httpd stopped, unable to start, restart even after reboot...

[pcoeman]

Hi,

I just received a DA system message that apache stopped. I tried to start & restart httpd. Nothing. I reboot the server, no start or restart. This is what I found in the error_log as last message:

[Wed Aug 25 14:44:49 2004] [error] [client 66.205.46.196] request failed: URI too long
[Wed Aug 25 15:32:17 2004] [error] [client 66.215.49.50] request failed: URI too long
[Wed Aug 25 16:22:05 2004] [error] [client 66.130.127.205] request failed: URI too long
[Wed Aug 25 16:36:01 2004] [notice] caught SIGTERM, shutting down

When I take a look in the access_log I see 3times this kind of stuff:

66.157.197.108 - - [25/Aug/2004:08:52:31 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
66.157.197.108 - - [25/Aug/2004:08:52:32 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
217.235.63.62 - - [25/Aug/2004:11:29:34 -0400] "-" 408 - "-" "-"
213.196.196.115 - - [25/Aug/2004:12:41:56 -0400] "HEAD / HTTP/1.0" 200 0 "-" "-"
66.190.168.200 - - [25/Aug/2004:12:53:23 -0400] "GET /default.ida?XXXXXXXX...X (a few 1000 X)
206.13.56.94 - - [25/Aug/2004:12:56:49 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:49 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:49 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:49 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:49 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:49 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:49 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:49 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:49 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 403 - "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
206.13.56.94 - - [25/Aug/2004:12:56:58 -0400] "SEARCH / HTTP/1.1" 501 325 "-" "-"
66.130.86.63 - - [25/Aug/2004:13:33:31 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ (A few 1000 of these )
...
66.130.127.205 - - [25/Aug/2004:16:22:05 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ (And also a few 1000 of these)
And httpd is killed...

 

[pcoeman]

It seems that the above attacks are a exploit for some

When I try to start httpd on the server I receive this error:


server# httpd
Syntax error on line 160 of /etc/httpd/conf/httpd.conf:
Cannot add module via name 'mod_php4.c': not in list of loaded modules
server#

The server was for several days up and running. I only modified some tings via DirectAdmin. So I don't know what happent...

 

[Naughty Sheep]

try to recompile apache looks like mod_php4.c is gone somehow

check if its in /etc/httpd/modules/ (not sure since i dont use mod_php4.c)

or type: locate mod_php4.c

 

[pcoeman]

try to recompile apache looks like mod_php4.c is gone somehow

check if its in /etc/httpd/modules/ (not sure since i dont use mod_php4.c)

or type: locate mod_php4.c

Thanks for your time, I found a solution here: http://www.directadmin.com/forum/showthread.php?s=&threadid=4125 but it still is a strange thing, it affects more people but nobody knows why...

 

[Chrysalis]

this problem happened to me this morning, I dont know if its a coincidence or not, but my directadmin licence got auto updated today and then just after midnight apache stopped and now it wont start with the same error.

this is what I get if I use the binary

Syntax error on line 160 of /etc/httpd/conf/httpd.conf:
Cannot add module via name 'mod_php4.c': not in list of loaded modules

or if I use /usr/local/etc/rc.d/httpd restart

Stopping httpd: [ FAILED ]
Starting httpd: Syntax error on line 70 of /etc/httpd/conf/httpd.conf:
[ OK ]
root@bollocks conf # Cannot load /etc/httpd/modules/libperl.so into server: /etc/httpd/modules/libperl.so: Undefined symbol "Perl_sv_2pv_flags"

 

[Chrysalis]

even after doing the workaround in http://www.directadmin.com/forum/showthread.php?s=&threadid=4125 it went down again after midnight so something is making it shutdown at midnight now. This problem started the day directadmin downloaded a new licence.