Suspicious File Alert

Discussion in 'Bug Reports' started by pooyan, Aug 4, 2012.

  1. pooyan

    pooyan Well-Known Member

    Time: Sat Aug 4 17:32:04 2012 +0430
    File: /tmp/lshttpd/bak_core/core.8724
    Reason: Linux Binary
    Owner: nobody:nobody (99:99)
    Action: Moved into /etc/csf/suspicious.tar

    I receive this email every ~5minutes
    When i Switch to apache i not receive this email,
  2. pooyan

    pooyan Well-Known Member

    Can you please help me?
  3. webizen

    webizen Well-Known Member

  4. pooyan

    pooyan Well-Known Member

    need i install again lsws ?
  5. webizen

    webizen Well-Known Member

    Not the same package but the dbg counterpart.
  6. pooyan

    pooyan Well-Known Member

    How do I use this file?
    What should I do?
  7. webizen

    webizen Well-Known Member

    Here are the steps:

    1. download and install the package

      tar zxf lsws-4.1.13-ent-x86_64-linux-dbg.tar.gz​
      cd lsws-4.1.13​
      Note: choose 'U' for upgrade when prompted and default for the rest.​
    2. remove old core files
      rm /tmp/lshttpd/bak_core/*​
    3. send new core (or new /etc/csf/suspicious.tar) to bug@ when it generates.
  8. pooyan

    pooyan Well-Known Member

    Would you like to Upgrade, Reinstall or Change directory [U/r/c]? U

    [ERROR] Sorry, installation will abort without a valid license key.

    For evaluation purpose, please obtain a trial license key from our web
    site, copy it to this directory
    and run Installer again.

    If a production license has been purchased, please copy the serial number
    from your confirmation email to this directory and run Installer again.

    Please remember to set ftp to BINARY mode when you ftp trial.key from
    another machine.
  9. webizen

    webizen Well-Known Member

    remove any trial.key and verify your license key. if no issue, do the upgrade again.
  10. pooyan

    pooyan Well-Known Member

    Problem still hero.
    Please help me,
  11. NiteWave

    NiteWave Administrator

    please continue monitoring the server.
    report if any new issue.
  12. skyknight

    skyknight Member

    i'm having same issue,

    Litespeed Web Server Enterprise v4.2.1

    Time: Tue Jan 29 10:26:33 2013 +0700
    File: /tmp/lshttpd/bak_core/core.579774
    Reason: Linux Binary
    Owner: nobody:nobody (99:99)
  13. pooyan

    pooyan Well-Known Member

    Maybe problem fixed
    Thank you!
  14. webizen

    webizen Well-Known Member

    install debug version of lsws 4.2.1 (see steps in the earlier post) and send us the bt (backtrace).
  15. pooyan

    pooyan Well-Known Member

    The problem is still not resolved.
    Please fix it. SSH access not changed

    + 10000 email.

    Time: Sun Feb 10 10:09:04 2013 +0330
    File: /tmp/lshttpd/bak_core/core.16462
    Reason: Linux Binary
    Owner: nobody:nobody (99:99)
    Action: Moved into /etc/csf/suspicious.tar
  16. NiteWave

    NiteWave Administrator

    run "top -c":
    I killed the process by
    #kill 27128

    like I did last time. please see if email still coming in.

    please try to upgrade to 4.2.2 manually. it fixed a few mod_security bugs and likely including yours.

    #cd /usr/local/lsws/admin/misc
    #./ -v 4.2.2
  17. pooyan

    pooyan Well-Known Member

    Thank you very much for answer
    I upgraded lsws to 4.2.2 and restarted server but still problem not resolved!
    Also i received this email

    Sub: Web server *** on *** is automatically restarted
    Body: At [10/Feb/2013:01:57:11 +0330], web server with pid=16462 received unexpected signal=11, a core file is created. A new instance of web server will be started automatically!

    Please forward the following debug information to

    Server: LiteSpeed/4.2.1 Enterprise
    OS: Linux
    Release: 2.6.32-279.19.1.el6.x86_64
    Version: #1 SMP Wed Dec 19 07:05:20 UTC 2012
    Machine: x86_64

    If the call stack information does not show up here, please compress and forward the core file located in /tmp/lshttpd/.

    [New Thread 16462]
    [New Thread 16463]
    [New Thread 16464]
    [Thread debugging using libthread_db enabled]
    Core was generated by `litespeed'.
    Program terminated with signal 11, Segmentation fault.
    #0 0x0000000000418ace in HttpBuf::size (this=0x5fe8f87d8b48f075) at /home/gwang/release/httpd/httpd/http/httpbuf.h:55
    in /home/gwang/release/httpd/httpd/http/httpbuf.h
    #0 0x0000000000418ace in HttpBuf::size (this=0x5fe8f87d8b48f075) at /home/gwang/release/httpd/httpd/http/httpbuf.h:55
    #1 0x0000000000462c90 in SecRuleRangeList::append (this=0xd904d8, rhs=...) at /home/gwang/release/httpd/httpd/http/secrule.h:615
    #2 0x000000000047fc39 in HttpReq::setSecRemoveID (this=0x146a448, pList=0xd904d8) at /home/gwang/release/httpd/httpd/http/httpreq.cpp:4565
    #3 0x000000000049f76b in SecEngine::execute (this=0xd90420, pRuleSets=0xe91780, pConn=0x146a3a0, phase=32, scanPost=0) at /home/gwang/release/httpd/httpd/http/secengine.cpp:883
    #4 0x00000000004bde5c in HttpConnection::processModSecRules (this=0x146a3a0, phase=32) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:207
    #5 0x00000000004bdf11 in HttpConnection::nextRequest (this=0x146a3a0) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:223
    #6 0x00000000004c2d49 in HttpConnection::writeComplete (this=0x146a3a0) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:2203
    #7 0x00000000004c2e21 in HttpConnection::doWrite (this=0x146a3a0, aioSent=0) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:2225
    #8 0x00000000004c2fcb in HttpConnection::eek:nWriteEx (this=0x146a3a0) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:2283
    #9 0x000000000046bf8d in HttpIOLink::doWrite (this=0x146a3a0) at /home/gwang/release/httpd/httpd/http/httpiolink.h:162
    #10 0x000000000046a9a4 in HttpIOLink::eek:nWriteT (pThis=0x146a3a0) at /home/gwang/release/httpd/httpd/http/httpiolink.cpp:913
    #11 0x0000000000469173 in HttpIOLink::handleEvents (this=0x146a3a0, evt=4) at /home/gwang/release/httpd/httpd/http/httpiolink.cpp:180
    #12 0x00000000005044ab in epoll::waitAndProcessEvents (this=0xdb4d70, iTimeoutMilliSec=100) at /home/gwang/release/httpd/httpd/edio/epoll.cpp:345
    #13 0x000000000045707c in EventDispatcher::run (this=0xd8d018) at /home/gwang/release/httpd/httpd/http/eventdispatcher.cpp:225
    #14 0x00000000004151d3 in HttpServerImpl::start (this=0xd8cff0) at /home/gwang/release/httpd/httpd/main/httpserver.cpp:492
    #15 0x00000000004183d1 in HttpServer::start (this=0x894710) at /home/gwang/release/httpd/httpd/main/httpserver.cpp:1909
    #16 0x000000000040eebb in LshttpdMain::main (this=0xd8cc30, argc=1, argv=0x7fff78bd0488) at /home/gwang/release/httpd/httpd/main/lshttpdmain.cpp:1840
    #17 0x000000000040a63f in main (argc=1, argv=0x7fff78bd0488) at /home/gwang/release/httpd/httpd/main.cpp:124

    PLEASE help me or fix this problem
  18. NiteWave

    NiteWave Administrator

    this email was sent out 1 day ago, it's about bug for lsws 4.2.1.
    since you have upgraded to 4.2.2, should be no 4.2.1 related bug report any more.

Share This Page