Suspicious File Alert

pooyan

Well-Known Member
#1
Time: Sat Aug 4 17:32:04 2012 +0430
File: /tmp/lshttpd/bak_core/core.8724
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: Moved into /etc/csf/suspicious.tar

I receive this email every ~5 minutes.
When I switch to Apache I do not receive this email.
 

pooyan

Well-Known Member
#8
Would you like to Upgrade, Reinstall or Change directory [U/r/c]? U

[ERROR] Sorry, installation will abort without a valid license key.

For evaluation purpose, please obtain a trial license key from our web
site http://www.litespeedtech.com, copy it to this directory
and run Installer again.

If a production license has been purchased, please copy the serial number
from your confirmation email to this directory and run Installer again.

NOTE:
Please remember to set ftp to BINARY mode when you ftp trial.key from
another machine.
 
#12
I'm having the same issue,

Litespeed Web Server Enterprise v4.2.1

Time: Tue Jan 29 10:26:33 2013 +0700
File: /tmp/lshttpd/bak_core/core.579774
Reason: Linux Binary
Owner: nobody:nobody (99:99)
 

webizen

Well-Known Member
#14
I'm having the same issue,

Litespeed Web Server Enterprise v4.2.1

Time: Tue Jan 29 10:26:33 2013 +0700
File: /tmp/lshttpd/bak_core/core.579774
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Install the debug version of lsws 4.2.1 (see steps in the earlier post) and send us the bt (backtrace).
 

pooyan

Well-Known Member
#15
Please continue monitoring the server.
Report if there is any new issue.
The problem is still not resolved.
Please fix it. SSH access has not changed.

+ 10000 emails.

Time: Sun Feb 10 10:09:04 2013 +0330
File: /tmp/lshttpd/bak_core/core.16462
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: Moved into /etc/csf/suspicious.tar
 
#16
run "top -c":
27128 root 20 0 111m 956 800 D 8.3 0.0 0:00.83 /bin/tar -rf /etc/csf/suspicious.tar /tmp/lshttpd/bak_core/core.16462
I killed the process by
#kill 27128

like I did last time. Please see if the email is still coming in.

Please try to upgrade to 4.2.2 manually. It fixed a few mod_security bugs, likely including yours.

#cd /usr/local/lsws/admin/misc
#./lsup.sh -v 4.2.2
 

pooyan

Well-Known Member
#17
run "top -c":

I killed the process by
#kill 27128

like I did last time. Please see if the email is still coming in.

Please try to upgrade to 4.2.2 manually. It fixed a few mod_security bugs, likely including yours.

#cd /usr/local/lsws/admin/misc
#./lsup.sh -v 4.2.2
Thank you very much for the answer.
I upgraded lsws to 4.2.2 and restarted the server, but the problem is still not resolved!
I also received this email:

Sub: Web server *** on *** is automatically restarted
Body: At [10/Feb/2013:01:57:11 +0330], web server with pid=16462 received unexpected signal=11, a core file is created. A new instance of web server will be started automatically!

Please forward the following debug information to bug@litespeedtech.com.
Environment:

Server: LiteSpeed/4.2.1 Enterprise
OS: Linux
Release: 2.6.32-279.19.1.el6.x86_64
Version: #1 SMP Wed Dec 19 07:05:20 UTC 2012
Machine: x86_64

If the call stack information does not show up here, please compress and forward the core file located in /tmp/lshttpd/.

[New Thread 16462]
[New Thread 16463]
[New Thread 16464]
[Thread debugging using libthread_db enabled]
Core was generated by `litespeed'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000418ace in HttpBuf::size (this=0x5fe8f87d8b48f075) at /home/gwang/release/httpd/httpd/http/httpbuf.h:55
in /home/gwang/release/httpd/httpd/http/httpbuf.h
#0 0x0000000000418ace in HttpBuf::size (this=0x5fe8f87d8b48f075) at /home/gwang/release/httpd/httpd/http/httpbuf.h:55
#1 0x0000000000462c90 in SecRuleRangeList::append (this=0xd904d8, rhs=...) at /home/gwang/release/httpd/httpd/http/secrule.h:615
#2 0x000000000047fc39 in HttpReq::setSecRemoveID (this=0x146a448, pList=0xd904d8) at /home/gwang/release/httpd/httpd/http/httpreq.cpp:4565
#3 0x000000000049f76b in SecEngine::execute (this=0xd90420, pRuleSets=0xe91780, pConn=0x146a3a0, phase=32, scanPost=0) at /home/gwang/release/httpd/httpd/http/secengine.cpp:883
#4 0x00000000004bde5c in HttpConnection::processModSecRules (this=0x146a3a0, phase=32) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:207
#5 0x00000000004bdf11 in HttpConnection::nextRequest (this=0x146a3a0) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:223
#6 0x00000000004c2d49 in HttpConnection::writeComplete (this=0x146a3a0) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:2203
#7 0x00000000004c2e21 in HttpConnection::doWrite (this=0x146a3a0, aioSent=0) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:2225
#8 0x00000000004c2fcb in HttpConnection::onWriteEx (this=0x146a3a0) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:2283
#9 0x000000000046bf8d in HttpIOLink::doWrite (this=0x146a3a0) at /home/gwang/release/httpd/httpd/http/httpiolink.h:162
#10 0x000000000046a9a4 in HttpIOLink::onWriteT (pThis=0x146a3a0) at /home/gwang/release/httpd/httpd/http/httpiolink.cpp:913
#11 0x0000000000469173 in HttpIOLink::handleEvents (this=0x146a3a0, evt=4) at /home/gwang/release/httpd/httpd/http/httpiolink.cpp:180
#12 0x00000000005044ab in epoll::waitAndProcessEvents (this=0xdb4d70, iTimeoutMilliSec=100) at /home/gwang/release/httpd/httpd/edio/epoll.cpp:345
#13 0x000000000045707c in EventDispatcher::run (this=0xd8d018) at /home/gwang/release/httpd/httpd/http/eventdispatcher.cpp:225
#14 0x00000000004151d3 in HttpServerImpl::start (this=0xd8cff0) at /home/gwang/release/httpd/httpd/main/httpserver.cpp:492
#15 0x00000000004183d1 in HttpServer::start (this=0x894710) at /home/gwang/release/httpd/httpd/main/httpserver.cpp:1909
#16 0x000000000040eebb in LshttpdMain::main (this=0xd8cc30, argc=1, argv=0x7fff78bd0488) at /home/gwang/release/httpd/httpd/main/lshttpdmain.cpp:1840
#17 0x000000000040a63f in main (argc=1, argv=0x7fff78bd0488) at /home/gwang/release/httpd/httpd/main.cpp:124


PLEASE help me or fix this problem
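
An added example, not part of any post in this thread and not LiteSpeed or CSF code: a Python script that ties the file name in an LFD "Suspicious File Alert" to the pid in the web server's crash notice, using the fields quoted above. The sample text is constructed from those messages, and the function names are hypothetical.

```python
import re

# Constructed sample: one LFD alert and one LiteSpeed restart notice, shaped
# like the messages quoted in this thread.
SAMPLE_ALERT = """\
Time: Sun Feb 10 10:09:04 2013 +0330
File: /tmp/lshttpd/bak_core/core.16462
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: Moved into /etc/csf/suspicious.tar
"""
SAMPLE_RESTART = ("At [10/Feb/2013:01:57:11 +0330], web server with pid=16462 "
                  "received unexpected signal=11, a core file is created.")

FIELD_RE = re.compile(r"^(Time|File|Reason|Owner|Action):\s*(.*)$", re.M)
CORE_RE = re.compile(r"^/tmp/lshttpd/(?:bak_core/)?core\.(\d+)$")
CRASH_RE = re.compile(r"pid=(\d+) received unexpected signal=(\d+)")


def parse_alert(text):
    """Return the alert's Time/File/Reason/Owner/Action fields as a dict."""
    return {k.lower(): v.strip() for k, v in FIELD_RE.findall(text)}


def crashed_pids(mail_text):
    """Map pid -> signal number for every restart notice in mail_text."""
    return {int(p): int(s) for p, s in CRASH_RE.findall(mail_text)}


def triage(alert_text, restart_mail_text):
    """Classify one alert: core of a known crash, unmatched core, or other."""
    alert = parse_alert(alert_text)
    m = CORE_RE.match(alert.get("file", ""))
    if not m:
        return "review", alert          # not a core-file path: inspect by hand
    pid = int(m.group(1))
    sig = crashed_pids(restart_mail_text).get(pid)
    if sig is None:
        return "core-unmatched", alert  # core-like name but no crash notice
    return f"core-dump pid={pid} signal={sig}", alert


if __name__ == "__main__":
    verdict, alert = triage(SAMPLE_ALERT, SAMPLE_RESTART)
    print(verdict, "<-", alert["file"])
```

A matching name alone does not prove a file is a core dump, so the "core-unmatched" and "review" results still need manual inspection.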