightly more than 1 year since start-up.

I think this is at least partly because otherhost had some *dark side* clients whose forums attracted a lot of bad-a*ses, 4-letter flame sessions, hacker threats, etc.

In any event, the founders sold the store in mid August & now, as you see, the new owner has his own headaches.

Bell

Quote:

The safe mode option in PHP allows control of which files can be accessed from a script using functions that access the file system, such as include(), fopen(), readfile(), and so on. The restriction is as follows: A file can be accessed either if it is owned by the same user ID as the script that is trying to access it, or if the file is in a directory to which the user of the running script has access.

safe_mode allows the administrator to control which users are allowed to run which functions and also entirely disable functions for security purposes. Many scripts using file uploads are having problems because of this. If you get an error like: "open_basedir restriction in effect", "Safe Mode Restriction in effect.", or "function has been disabled for security reasons" then it is a case of safe_mode . From what I see , safe_mode for AOH is off.

Quote:

Originally posted by Nedani
From what I see , safe_mode for AOH is off.

Is that a good thing or a bad thing, I wonder?

Cheeks clamped together,
Bellgamin

I think it is a good thing. You can use more premade scripts. If safe_mode is enabled then you have enough tools to do the same (bad) things using php in cgi mode, Perl, shell etc. You will not gain any extra security but you will get some extra headaches when trying to install a script.

Nedani - I checked thy site again. Wow! I hope those scripts you use don't crash the servers.


Cheeks still clamped,
Bell

No scripts in use yet.

safe_mode is used just to check what files can you use (read/write) from php. It has nothing to do with crashing.

I am testing all the scripts on my home server so ... if it is something to crash ... my PC will crash first and I will have nothing to upload to AOH .

[admin]

We use openbasedir directives to keep users in their own directories. This prevents a very large portion of the issues associated with user installed PHP scripts.

forum posts at otherhost...
~post1~~~~~~~~
9/19 by client F
This is now three days in a row at roughly the same time each day. Disable CGI PHP, cron or both. It took 8 1/2 minutes for THIS page to load to be able to even post this message.

Hermes is in the toilet again:
As of 12:10pm up 6 days, 6:03
load average: 11.36 10.97 8.25

I think this is the point were drastic measures ARE warranted.
xxxxxx

Bellgamin note: otherhost has mysql & email ALL on server hermes in TX, where all the trouble is happening. Host owner lives in CA & is trying to build his own data center in a storage building near his home.

~post2~~~~~~~~~~~
9/19by client S
load average: 17.89 15.32 10.95

bah, you guys should put mysql and email on each server like it is comes by standard so not all the customers suffer the slowdowns
xxxxxxx

~post3~~~~~~
9/19 by host's owner
Yes, I agree with you. The problem is and has always been that I cannot do anything with the servers where they are now.

We are going to start moving the servers the first part of next week to my shop. Once we get it there (on to much more powerful machines) we will build a couple of additional machines to offload the MySQL and Mail to separate servers.

In the meantime we are continuously trying to figure out what scripts are causing so much run-up.
xxxxx
~post4~~~
9/19 by client L
All 3 days I've been at school when the slow down has happened, so it leads me to believe someone has a cron that runs this program. I'm at school from 6:45am to around 2:45pm, PST. Maybe you could check and make sure it's not a cron between that time.
xxxxxxx
~post 5~~~~~~
9/19 by host's owner
We are currently going thru all the crons to see what time they run and what they run.
xxxxx

And the beat goes on.

I am curious why you don't move your site to AOH.

Quote:

I am curious why you don't move your site to AOH.

I have several sites. I moved my main site to AOH. I have 2 sites still at otherhost, paid in advance through June 2003. Besides, most of the folks over there are really nice people. They're just having some problems right now.

Shaloha,
Bellgamin