  1. #1
    Join Date
    Jun 2010

    Drupal site makes server down


    One of the cPanel clients on our VPS has a Drupal 7 site that is getting tons of spam comments, and they are being blocked by mod_sec in real time. I can see mod_sec blocking a comment every few seconds for that site.

    But the problem is that the site is using high resources, and from time to time the server goes down, sending "High 15 minute load average alert - 38.42", "HANG: chkservd on host..." messages.

    Now when I complain to the user to protect his site from spam, he replies that he has a captcha in place.

    I am confused now.

    Here is a sample mod_sec log:

    Code:	981243	[06/Nov/2013:06:33:29 --0600]  
    Pattern match "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor ..." at ARGS:comment_body[und][0][value]. [file "/usr/local/apache/conf/modsec_owasp_sql_inject.conf"] [line "245"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: \x80\x81\xe4\xb8\x96\xe7\x95\x8c\xe3\x81\xae\xe5\x8a\x9b\xe3\x82\x92\xe5\x90\xb8\xe5\x8f\x8e\xe3\x81\x97\xe3\x81\xa6\xe8\xa1\x8c\xe3\x81\x8d\xe3\x81\x9f\xe3\x81\x84\xe3\x81\xa8\xe6\x80\x9d\xe3\x81\xa3\xe3\x81\xa6.\xe8\x8a\xb1\xe3\x81\xa8\xe8\xb2\xb4\xe8\xb3\x93\xe7\xa5\xa8\xe3\x82\x92\xe3\x81\x93\xe3\x81\xa8\xe3\x81\x8b\xe3\x82\x89\xe5\xbd\xbc\xe3\x82\x89\xe3\x82\x92\xe9\x9b\xa2\xe3\x82\x8c\xe3\x81\xbe\xe3\x81\x97\xe3\x81\x9f\xe3\x81\x8b\xe3\x80\x81\xe3\x81\x9d\xe3\x82\x8c\xe3\x82\x82\xe3\x..."] [severity "CR
    [06/Nov/2013:06:33:29 --0600] Uno3GK3HudQAAFiI0fgAAAAH 51174 80
    POST /comment/reply/30 HTTP/1.0
    Accept: */*
    User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.11
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 7824
    Pragma: no-cache
    Cookie: DvForum+8%2E2%5Fwww%2Echinarcm%2Ecom%2Ecn=StatUserID=192194503213; ASPSESSIONIDSSTADSQT=PDIPIPABOKNKFHICNMKALCMP
    name=Trermerlody&;comment_body[und][0][value] 81%86%E3%81%93&comment_body[und][0][format]=filtered_html&form_build_id=form-3ZgE1gTzf9Ctoyln1NPjXh_-RYmKu2uEGxoDXfUVWd4&form_id=comment_node_article_form&captcha_sid=1387034&captcha_token=3eb57dbb687ba791e75ab95cbec6e6a9&captcha_response=%21UNKNOWN_TYPE%21&op=Save
    HTTP/1.1 406 Not Acceptable
    X-Powered-By: PHP/5.2.17
    X-Drupal-Cache: MISS
    Expires: Sun, 19 Nov 1978 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
    ETag: "1383741208"
    Content-Language: en
    X-Generator: Drupal 7 (
    Last-Modified: Wed, 06 Nov 2013 12:33:28 GMT
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=utf-8
    Message: Access denied with code 406 (phase 2). Pattern match "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor ..." at ARGS:comment_body[und][0][value]. [file "/usr/local/apache/conf/modsec_owasp_sql_inject.conf"] [line "245"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: \x80\x81\xe4\xb8\x96\xe7\x95\x8c\xe3\x81\xae\xe5\x8a\x9b\xe3\x82\x92\xe5\x90\xb8\xe5\x8f\x8e\xe3\x81\x97\xe3\x81\xa6\xe8\xa1\x8c\xe3\x81\x8d\xe3\x81\x9f\xe3\x81\x84\xe3\x81\xa8\xe6\x80\x9d\xe3\x81\xa3\xe3\x81\xa6.\xe8\x8a\xb1\xe3\x81\xa8\xe8\xb2\xb4\xe8\xb3\x93\xe7\xa5\xa8\xe3\x82\x92\xe3\x81\x93\xe3\x81\xa8\xe3\x81\x8b\xe3\x82\x89\xe5\xbd\xbc\xe3\x82\x89\xe3\x82\x92\xe9\x9b\xa2\xe3\x82\x8c\xe3\x81\xbe\xe3\x81\x97\xe3\x81\x9f\xe3\x81\x8b\xe3\x80\x81\xe3\x81\x9d\xe3\x82\x8c\xe3\x82\x82\xe3\x..."] [severity "CR
    Action: Intercepted (phase 2)
    Stopwatch: 1383741208231591 1154805 (- - -)
    Stopwatch2: 1383741208231591 1154805; combined=89986, p1=1, p2=89966, p3=0, p4=0, p5=18, sr=0, sw=1, l=0, gc=0
    Producer: ModSecurity for Apache/2.7.4 (
    Server: Apache
    Engine-Mode: "ENABLED"
    Please tell me how to get rid of this situation.

  2. #2
    Join Date
    Dec 2007
    You can suggest a few steps to your client to optimize and protect the Drupal website, like:

    1) Enable captcha, hidden captcha, Honeypot

    2) Enable compression and cache from:
    Drupal Administration >> Configuration >> Development >> Performance
    3) Create and assign 404, 403 error pages from:
    Drupal Administration >> Configuration >> System
    4) Use a lightweight theme.

    5) Use minimum modules. Avoid use of unnecessary modules.

    6) Compress content from cPanel

    8) Use a Drupal cache module like

  3. #3
    Join Date
    Mar 2005
    A brute-force attack on any CMS will not be slowed down by a captcha - as this still requires considerable server resources to answer all the queries.

    Best thing to reduce resource usage is to change the admin path and put up a 404 page.

  4. #4
    Join Date
    Jun 2010
    Thanks guys, I have taken your suggestions to the site developer.
    I'll get back to you with the results.

  5. #5

  6. #6
    Join Date
    Jun 2010
    Originally posted by bg2k:
    Page not found
    The requested page "/project/image_captcha" could not be found.

    But the developer said he has put a captcha in place.
    The problem is it is getting tons of hits.
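
Post #3's point, that a request still costs server time even when it is rejected, can be measured from the audit log in post #1. The following is an added example, not code from any poster: it totals, per request target, the `Stopwatch2` transaction duration and the part spent inside ModSecurity. The sample log is constructed; only the first entry's request line and `Stopwatch2` values are taken from post #1.

```python
import re
from collections import defaultdict

# Constructed sample: three trimmed audit-log entries. The first reuses the
# request line and Stopwatch2 values from post #1; the other two are invented.
SAMPLE = """\
POST /comment/reply/30 HTTP/1.0
HTTP/1.1 406 Not Acceptable
Action: Intercepted (phase 2)
Stopwatch2: 1383741208231591 1154805; combined=89986, p1=1, p2=89966, p3=0, p4=0, p5=18, sr=0, sw=1, l=0, gc=0
POST /comment/reply/30 HTTP/1.0
HTTP/1.1 406 Not Acceptable
Action: Intercepted (phase 2)
Stopwatch2: 1383741214000000 1300000; combined=91000, p1=1, p2=90980, p3=0, p4=0, p5=19, sr=0, sw=1, l=0, gc=0
GET /node/30 HTTP/1.1
HTTP/1.1 200 OK
Stopwatch2: 1383741215000000 250000; combined=2000, p1=1, p2=1990, p3=0, p4=0, p5=9, sr=0, sw=1, l=0, gc=0
"""

REQUEST = re.compile(r"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/\d\.\d$")
STOPWATCH2 = re.compile(r"^Stopwatch2: (\d+) (\d+); combined=(\d+)")

def summarize(log_text):
    """Per request target: hits, blocked hits, and time spent (microseconds)."""
    stats = defaultdict(lambda: {"hits": 0, "blocked": 0, "total_us": 0, "modsec_us": 0})
    current = None
    for line in map(str.strip, log_text.splitlines()):
        m, sw = REQUEST.match(line), STOPWATCH2.match(line)
        if m:
            current = stats[(m.group(1), m.group(2))]
            current["hits"] += 1
        elif current is None:
            continue  # anything before the first request line
        elif line.startswith("Action: Intercepted"):
            current["blocked"] += 1
        elif sw:
            # Second field: duration of the whole transaction.
            # combined: the part of it spent inside ModSecurity.
            current["total_us"] += int(sw.group(2))
            current["modsec_us"] += int(sw.group(3))
    return dict(stats)

if __name__ == "__main__":
    for (method, uri), s in summarize(SAMPLE).items():
        outside = (s["total_us"] - s["modsec_us"]) / 1e6
        print(f"{method} {uri}: {s['hits']} hits, {s['blocked']} blocked, "
              f"{s['total_us'] / 1e6:.2f}s total, {outside:.2f}s outside ModSecurity")
```

For the entry in post #1, the transaction lasted about 1.15 s and ModSecurity accounts for about 0.09 s of that.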
