On 12/2/2014 3:52 PM, Keith Smith wrote:
Hi,
Last night the LAMP server that serves our Drupal install crashed. It had too many available processes and ran out of memory. Reduced the number of available Apache processes and everything settled down. Early this morning the server crashed again.
In looking at the log files I find two things that I need help understanding. Please understand I am not a Drupal developer - I am just responsible for it....
I'm seeing a bunch of 403 errors for trying to access /node/add - is this a new exploit? What is this?
Also I am seeing lines that contain the following:
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-" "Drupal (+http://drupal.org/)"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-" "Drupal (+http://drupal.org/)"
Any idea what this is?
Thank you so much for your help!!
On 2014-12-02 15:59, Jamie Holly wrote:
Those requests come from this module:
https://www.drupal.org/project/httprl
That module alone doesn't do anything, so you got other modules that are doing the calls through httprl. Look for modules that are dependent upon httprl and that will get you in the right direction of figuring out what is happening.
Jamie Holly http://hollyit.net
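One way to carry out the search suggested in the reply above, as an added example that is not part of the original messages: it walks a module directory and reports every module whose Drupal 7 `.info` file declares a dependency on httprl. The `sites/all/modules` layout, the module names and the version constraint in the sample tree are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Drupal 7 .info dependency line, e.g.:  dependencies[] = httprl (>=7.x-1.14)
# An optional "project:" prefix is accepted; the version constraint is ignored.
DEP_LINE = re.compile(r'^\s*dependencies\[\]\s*=\s*"?(?:[\w-]+:)?(\w+)')


def modules_depending_on(root, wanted="httprl"):
    """Return {module_name: .info path} for modules that declare `wanted`."""
    hits = {}
    for info in sorted(Path(root).rglob("*.info")):
        for line in info.read_text(errors="replace").splitlines():
            m = DEP_LINE.match(line)   # lines commented out with ';' never match
            if m and m.group(1) == wanted:
                hits[info.stem] = str(info)
                break
    return hits


def build_sample_tree(root):
    """Write a small constructed module tree (all module names are hypothetical)."""
    samples = {
        "httprl": "name = HTTPRL\ncore = 7.x\n",
        "example_queue_runner": "core = 7.x\ndependencies[] = httprl\n",
        "example_thumbs": "dependencies[] = image\n"
                          "dependencies[] = httprl (>=7.x-1.14)\n",
        # Commented-out line and a similarly named dependency: neither counts.
        "example_blog": "; dependencies[] = httprl\n"
                        "dependencies[] = httprl_stats\n",
    }
    for name, body in samples.items():
        module_dir = Path(root, "sites/all/modules", name)
        module_dir.mkdir(parents=True)
        (module_dir / f"{name}.info").write_text(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for module, path in modules_depending_on(tmp).items():
            print(module, "->", path)
```

A module found this way may be present on disk but disabled; the site's module list shows which of the hits are actually enabled.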
Thank you Jamie!!
On 12/2/2014 5:32 PM, Keith Smith wrote:
Is it normal to see these entries or does this indicate an issue?
Thanks!! Keith
On 2014-12-02 18:19, Jamie Holly wrote:
Those lines you pasted would be normal in the access log, since they are requests to the site. They all got a 200 status code, so they were good requests.
Jamie Holly http://hollyit.net
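How the two kinds of entries raised in this thread can be tallied from an access log, as an added example that is not part of the original messages: it counts the httprl callback requests per second and per calling address, and the 403 responses on /node/add per client. The sample lines, addresses and the non-httprl requests are constructed.

```python
import re
from collections import Counter

# Apache combined log format, as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
CALLBACK = "/httprl_async_function_callback"


def triage(lines):
    """Summarise httprl callback bursts and 403 responses on /node/add."""
    bursts = Counter()    # callbacks per one-second timestamp
    callers = Counter()   # addresses issuing the callbacks
    denied = Counter()    # clients refused at /node/add
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue      # not a combined-format line
        path = m["url"].split("?", 1)[0]
        if path == CALLBACK:
            bursts[m["ts"]] += 1
            callers[m["client"]] += 1
        elif m["status"] == "403" and (path == "/node/add"
                                       or path.startswith("/node/add/")):
            denied[m["client"]] += 1
    peak = bursts.most_common(1)[0] if bursts else (None, 0)
    return {"peak_second": peak, "callers": dict(callers),
            "denied_node_add": dict(denied)}


# Constructed sample input (documentation-range addresses).
UA = '"-" "Drupal (+http://drupal.org/)"'
SAMPLE = [
    f'192.0.2.10 - - [02/Dec/2014:02:40:32 -0800] "POST {CALLBACK}?count=2 HTTP/1.0" 200 486 {UA}',
    f'192.0.2.10 - - [02/Dec/2014:02:40:32 -0800] "POST {CALLBACK}?count=1 HTTP/1.0" 200 502 {UA}',
    f'192.0.2.10 - - [02/Dec/2014:02:40:32 -0800] "POST {CALLBACK}?count=1 HTTP/1.0" 200 502 {UA}',
    f'192.0.2.10 - - [02/Dec/2014:02:40:33 -0800] "POST {CALLBACK}?count=1 HTTP/1.0" 200 502 {UA}',
    '198.51.100.7 - - [02/Dec/2014:02:40:33 -0800] "GET /node/add HTTP/1.1" 403 1201 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Dec/2014:02:40:34 -0800] "GET /node/add/page HTTP/1.1" 403 1201 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Dec/2014:02:40:34 -0800] "GET /node/1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```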
Thanks!!