[Solved] Suspended: dl5ark

[dl5ark1]

I have renamed all paths to php files and also the php files on the root. PHP can no longer generate a load. We are still waiting until 00:00 UTC to restart. In the meantime, you are welcome to take a look at my logs to see whether you can see any indication of today's load.

[Krydos]

You are getting hit by a lot of bots looking to hack Wordpress installs. Obviously you don't actually have a Wordpress install though so they're all getting 404 errors. Do you have a custom 404 page that is served by php perhaps?

[Krydos]

That's a lot of bot hits. Any idea what "empty user agent string" could be? Unless you know what that is it's probably malicious because respectable bots identify themselves.

[Krydos]

If you want to block the "empty user agent string" bots you can do so by putting this in your .htaccess

RewriteEngine On

RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ - [F,L]

[dl5ark1]

I don't have a custom 404 error page.

The suspendedpage is currently called in the existing .htaccess.

[dl5ark1]

In the folders under homedir\tmp\pma_template_compiles_dl5ark\twig are some *.php Files which I don't know. Is this normal?

[Krydos]

In the folders under homedir\tmp\pma_template_compiles_dl5ark\twig are some *.php Files which I don't know. Is this normal?

I think those are temporary files that are created when you use phpmyadmin. Have you been using phpmyadmin?

[dl5ark1]

Yes, i use phpmyadmin.

[dl5ark1]

Can we create a wordpress directory and revoke access to it? Maybe this will stop the access to the non-existent Wordpress installation?

[Krydos]

Well, the load is coming from php for sure. Unless you're using a custom error page that points all 404 requests to a php script, that probably isn't the cause of your high load. Without a custom error page apache just handles 404 errors on its own which causes very little load.

 

I think you should block some of the bots, especially the "empty user agent string" bots, using .htaccess like I suggested. Unless you know what they are for sure I would say that wget, fetcher, obot, and old firefox versions should probably be blocked too.

[dl5ark1]

After every change in .htaccess I get

###

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at webmaster@dl5ark.heliohost.org to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

###

I have now restored the .htaccess for the suspendedpage.

Can you write the .htaccess for "empty user agent string"? wget I am myself.

[dl5ark1]

empty user agent string:

Hits 24,920

Bandwidth 3.29 MB

Can this bandwidth really be responsible for 100% CPU and memory usage?

[Krydos]

Depends on what the php script does. I could easily write a php script with less than 10 lines of code that gobbles up 512 MB of memory and pegs the cpu at 100% for 60 seconds and then only outputs 15 bytes of bandwidth.

[Krydos]

Ok, I set up your .htaccess for you. I made it a little more elegant than my simple example above.

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_URI} !ua.html$
RewriteRule ^(.*)$ http://dl5ark.heliohost.org/ua.html [R=301,L]

and ua.html is this

Please provide a non-blank user agent to access this site.

That way the blank user agent bots will have a useful error, and can change their bot to continue accessing your site if they want to.

 

Thanks for being so responsive, and trying so hard to fix this issue, by the way.

[Krydos]

Looks like blocking the blank user agent bots did the trick. We're almost three hours into the new day, and your account load is basically zero.