
Strange OS X Server Crash?


filmfoto

8:57 pm on Nov 18, 2003 (gmt 0)


Greetings Webmasters.

My server crashed this morning for no apparent reason. Uptime was around 40 days, since the last server update to 10.2.8. The only strange, out-of-place entry in the system.log appeared in the middle of everything, with no timestamp.

From system.log:

o de Cach¡Z
solaris_wmode=Modo de escritura
solaris_con=Chequeo de Consistencia
solaris_period=Peri¡Zdicamente
solaris_never=Nunca
solaris_demand=Seg¡Zn demanda
solaris_waround=Escritura-solucionada
solaris_nshared=No-compartido
solaris_local=¡ZReviso permisos en cach¡Z?
solaris_nobrowse=¡ZRevisi¡Zn activada?
solaris_auto=Autom¡Ztico
solaris_mname=Nombre de M¡Zquina del Servidor
solaris_cname=Nombre del Cliente
solaris_username=Nombre de Login
solaris_password=Clave de Acceso de Login
solaris_uid=Los archivos de usuario son propiedad de
solaris_gid=Los archivos de Grupo son propiedad de
solaris_fmode=Permisos de Archivo
solaris_dmode=Permisos de Directorio
solaris_readwrite=¡ZEs seguro el acceso de Lectura/escritura?
solaris_readonly=¡ZLos archivos pueden ser de s¡Zlo-lectura?
solaris_noupper=¡ZEnv¡Zo la clave de acceso en may¡Zsculas?
solaris_attr=¡ZUso comandos attrE?
solaris_eurl='$1' no es una URL de NFS v¡Zlida
solaris_ehost='$1' no es un nombre v¡Zlido de m¡Zquina
solaris_ehost2=La m¡Zquina '$1' no existe
solaris_edown=La m¡Zquina '$1' est¡Z ca¡Zda o no soporta NFS
solaris_enfs=La m¡Zquina '$1' no soporta NFS
solaris_enfsdir='$1' no es un nombre de directorio v¡Zlido. Los directorios disponibles en $2 son: $3
solaris_enfsperm=Esta m¡Zquina no est¡Z autorizada a montar el directorio $1 en $2
solaris_enfsmount=Erro

An entry I've never seen in my webserver log before (IPs zeroed by me):

000.000.000.000 - - [18/Nov/2003:06:15:48 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 76 "-" "-"
000.000.000.000 - - [18/Nov/2003:09:29:54 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 76 "-" "-"

But these entries happened 3 hours before the crash at 12:06:21.
The last webhit before the crash was by "googlebot".

I can't find a solution at the moment, but the server is running fine now, though. Any ideas would be greatly appreciated.

Cheers. :)

Yidaki

4:40 pm on Nov 20, 2003 (gmt 0)


Disclaimer: I'm not sure. :)

Guess 1: somebody is trying to use your server as a proxy server. Or somebody just scanned your server to see if it runs an open proxy. Do you have proxy enabled? If so, I'd encourage you to DISABLE it asap. I had some Chinese chaps using my WebSTAR as a proxy until I noticed it - so if someone finds your server open, he WILL use it - even worse, your server might land on an open proxy list!

Guess 2: Another reason for your CONNECT entries could be the CodeRed worm virus. It sometimes also uses CONNECT 1.3.3.7:1337. If the requesting IP is in the same / similar class as your server's IP, it's very possible that it was a CodeRed attack. You can use .htaccess or httpd.conf to deny all worm-like requests. As these attacks sometimes come very, very fast and over a long period of time, this is *one possible* reason for the crash. If you need a list of possible virus request URLs, tell me, and I'll post my deny list.

To further avoid successful CONNECT requests, I'd limit access to only the standard HTTP methods like GET and POST. You can do this by specifying LIMIT in your httpd.conf.
[httpd.apache.org...]

Don't know if any of the above is the reason for your crashes, but it's worth making your server as secure as possible.

filmfoto

7:19 pm on Nov 20, 2003 (gmt 0)


Thank you for your informative input.

After some more detective work, I narrowed the cause down to a Norton product (Utilities or NAV) and Journaling enabled on a mirrored RAID running OS X Server 10.2.8.

This message popped up on the screen during the crash:
Error: "You need to restart your computer. Hold down the Power button for several seconds or press the Restart button." [service1.symantec.com]

In my ignorance / meager knowledge I checked the wrong logs and totally forgot about panic.log. I found this entry:

Kernel loadable modules in backtrace (with dependencies):
com.symantec.kext.symfs(7.0.2)@0x19126000
dependency: com.symantec.kext.symdc(1.3)@0x18a98000

One clue from my travels found on Macfixit.com [macfixit.com]:
Kernel panic occurs when enabling journaling in Mac OS X 10.3 (code named Panther) [service1.symantec.com]

Norton Auto-Protect kernel panic A Symantec support document notes that when Norton AntiVirus' Auto-Protect feature is active under Panther, attempting to enable journaling on a drive in Disk Utility results in a kernel panic. The solution is to deactivate Auto-Protect before you enable journaling. (Afterwards, you can re-activate Auto-Protect.)

Which led me to do a search for kernel panics with Jaguar and earlier versions of Norton products:
Kernel panic occurs when you open Norton Utilities 7.0.3 with Journaling enabled [service1.symantec.com]

The worst part is this :(

Symantec has not tested its Macintosh software under Mac OS X Server and does not support the software in this environment.

I had in fact enabled journaling on my mirrored RAID earlier that morning after a recommendation from a friend. One simple mistake can take down a whole system :(

In reply:
Guess 1) My system doesn't run as a proxy :)
Guess 2) I do receive a fair share of virus attacks, but never knew how I could combat them. I would love to see your deny list :)

>If you need a list of possible virus request urls, tell me, and i'll post my deny list.

Do I place the deny list in httpd.conf?

Thanks again and Cheers.

Yidaki

7:33 pm on Nov 20, 2003 (gmt 0)


Glad you found the problem, filmfoto.

>I would love to see your deny list

Unfortunately I can't connect to my server right now (<rant>damn, this buggy WebSTAR admin won't let me login</rant>). But I'm gonna post the list tomorrow morning (my time - that is in 12 hours). Actually it's a pretty comprehensive list of possible virus URLs that hit my servers in the past. Best is to put them with appropriate rules in your .htaccess file. If you don't have a .htaccess file yet or don't know a good rule, tell me and I'm gonna post one too. :)

filmfoto

9:15 pm on Nov 20, 2003 (gmt 0)


I'm waiting with suspense :)

I do have .htaccess, but what rule are you referring to? Please post, to further my knowledge.

Cheers. :)

Yidaki

11:41 am on Nov 21, 2003 (gmt 0)


Sorry for the late answer, filmfoto - I've been busy this morning. :)

Here's a .htaccess rule set which denies access to the (to me) known virus / worm / hack attacks. Sure, you should customize the rules and check that you don't block files and directories that you actually need to give access to (i.e. scripts, formmail etc.).

# Never serve the rules file itself
<Files .htaccess>
deny from all
</Files>

# mod_rewrite in per-directory (.htaccess) context needs FollowSymLinks
Options +FollowSymLinks
RewriteEngine on
# "-" leaves the URL untouched; [NC,F] = case-insensitive match, answer 403 Forbidden.
# Per-directory patterns see the path without its leading "/", so "^scripts/" matches /scripts/...
RewriteRule \.exe - [NC,F]
RewriteRule \.ida - [NC,F]
RewriteRule \_vti\_ - [NC,F]
RewriteRule ^NULL - [NC,F]
RewriteRule bin/ - [NC,F]
RewriteRule formmail - [NC,F]
RewriteRule msoffice - [NC,F]
RewriteRule sumthin - [NC,F]
RewriteRule ^scripts/ - [NC,F]
RewriteRule ^msadc/ - [NC,F]
RewriteRule ^M83A/ - [NC,F]
RewriteRule ^jf74kd/ - [NC,F]

The above htaccess is a modified / expanded version of jdMorgan's example found here:
[webmasterworld.com...]
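As an added example (not code from this thread or from either poster): a small Python checker that reads Apache combined-format access log lines like the ones filmfoto posted and flags the CONNECT / open-proxy probes from Yidaki's first reply as well as the request paths the deny list above would block, so you can see from the log what the rules would have caught before touching the server. The regex, the sample lines and the 192.0.2.x addresses are constructed for this example.

```python
import re
# Combined Log Format, as in the lines posted above (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# What a plain web site needs; anything else is what the LIMIT advice above would shut off.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Case-insensitive equivalents of the RewriteRule deny list above (log paths keep their leading "/").
WORM_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'\.exe', r'\.ida', r'_vti_', r'^/?NULL', r'bin/', r'formmail', r'msoffice',
    r'sumthin', r'^/?scripts/', r'^/?msadc/', r'^/?M83A/', r'^/?jf74kd/')]

def classify(line):
    """Return (ip, reason, request) for a suspicious access-log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None          # not Combined Log Format; skip rather than guess
    ip, method, target = m.group("ip", "method", "target")
    request = f"{method} {target}"
    if method == "CONNECT":
        # CONNECT host:port asks the server to tunnel a TCP stream: an open-proxy probe.
        return ip, "proxy tunnel attempt (CONNECT)", request
    if method not in ALLOWED_METHODS:
        return ip, f"unexpected method {method}", request
    if target.lower().startswith(("http://", "https://")):
        # An absolute URL as request target is a forward-proxy request, not one for this site.
        return ip, "forward-proxy request (absolute URL)", request
    for pat in WORM_PATTERNS:
        if pat.search(target):
            return ip, f"worm/scanner path matches {pat.pattern}", request
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and return the findings in order."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines in the thread's format; 192.0.2.x are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Nov/2003:06:15:48 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 76 "-" "-"
192.0.2.20 - - [18/Nov/2003:07:02:11 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
192.0.2.30 - - [18/Nov/2003:07:10:03 +0100] "GET /default.ida?XXXX HTTP/1.0" 404 291 "-" "-"
192.0.2.40 - - [18/Nov/2003:08:00:00 +0100] "GET http://example.org/ HTTP/1.0" 200 76 "-" "-"
192.0.2.50 - - [18/Nov/2003:08:05:00 +0100] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 291 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for ip, reason, request in scan(SAMPLE_LOG):
        print(f"{ip:12} {reason:42} {request}")
```

Run it against your real access_log (one line per call to classify) before enabling the rules; a hit on a path you actually serve, such as cgi-bin/, tells you which rule to narrow first.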