litespeed hacked?

mistwang

LiteSpeed Staff
#24
4.1RC3 build is available for download, just change the version number in the download link. Also 4.1RC2 package has been updated as well, just in case a serious bug was introduced in 4.1RC3.
We still have some features to be added to 4.1RC3, so it is not final yet.
 

robfrew

Well-Known Member
#25
> 4.1RC3 build is available for download, just change the version number in the download link. Also 4.1RC2 package has been updated as well, just in case a serious bug was introduced in 4.1RC3.
> We still have some features to be added to 4.1RC3, so it is not final yet.

Tried using RC3 and after install and restart, received 503 errors immediately.
 

robfrew

Well-Known Member
#29
> 503 error from PHP script or something else?
> Can you send me the log file for analysis?

Looked at error log file and saw this after installing RC3:

Code:
2010-06-16 07:34:36.586 [ERROR] execve() failed with errno=14, when try to start Fast CGI application: /opt/lsws/bin/httpd -n 20!
Cannot find why RC2 will not allow me to get into the Control Panel.
 

robfrew

Well-Known Member
#30
It looks like I cannot get into any secure (https) areas of any website running the patched RC2. That is why I cannot get into the control panel because it resides on a secure setup. I had to load the original RC2 to get my secure sites to work again.
 
#35
This filter does not work for 4.0.10
GET /index.php
2010-07-21 01:38:07.676 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Find context with URI: [/], location: [/home/www/domains/MY-DOMAIN.com/html/]
2010-07-21 01:38:07.676 [DEBUG] [HTAccess] Updating configuration file [/home/www/domains/MY-DOMAIN.com/html/.htaccess]
2010-07-21 01:38:07.676 [INFO] [HTAccess] Updating configuration from [/home/www/domains/MY-DOMAIN.com/html/.htaccess]
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Find .htaccess context with URI: [/], location: [/home/www/domains/MY-DOMAIN.com/html/]
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] processContextPath() return 0
2010-07-21 01:38:07.677 [INFO] [184.193.59.46:59568-0#MY-DOMAIN.com] no request variables, skip ruleset: XSS attack
2010-07-21 01:38:07.677 [INFO] [184.193.59.46:59568-0#MY-DOMAIN.com] no request variables, skip ruleset: SQL Injection attack
2010-07-21 01:38:07.677 [INFO] [184.193.59.46:59568-0#MY-DOMAIN.com] [SECURITY] match [REQUEST_URI] against pattern [\x00], result: 1
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] readyCacheData() return 0
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Written to client: 453
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] m_pHandler->onWrite() return 0
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] HttpConnection::flush()!
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] HttpConnection::nextRequest()!
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Non-KeepAlive, CLOSING!
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] processNewReq() return 0.
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Shutting down out-bound socket ...
2010-07-21 01:38:07.792 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] HttpIOLink::handleEvents() events=17!
2010-07-21 01:38:07.792 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Close socket ...
screenshot from admin panel Request Filter
grab.by/grabs/6082dddb30bf07cfe7fb187fe2e721de.png
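
For anyone reviewing logs like the one in post #35, this added example (not part of the original thread and not LiteSpeed's own tooling) parses the request-filter lines in that debug-log format and counts rule evaluations per client. The sample lines, addresses and the function names are constructed for illustration; the page does not say what the `result` value means, so the code reports it raw without interpreting it.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown in post #35 (documentation IP ranges).
SAMPLE_LOG = """\
2010-07-21 01:38:07.677 [INFO] [192.0.2.10:59568-0#example.com] no request variables, skip ruleset: XSS attack
2010-07-21 01:38:07.677 [INFO] [192.0.2.10:59568-0#example.com] [SECURITY] match [REQUEST_URI] against pattern [\\x00], result: 1
2010-07-21 01:38:07.677 [DEBUG] [192.0.2.10:59568-0#example.com] Written to client: 453
2010-07-21 01:39:12.004 [INFO] [198.51.100.7:40112-0#example.com] [SECURITY] match [REQUEST_URI] against pattern [\\x00], result: 0
"""

# timestamp, level, [client_ip:port-seq#vhost], message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \[(?P<level>[A-Z]+)\] "
    r"\[(?P<ip>[^\]]+?):(?P<port>\d+)-(?P<seq>\d+)#(?P<vhost>[^\]]+)\] (?P<msg>.*)$")
# Greedy pattern group so a ']' inside the rule pattern is still captured.
MATCH_RE = re.compile(r"^\[SECURITY\] match \[(?P<var>[^\]]+)\] "
                      r"against pattern \[(?P<pattern>.*)\], result: (?P<result>-?\d+)$")
SKIP_RE = re.compile(r"^no request variables, skip ruleset: (?P<ruleset>.+)$")

def parse_filter_events(text):
    """Return rule evaluations and skipped rulesets found in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-connection log line
        base = {k: m.group(k) for k in ("ts", "ip", "vhost")}
        hit = MATCH_RE.match(m.group("msg"))
        skip = SKIP_RE.match(m.group("msg"))
        if hit:
            events.append({**base, "kind": "match", "var": hit["var"],
                           "pattern": hit["pattern"], "result": int(hit["result"])})
        elif skip:
            events.append({**base, "kind": "skip", "ruleset": skip["ruleset"]})
    return events

def summarize(events):
    """Count rule evaluations per (client, vhost, variable, pattern, raw result)."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "match":
            counts[(e["ip"], e["vhost"], e["var"], e["pattern"], e["result"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for key, n in sorted(summarize(parse_filter_events(SAMPLE_LOG)).items()):
        print(n, *key)
```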
 

J.T.

Well-Known Member
#38
Couple of questions regarding this.

1. How can we check whether the server may have already been compromised before upgrading or applying the mod sec rule?

2. If we don't log in to the LSWS admin UI we wouldn't know there's an update. Even if we did, it doesn't exactly highlight the update as urgent/crucial. Some updates recently were just for some control panel integration so I waited on those. It would be really handy if there was an RSS feed to monitor this type of news (without having to subscribe to every forum thread, then filter them). I don't see a feed on the news items, which would have been perfect. Can you please consider this point and let us know how best to be fed updates?
 