Jump to content

Potential Fork Bomb Exploit in Revive Adserver?

Recommended Posts

For the past week, each night at around the same time (1AM) my server is detecting and killing a Fork Bomb that uses www/delivery/lg.php. My cpanel server is running mod security, Suhosin PHP module, etc., and this fork bomb attack seems to be stopped by the server (or is it??) after it brings down apache, but there may be an exploit in the current version of lg.php. I would like your opinions on this.

Here is a shortened log:

lfd on scott.mysite.com: Fork Bomb detected and killed:

PID:3350 PPID:10047 SID:10047 User:root EXE:/usr/local/cpanel/bin/splitlogs CMD:/usr/local/cpanel/bin/splitlogs --main=scott.mysite.com --suffix=-bytes_log
PID:3351 PPID:10047 SID:10047 User:root EXE:/usr/local/cpanel/bin/splitlogs CMD:/usr/local/cpanel/bin/splitlogs --main=scott.mysite.com --mainout=/usr/local/apache/logs/access_log
PID:3366 PPID:10047 SID:10047 User:root EXE:/usr/local/cpanel/3rdparty/perl/514/bin/perl CMD:/usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/bin/leechprotect
PID:26764 PPID:3651 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26765 PPID:3526 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26766 PPID:24139 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26767 PPID:5554 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26768 PPID:24340 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26769 PPID:3471 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php

etc, etc.

Link to comment
Share on other sites

Hi @scott001,

I have doubts that it's a fork bomb - I don't think there's any code in Revive Adserver that creates any additional threads - everything is single threaded (although you can of course have as many single-threaded pathways executing as you set up your web server to allow).

It's more likely a mis-identified report by Suhosin as a result of a high number of calls to the logging scripts - either simply legitimately (as a result of a normal traffic spike or a legitimate scripted bulk access), or, possibly a DoS attack.

Link to comment
Share on other sites

  • 5 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...