scott001 Posted March 29, 2016

For the past week, each night at around the same time (1AM) my server is detecting and killing a Fork Bomb that uses www/delivery/lg.php. My cpanel server is running mod security, Suhosin PHP module, etc., and this fork bomb attack seems to be stopped by the server (or is it??) after it brings down apache, but there may be an exploit in the current version of lg.php. I would like your opinions on this.

Here is a shortened log:

lfd on scott.mysite.com: Fork Bomb detected and killed:
PID:3350 PPID:10047 SID:10047 User:root EXE:/usr/local/cpanel/bin/splitlogs CMD:/usr/local/cpanel/bin/splitlogs --main=scott.mysite.com --suffix=-bytes_log
PID:3351 PPID:10047 SID:10047 User:root EXE:/usr/local/cpanel/bin/splitlogs CMD:/usr/local/cpanel/bin/splitlogs --main=scott.mysite.com --mainout=/usr/local/apache/logs/access_log
PID:3366 PPID:10047 SID:10047 User:root EXE:/usr/local/cpanel/3rdparty/perl/514/bin/perl CMD:/usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/bin/leechprotect
PID:26764 PPID:3651 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26765 PPID:3526 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26766 PPID:24139 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26767 PPID:5554 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26768 PPID:24340 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26769 PPID:3471 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
etc, etc.
andrewatfornax Posted March 29, 2016

Hi @scott001,

I have doubts that it's a fork bomb - I don't think there's any code in Revive Adserver that creates any additional threads - everything is single threaded (although you can of course have as many single-threaded pathways executing as you set up your web server to allow).

It's more likely a mis-identified report by Suhosin as a result of a high number of calls to the logging scripts - either simply legitimately (as a result of a normal traffic spike or a legitimate scripted bulk access), or, possibly a DoS attack.
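One way to check the "flat concurrency versus real fork tree" distinction andrewatfornax raises is to parse the lfd report itself and ask whether the php processes are children of each other. The script below is an added example, not code from the thread or from Revive Adserver; it embeds the process list quoted in the first post (constructed from the report above) plus a second, constructed list showing what a genuinely self-replicating tree would look like, and applies a simple heuristic of my own: if no php process has a php parent inside the report, the processes are independent workers (consistent with many concurrent requests to lg.php); if php processes nest under php processes, the report is consistent with a real fork bomb.

```python
import re
from dataclasses import dataclass

# Constructed sample: the process list from the lfd report quoted in the thread.
PAGE_SAMPLE = """
PID:3350 PPID:10047 SID:10047 User:root EXE:/usr/local/cpanel/bin/splitlogs CMD:/usr/local/cpanel/bin/splitlogs --main=scott.mysite.com --suffix=-bytes_log
PID:3351 PPID:10047 SID:10047 User:root EXE:/usr/local/cpanel/bin/splitlogs CMD:/usr/local/cpanel/bin/splitlogs --main=scott.mysite.com --mainout=/usr/local/apache/logs/access_log
PID:3366 PPID:10047 SID:10047 User:root EXE:/usr/local/cpanel/3rdparty/perl/514/bin/perl CMD:/usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/bin/leechprotect
PID:26764 PPID:3651 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26765 PPID:3526 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26766 PPID:24139 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26767 PPID:5554 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26768 PPID:24340 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
PID:26769 PPID:3471 SID:10047 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
"""

# Constructed counter-example (hypothetical PIDs and script name): php
# processes whose parents are themselves php processes in the same report.
FORK_TREE_SAMPLE = """
PID:100 PPID:1 SID:100 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/script.php
PID:101 PPID:100 SID:100 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/script.php
PID:102 PPID:101 SID:100 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/script.php
PID:103 PPID:102 SID:100 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/script.php
PID:104 PPID:100 SID:100 User:mysite EXE:/usr/bin/php CMD:/usr/bin/php /home/mysite/script.php
"""

# One lfd process entry. CMD runs until the next "PID:" token or the end of
# the text, so this also copes with reports pasted onto a single line.
ENTRY_RE = re.compile(
    r"PID:(?P<pid>\d+)\s+PPID:(?P<ppid>\d+)\s+SID:(?P<sid>\d+)\s+User:(?P<user>\S+)"
    r"\s+EXE:(?P<exe>\S+)\s+CMD:(?P<cmd>.*?)(?=\s+PID:\d+|\s*$)",
    re.DOTALL,
)


@dataclass
class Proc:
    pid: int
    ppid: int
    sid: int
    user: str
    exe: str
    cmd: str


def parse_report(text):
    """Return the process entries found in an lfd fork-bomb report."""
    return [
        Proc(int(m["pid"]), int(m["ppid"]), int(m["sid"]),
             m["user"], m["exe"], m["cmd"].strip())
        for m in ENTRY_RE.finditer(text)
    ]


def chain_depth(proc, by_pid):
    """Count ancestors of proc that also appear in the report (0 = parent outside it)."""
    depth, seen, cur = 0, set(), proc
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        depth += 1
    return depth


def summarize(text):
    """Classify the php processes in a report as flat workers or a nested tree."""
    procs = parse_report(text)
    by_pid = {p.pid: p for p in procs}
    php = [p for p in procs if p.exe.endswith("/php")]
    # A php process whose parent is another php process in the report is "nested".
    nested = sum(
        1 for p in php
        if p.ppid in by_pid and by_pid[p.ppid].exe.endswith("/php")
    )
    max_depth = max((chain_depth(p, by_pid) for p in php), default=0)
    return {
        "php_processes": len(php),
        "distinct_parents": len({p.ppid for p in php}),
        "nested": nested,
        "max_depth": max_depth,
        # Heuristic of this example, not lfd's own rule.
        "verdict": "nested" if nested else "flat",
    }


if __name__ == "__main__":
    for name, sample in (("thread report", PAGE_SAMPLE), ("fork tree", FORK_TREE_SAMPLE)):
        print(name, summarize(sample))
```

On the report from the thread every php process has a different parent PID, and none of those parents is itself a php process in the report, so the result is `flat`: six separate invocations of lg.php, which is what a burst of concurrent requests looks like. The parents are not listed, so the natural follow-up on the box is to look those PPIDs up (`ps -o pid,ppid,cmd -p 3651,3526,...`) and confirm they are web-server workers rather than something unexpected, and to compare the access log for lg.php around 1AM against normal traffic to separate a traffic spike from a DoS.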
Jimmy T. Posted August 30, 2016

I agree with @andrewatfornax and I recommend that you whitelist the process in csf.pignore to avoid interference.

Edit: didn't realize how long ago this thread was created, but hopefully this will help someone else who reads this.
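As an added illustration of the csf.pignore whitelisting Jimmy T. suggests (not text from the thread), the fragment below shows a broad entry beside a narrower one. The `exe:` and `cmd:` line forms are the ones documented in the header of csf.pignore itself; check them against the copy shipped with your csf version, since the exact matching rules can differ between releases. The path and user come from the lfd report in the first post.

```text
# /etc/csf/csf.pignore (added example)

# Broad: lfd ignores every process whose executable is /usr/bin/php, for any
# user and any script. Simple, but it also silences reports about unrelated
# PHP processes on the same server.
exe:/usr/bin/php

# Narrower: ignore only the Revive Adserver logging script run by this
# account, exactly as it appeared in the lfd report.
cmd:/usr/bin/php /home/mysite/public_html/adserv/www/delivery/lg.php
```

Prefer the narrower form: it keeps lfd's fork-bomb and process-tracking alerts useful for everything else while suppressing the known nightly burst from lg.php. Restart lfd after editing the file (`csf -ra`) so the new entries are read.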