Runaway script creating folders in web root

skinner_au, 20th February 2011, 10:56

Hi,

I've been using ISPConfig2 for about 2.5 years now and it has suited my needs very well. It has been serving mail and web for several domains I operate without a problem for that time.

A few weeks ago I made a number of changes to my network and today I noticed that there are a large number of new folders inside my web root which take the form of a line within the ISPConfig log. From what I can tell with my rudimentary PHP skills, the "/root/ispconfig/scripts/shell/logs.php" script is parsing the log lines incorrectly and creating new folders as a result.

Here is an example of my /var/www/ directory (I have replaced the domain names with #site1#, #site2# etc.):
Code:
drwxr-xr-x  3 root        root  4.0K 2011-02-09 00:30 - #SITE2# - [08
drwxr-xr-x  3 root        root  4.0K 2011-02-09 00:30 74.52.245.146 #SITE2# - [08
drwxr-xr-x  3 root        root  4.0K 2011-02-09 00:30 121.45.241.95 #SITE2# - [08
drwxr-xr-x  3 root        root  4.0K 2011-02-09 00:30 114.108.226.61 #SITE2# - [08
drwxr-xr-x  3 root        root  4.0K 2011-02-10 00:30 72.94.249.38 #SITE2# - [09
drwxr-xr-x  3 root        root  4.0K 2011-02-10 00:30 66.249.67.101 localhost - [09
drwxr-xr-x  3 root        root  4.0K 2011-02-10 00:30 222.127.223.74 #SITE2# - [09
drwxr-xr-x  3 root        root  4.0K 2011-02-12 00:30 95.108.154.252 #SITE2# - [11
drwxr-xr-x  3 root        root  4.0K 2011-02-13 00:30 69.58.178.57 #SITE3# - [12
drwxr-xr-x  3 root        root  4.0K 2011-02-13 00:30 222.130.187.172 #SITE3# - [12
drwxr-xr-x  3 root        root  4.0K 2011-02-13 00:30 203.206.80.20 #SITE3# - [12
drwxr-xr-x  3 root        root  4.0K 2011-02-14 00:30 - #SITE1# - [13
drwxr-xr-x  3 root        root  4.0K 2011-02-14 00:30 66.249.67.101 localhost - [13
drwxr-xr-x  3 root        root  4.0K 2011-02-16 00:30 74.52.245.146 localhost - [15
drwxr-xr-x  3 root        root  4.0K 2011-02-16 00:30 66.249.68.100 #SITE2# - [15
drwxr-xr-x  3 root        root  4.0K 2011-02-17 00:30 66.249.68.51 localhost - [16
drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 - #SITE2# - [18
drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 49.192.11.41 #SITE2# - [18
drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 209.222.0.203 #SITE3# - [18
drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 203.82.208.13 #SITE2# - [18
drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 184.72.7.141 #SITE2# - [18
drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 10.212.24.37, 192.148.117.85 #SITE2# - [18
drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 10.212.24.37, 192.148.117.83 #SITE2# - [18
drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 10.212.24.37, 192.148.117.81 #SITE2# - [18
drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 10.212.24.37, 192.148.117.79 #SITE2# - [18
drwxr-xr-x  3 root        root  4.0K 2011-02-20 00:30 66.249.68.100 #SITE2# - [19

As you can probably tell, the directory names take the form of the Apache log line and a new subdirectory is created where a forward slash appears in the line (such as in the date and the HTTP GET request). At the bottom of the tree is a "web.log" file which would normally be found under the ISPConfig site directory tree.

Around that time, the changes I made to my system were: 1) upgraded (apt dist-upgrade within the same Ubuntu 8.04 version) so many 'held back' packages were updated; and 2) installed a squid reverse proxy on another machine which determines which requests go to which machines, as there are other servers within my network hosting other domains outside the scope of my ISPConfig install.

I did a search of the forums here and didn't see any references to upgrades causing this problem, so I have assumed that my squid server is sending requests over which seem to be causing problems for the ISPConfig log parser.

The odd thing is that the ISPConfig HTTPD logs seem to be working as normal, where the standard loglines appear as:

Code:
203.82.208.13 #SITE2# - [20/Feb/2011:17:37:29 +0800] "GET /DC/ HTTP/1.0" 200 55569 "-""Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729; .NET4.0E)"

... where "#SITE2#" is the domain name. The log lines do seem to drop the IP address if it is from within my local network (shown only as "-" and this is also visible in the directories created in webroot), but I believe that to be a symptom of another part of my setup, and I can live with this.

It appears to me that the problem is coming from the following function in the "/root/ispconfig/scripts/shell/logs.php" file:

Code:
function get_filename($virtual_host) {
        // $jahr and $monat hold the year and month (German variable names)
        global $webroot, $jahr, $monat, $mod;
        if(!is_dir("$webroot/$virtual_host/log/$jahr/$monat")) $mod->file->mkdirs("$webroot/$virtual_host/log/$jahr/$monat");
        return "$webroot/$virtual_host/log/$jahr/$monat/web.log";
}

It has also just occurred to me that it may have something to do with a couple of custom log lines I placed in the "/etc/apache2/apache.conf" file. I suspect I obtained and modified them based on a squid tutorial, but my memory is not clear on it:

Code:
LogFormat "%{X-Forwarded-For}i %v %u %t \"%r\" %>s %b \"%{Referer}i\"\"%{User-Agent}i\"" cached

CustomLog "|/root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_%d" cached

I would very much appreciate any suggestions as to how I can fix this bizarre problem. Although my personal sites are low volume, the number of directory entries is adding up and I'm not sure if there are other problems as well.

Thanks

Skinner
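
Added example, not part of the original post and not ISPConfig code: one way to keep log content from ever becoming a directory name is to parse the virtual host out of the "cached" LogFormat quoted above and refuse any value that is not a known site. The function names, the allow-list and the `site2.example` domain are assumptions; how `logs.php` itself extracts the virtual host is not shown in the post.

```php
<?php
// Added example, not ISPConfig code; all function names are hypothetical.
// Field layout of the "cached" LogFormat quoted in the post:
//   %{X-Forwarded-For}i %v %u %t "%r" ...
// X-Forwarded-For can be "-", one address, or several separated by ", ",
// so it is matched lazily up to the "<vhost> <user> [time] " that follows.
const CACHED_RE = '/^(?<xff>.+?) (?<vhost>\S+) (?<user>\S+) \[(?<time>[^\]]+)\] "/';

// Accept only dot-separated labels of letters, digits and inner hyphens.
function is_valid_vhost(string $h): bool {
    $label = '(?!-)[a-z0-9-]{1,63}(?<!-)';
    return strlen($h) <= 253 && preg_match("/^$label(\\.$label)*$/i", $h) === 1;
}

// Returns the web.log path for a line, or null when the line must be skipped.
function log_path_for_line(string $line, string $webroot, array $sites,
                           string $year, string $month): ?string {
    if (!preg_match(CACHED_RE, $line, $m)) {
        return null;                       // wrong format: never guess a path
    }
    $vhost = strtolower($m['vhost']);
    // Syntax check first, then an allow-list of sites that really exist,
    // so log content can never cause a new directory under the web root.
    if (!is_valid_vhost($vhost) || !in_array($vhost, $sites, true)) {
        return null;
    }
    return "$webroot/$vhost/log/$year/$month/web.log";
}

// Constructed sample lines; site2.example stands in for the redacted domain.
$tail = '[18/Feb/2011:17:37:29 +0800] "GET /DC/ HTTP/1.0" 200 55569 "-""Mozilla/5.0"';
$lines = [
    "203.82.208.13 site2.example - $tail",
    "10.212.24.37, 192.148.117.85 site2.example - $tail",  // two proxy hops
    "- site2.example - $tail",                             // no forwarded address
    "203.82.208.13 - - $tail",                             // format without %v
    "203.82.208.13 other/site.example - $tail",            // not a hostname
];
foreach ($lines as $l) {
    $p = log_path_for_line($l, '/var/www', ['site2.example'], '2011', '02');
    echo ($p ?? 'SKIPPED'), "  <=  ", substr($l, 0, 45), "\n";
}
```

The first field comes from a request header that clients and upstream proxies control, so the path is built only from a value that passes both the hostname check and the allow-list; every other line is skipped rather than written somewhere new.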