Apache 2.4.10 memory issues - update to 2.4.11?

americanintel

2.4.10 is still showing in custombuild here on DA. I'm experiencing some high CPU and memory issues that I'm 99% sure are related to vulnerabilities listed below from malicious IPs. CSF is dealing with it now that I have it properly tweaked but I'd like to see an update in custombuild for .11 if possible... when it's out of dev... or backported by DA maybe.

http://httpd.apache.org/security/vulnerabilities_24.html

Anyone else having issues related to this?

I've had some direct attacks that have taken loads from .06 to as high as 350+ but certainly in the 150 range which play havoc with httpd and mysqld of course... solid DDoS for sure. I've had to tweak the CT_LIMIT in CSF to deal with it but not have too many false positives.
 
Curious what you're using for your 99% certainty?

Not sure if it's related, but I've seen a significant spike in WordPress attacks recently, hence the addition of this for the upcoming release:
http://www.directadmin.com/features.php?id=1695

So just rule it out (or confirm it) by scanning your Apache logs for wp-login.php or xmlrpc.php connections, e.g.:
Code:
cd /var/log/httpd/domains
grep -c -E 'wp-login.php|xmlrpc.php' *.log | grep -v :0 | awk -F':' '{print $2,$1"="}' | sort -n

Either way, if you do want a different version of apache, you can use this:
http://help.directadmin.com/item.php?id=565&in1=apache2.4&in2=2.4.11-dev&in3=

Of course, it's ./build apache, not ./build apache2.4.
I didn't look too hard on where to find the 2.4.11-dev tar.gz file though... may need to grab it from their svn repo.

John
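
A per-client breakdown of the same log check, as an added example that is not part of the original post: it counts requests to wp-login.php and xmlrpc.php per source address, which helps when choosing CSF thresholds. It assumes the logs use Apache's common/combined format; the function names `wp_hits_by_ip` and `sample_log` are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: count requests to wp-login.php / xmlrpc.php per client IP.
# Assumes Apache common/combined log format:
#   field 1 = client address, field 7 = request path.

# Usage: wp_hits_by_ip [MIN] < access.log
# Prints "hits ip" for every client with at least MIN hits (default 1),
# busiest client first.
wp_hits_by_ip() {
    awk -v min="${1:-1}" '
        {
            # Look only at the request path, minus any query string, so a
            # Referer or User-Agent that mentions wp-login.php is not counted.
            path = $7
            sub(/[?].*/, "", path)
            if (path ~ /\/(wp-login|xmlrpc)[.]php$/) hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Dec/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Dec/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Dec/2014:10:00:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2014:10:00:04 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2014:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://example.com/wp-login.php" "Mozilla/5.0"
EOF
}

# Demo on the constructed sample; on a server, feed real logs instead, e.g.
#   cat /var/log/httpd/domains/*.log | wp_hits_by_ip 50
sample_log | wp_hits_by_ip
```
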
 

Are you running mod_proxy_fcgi? Anyway, on the WP thing: I had to change the wp-login path for WP, and that helped a lot and took away the hammering of the bots. Nice addition in DA-1.47, with the WP log scanner, but changing the path helped in my situation. Cannot imagine what it's like to have hundreds of WP installations, and not being able to change the login path. Furthermore I use a couple of cache plugins; that too helped on the load. Don't know if it's related or not. I'm up-to-date on everything CB2, running 2.4.10, etc., and I don't have any problems right now with the load.

Someone here reported a high cpu load, probably related to memory fragmentation and Apache Runtime (APR): http://svn.haxx.se/users/archive-2014-12/0103.shtml

Maybe it's related? Try to see if your libapr-1.so.0 needs an update. http://rpmfind.net/linux/rpm2html/search.php?query=libapr-1.so.0

I agree that Apache should rule out all bugs and rule the world, but it's probably not that easy. :)
 
You can also audit network traffic with "sysdig", to get further insight on your traffic. http://www.sysdig.org

Haven't tried it, but it looks nice. It combines "well-known utilities such as strace, tcpdump, and lsof into one single application".
 