#1  29th July 2012, 22:05
Ovidiu
Got a FASTCGI problem after my latest update

The server (a small VPS) is set up according to this how-to: http://www.lowendbox.com/blog/wordpr...-lowendscript/

The problems started after the last update:

apticron report [Fri, 27 Jul 2012 00:41:08 -0300]
========================================================================

apticron has detected that some packages need upgrading on:

The following packages are currently pending an upgrade:

mysql-client-5.5 5.5.25a-1~dotdeb.1
mysql-client-core-5.5 5.5.25a-1~dotdeb.1
mysql-common 5.5.25a-1~dotdeb.1
mysql-server 5.5.25a-1~dotdeb.1
mysql-server-5.5 5.5.25a-1~dotdeb.1
mysql-server-core-5.5 5.5.25a-1~dotdeb.1
php5-cgi 5.3.15-1~dotdeb.0
php5-cli 5.3.15-1~dotdeb.0
php5-common 5.3.15-1~dotdeb.0
php5-curl 5.3.15-1~dotdeb.0
php5-gd 5.3.15-1~dotdeb.0
php5-mcrypt 5.3.15-1~dotdeb.0
php5-mysql 5.3.15-1~dotdeb.0
php5-suhosin 5.3.15-1~dotdeb.0

When I did these updates, I always chose to keep my configs and not to replace them with the distro ones. I am facing the problem that php-cgi seems to "freeze" to death: it doesn't seem to serve anything. It works for a few hours, then it freezes and only starts working again after I killall -9 php-cgi and then start it again, as restarting it doesn't work either.
All I get are these errors in nginx error log:

2012/07/29 09:26:21 [error] 18038#0: *1909 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 173.245.52.14, server: knightsenglish.com, request: "GET / HTTP/1.0", upstream: "fastcgi://127.0.0.1:9000", host: "www.knightsenglish.com", referrer: "http://www.knightsenglish.com/"

Any ideas what could be wrong here? Any starting points to investigate? All this happened this weekend where there was almost zero traffic, I checked with netstat and there were maybe 10 connections active only :-(

As a first try, after googling this issue I added this value to my nginx configs: proxy_read_timeout 120; but that didn't change much.
#2  30th July 2012, 09:55
falko

Do you use PHP-FPM? If not, I'd strongly suggest to set it up.
#3  31st July 2012, 00:43
Ovidiu

Thanks Falko, I figured out the problem and will implement your suggestion after I fix the original problem.

After tinkering with the VPS I realized the problem went a lot deeper than that. This thread is basically closed as the problem is a totally different one, but if you can add something to it, it would be much appreciated.

I ran 2 sites for a friend on my server, one grew too big so I moved him to his own VPS that I also manage. The second one grew stale so I eventually de-activated it.

I now moved the stale one to his own server since we was going to update it and get it up and running again.

I see 2 possible reasons for my problems:

a) either I screwed up when transferring the old site to the new server
b) the site's files were infected with Timthumb and possibly other dangerous stuff

Facts: I moved the site, put it online, updated all plugins, ran a Timthumb vulnerability scanner over the entire wordpress installation (a WP plugin) and manually deleted/replaced all infected files, which were quite a lot.

My reasoning is that while doing that, I might have missed some infected file or simply have been too slow.

The symptoms are that a lot of processes stopped working, I checked quite a few log files and all are complaining about wrong ownerships, i.e. most of the problems I found is that www-data owns the folders/files now...

My explanation is that on the old server, everything was so secured and tied down, that the infection couldn't spread anywhere (I run those sites with FASTCGI and suexec and a lot of other security mechanisms) but the new one is "unprotected" from inside, meaning that me personally moving the infection onto the server, and the web server running no further protection, I basically spread the virus myself :-(

My plan now is to restore a backup of the new server, get it up and running again, then try and clean the infected site before moving it. The question is how do I detect/clean infected files within a wordpress site OFFLINE? All I could google refers to how to clean/scan a live wordpress installation :-(

Any advice?

Please also feel free to comment if you think you see a flaw in my reasoning, this is not 100% proven (except for the mentioned FACTS), just my deductions.

oh, btw. I ran one of the many infected index.php files through an online scanner and here are the results:

http://r.virscan.org/report/994a8139...334871829.html
https://www.virustotal.com/file/4b66...is/1343601521/

Funnily enough, the Linux Malware tool I am using doesn't find anything wrong with this file :-( http://www.rfxn.com/projects/linux-malware-detect/
Need to post there for support too.

Any advice from someone who faced something like this before? Maybe some pointers about detecting MySQL injections once they have happened already?

Last edited by Ovidiu; 31st July 2012 at 00:45.
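
A read-only triage pass for the offline scan asked about in post #3, as an added example that is not part of the thread. It assumes you have a copy of the site's files and a clean copy of the same WordPress release unpacked beside it; the function names and the tiny demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only triage of a WordPress tree copied off the server.
# Nothing here runs PHP. All matches are leads to review, not verdicts.

# PHP files that eval() decoded or decompressed data (common in injected code).
scan_obfuscation() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' {} + | sort
}

# Bundled copies of the TimThumb script, by file name.
find_timthumb() {
    find "$1" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) | sort
}

# PHP files under wp-content/uploads, which normally holds only media.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f -iname '*.php*' | sort
}

# Core PHP files (outside wp-content) that differ from, or are missing in,
# a clean copy of the same WordPress release unpacked at $2.
diff_against_clean() {
    ( cd "$1" && find . -path ./wp-content -prune -o -type f -name '*.php' -print | sort ) |
    while read -r f; do
        if [ ! -f "$2/$f" ]; then echo "extra $f"
        elif ! cmp -s "$1/$f" "$2/$f"; then echo "changed $f"; fi
    done
}

# Constructed sample input: a tiny "site" and "clean" tree, not real WordPress.
make_demo() {
    d=$(mktemp -d) && mkdir -p "$d/clean" "$d/site/wp-content/uploads" \
        "$d/site/wp-content/themes/t"
    echo '<?php require "wp-blog-header.php";' > "$d/clean/index.php"
    echo '<?php eval(base64_decode("ZWNobyAxOw==")); require "wp-blog-header.php";' \
        > "$d/site/index.php"
    echo '<?php // constructed stand-in' > "$d/site/wp-content/themes/t/timthumb.php"
    echo '<?php // constructed stand-in' > "$d/site/wp-content/uploads/x.php"
    echo "$d"
}

demo=$(make_demo)
for check in scan_obfuscation find_timthumb php_in_uploads; do
    echo "== $check"; "$check" "$demo/site"
done
echo "== diff_against_clean"; diff_against_clean "$demo/site" "$demo/clean"
rm -rf "$demo"
```

The comparison against a clean release is the strongest of the four checks, since it flags modified core files such as an altered index.php even when no pattern matches.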
Tags
debian, fastcgi, nginx
