Greetings,
I am not sure why but periodically, all my users are unable to access their websites, though SSH and DA control panel access is fine.
When I log into my Virtuozzo control panel, resource utilization looks ok.
The only way to get the sites back up and running is to restart httpd service. Once done, everything is normal.
I don't know if this is related or not, but it does bother me. In my DA Security log, it is filled with entries like:
Code:
2004:07:17-17:25:10: 212.171.50.105 has tried to log in 26 times, unsuccessfully, this time into (null)'s account ***
2004:07:27-05:26:27: 62.101.94.100 has tried to log in 10 times, unsuccessfully, this time into (null)'s account ***
Note: the 94.100 is my IP. ???
Is there a way to block IP addresses after X number of failed attempts or something? If there is, can you tell me how?
To me, this looks like a deliberate hack attempt since I know the user is NOT accessing the control panel and we are not running Front Page extensions.
(pseudo name in use)
Code:
2004:10:19-07:36:58: *** User decXXX tried to execute /CMD_USER_SHOW ***
2004:10:19-15:38:21: User decXXX entered an invalid path (/domains/decXXX.com/public_html/_vti_bin/fpcount.exe/C:/Documents and Settings/Owner/My Documents/My Webs/myweb9/) in the file manager
Also, these are from the Apache Error logs and there are slews of them:
Code:
[Wed Nov 17 04:31:08 2004] [error] child process 2177 still did not exit, sending a SIGKILL
[Wed Nov 17 04:31:08 2004] [error] child process 19765 still did not exit, sending a SIGKILL
Any ideas to help keep the server safe and keep the bad guys out would help...
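One way to turn the security-log lines quoted above into a "block after X failed attempts" list, as an added example that is not part of the original post and not DirectAdmin's own code: it parses the failed-login format shown, skips any allowlisted address (such as the admin's own IP), and formats standard iptables DROP rules. The function names, the threshold, and the reading of the count as a running total per IP are assumptions, and the 203.0.113.7 line is constructed.

```python
import re
from ipaddress import ip_address

# Failed-login line format as quoted in the post:
# 2004:07:17-17:25:10: 212.171.50.105 has tried to log in 26 times, unsuccessfully, ...
LINE_RE = re.compile(
    r"^\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}: "
    r"(?P<ip>\S+) has tried to log in (?P<count>\d+) times, unsuccessfully"
)

def failed_logins(lines):
    """Return {ip: highest attempt count seen}.
    Assumption: the count in each line is a running total for that IP."""
    totals = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other entries (file manager, CMD_* lines) are ignored
        try:
            ip = str(ip_address(m.group("ip")))
        except ValueError:
            continue  # never build a firewall rule from an unparseable address
        totals[ip] = max(totals.get(ip, 0), int(m.group("count")))
    return totals

def block_candidates(lines, threshold, allowlist=()):
    """IPs at or above the threshold, minus allowlisted addresses."""
    allowed = {str(ip_address(a)) for a in allowlist}
    totals = failed_logins(lines)
    return sorted(ip for ip, n in totals.items()
                  if n >= threshold and ip not in allowed)

def iptables_rules(ips):
    """Format one DROP rule per IP; review before applying as root."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

SAMPLE_LOG = [
    # First three lines are from the post; the last one is constructed.
    "2004:07:17-17:25:10: 212.171.50.105 has tried to log in 26 times, unsuccessfully, this time into (null)'s account ***",
    "2004:07:27-05:26:27: 62.101.94.100 has tried to log in 10 times, unsuccessfully, this time into (null)'s account ***",
    "2004:10:19-07:36:58: *** User decXXX tried to execute /CMD_USER_SHOW ***",
    "2004:10:20-09:00:00: 203.0.113.7 has tried to log in 3 times, unsuccessfully, this time into (null)'s account ***",
]

if __name__ == "__main__":
    # 62.101.94.100 is the poster's own IP, so it goes on the allowlist.
    for rule in iptables_rules(
            block_candidates(SAMPLE_LOG, 10, allowlist=["62.101.94.100"])):
        print(rule)
```

Without the allowlist, the poster's own address would also cross a threshold of 10 and lock the admin out of the panel.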