litespeed hacked?

[AndrewT]

Now the notifications are telling us to upgrade to 4.0.15 when we already have

 

[MikeDVB]

Now the notifications are telling us to upgrade to 4.0.15 when we already have

I believe George released an updated 4.0.15

 

[robfrew]

Please inform when 4.1RC build with fix is released, thank you.

 

[mistwang]

4.1RC3 build is available for download, just change the version number in the download link. Also 4.1RC2 package has been updated as well, just in case serious bug introduced in 4.1RC3.
We still have some features to be added to 4.1RC3, so it is not final yet.

 

[robfrew]

4.1RC3 build is available for download, just change the version number in the download link. Also 4.1RC2 package has been updated as well, just in case serious bug introduced in 4.1RC3.
We still have some features to be added to 4.1RC3, so it is not final yet.

Tried using RC3 and after install and restart, received 503 errors immediately.

 

[mistwang]

503 error from PHP script or something else?
Can you send me the log file for analysis?

 

[robfrew]

503 error from PHP script or something else?
Can you send me the log file for analysis?

Not sure, I couldn't get into the admin panel and all the sites had 503 errors so I re-installed the patched RC2.

 

[robfrew]

503 error from PHP script or something else?
Can you send me the log file for analysis?

I just tried accessing the control panel from RC2 and I cannot, I get this error message now:

The connection to www.xxxxxx.com:10001 was interrupted while the page was loading.

 

[robfrew]

503 error from PHP script or something else?
Can you send me the log file for analysis?

Looked at error log file and saw this after installing RC3:

2010-06-16 07:34:36.586 [ERROR] execve() failed with errno=14, when try to start Fast CGI application: /opt/lsws/bin/httpd -n 20!

Cannot find why RC2 will not allow me to get into the Control Panel.

 

[robfrew]

It looks like I cannot get into any secure (https) areas of any website running the patched RC2. That is why I cannot get into the control panel because it resides on a secure setup. I had to load the original RC2 to get my secure sites to work again.

 

[robfrew]

Any updates or fixes for this yet?

 

[mistwang]

Have updated RC2 to address the https issue.
which edition are you using? i386 or x86_64? want to address the issue with 4.1RC3

 

[robfrew]

Have updated RC2 to address the https issue.
which edition are you using? i386 or x86_64? want to address the issue with 4.1RC3

We are using x86_64.

 

[robfrew]

Have updated RC2 to address the https issue.
which edition are you using? i386 or x86_64? want to address the issue with 4.1RC3

Looking forward to RC3.

 

[luky]

This filter do not work for 4.0.10

GET /index.php
2010-07-21 01:38:07.676 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Find context with URI: [/], location: [/home/www/domains/MY-DOMAIN.com/html/]
2010-07-21 01:38:07.676 [DEBUG] [HTAccess] Updating configuration file [/home/www/domains/MY-DOMAIN.com/html/.htaccess]
2010-07-21 01:38:07.676 [INFO] [HTAccess] Updating configuration from [/home/www/domains/MY-DOMAIN.com/html/.htaccess]
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Find .htaccess context with URI: [/], location: [/home/www/domains/MY-DOMAIN.com/html/]
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] processContextPath() return 0
2010-07-21 01:38:07.677 [INFO] [184.193.59.46:59568-0#MY-DOMAIN.com] no request variables, skip ruleset: XSS attack
2010-07-21 01:38:07.677 [INFO] [184.193.59.46:59568-0#MY-DOMAIN.com] no request variables, skip ruleset: SQL Injection attack
2010-07-21 01:38:07.677 [INFO] [184.193.59.46:59568-0#MY-DOMAIN.com] [SECURITY] match [REQUEST_URI] against pattern [\x00], result: 1
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] readyCacheData() return 0
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Written to client: 453
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] m_pHandler->onWrite() return 0
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] HttpConnection::flush()!
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] HttpConnection::nextRequest()!
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Non-KeepAlive, CLOSING!
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] processNewReq() return 0.
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Shutting down out-bound socket ...
2010-07-21 01:38:07.792 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] HttpIOLink::handleEvents() events=17!
2010-07-21 01:38:07.792 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Close socket ...

screenshot from admin panel Request Filter
grab.by/grabs/6082dddb30bf07cfe7fb187fe2e721de.png

 

[NiteWave]

best to upgrade to 4.0.15

 

[luky]

I know, but it has turned out to force to work for me

Action:log,deny,status:403

 

[J.T.]

Couple of questions regarding this.

1. How can we check whether the server may have already been compromised before upgrading or applying the mod sec rule?

2. If we don't log in to the LSWS admin UI we wouldn't know there's an update. Even if we did, it doesn't exactly highlight the update as urgent/crucial. Some updates recently were just for some control panel integration so I waited on those. It would be really handy if there was an RSS feed to monitor this type of news (without having to subscribe to every forum thread, then filter them). I don't see a feed on the news items, which would have been perfect. Can you please consider this point and let us know how best to be fed updates?