Back To Programming / Scripting / Coding Forum

PHP Haunted by HTTP 1.0 Max Execution

PolishHurricane
Mastermind
Joined: Feb 17, 2005
Posts: 1585
Status: Offline

July 22nd, 2009, 4:22 pm

For a long time now, every once in a while, I keep getting a max execution error in my PHP error log file.

Code: [ Select ]

[22-Jul-2009 14:38:08] PHP Fatal error: Maximum execution time of 30 seconds exceeded in includes\template.class.php(124) : eval()'d code on line 249

So I go to my Apache access.log file and I constantly check for whatever was requested, and I see random requests like this...

Code: [ Select ]

89.239.8.11 - - [22/Jul/2009:14:36:47 -0400] "GET /register HTTP/1.0" 200 51823
89.239.8.11 - - [22/Jul/2009:14:36:49 -0400] "GET /forumviewtopic?t=1&p=1 HTTP/1.0" 200 25661

89.239.8.11 - - [22/Jul/2009:14:36:47 -0400] "GET /register HTTP/1.0" 200 51823
89.239.8.11 - - [22/Jul/2009:14:36:49 -0400] "GET /forumviewtopic?t=1&p=1 HTTP/1.0" 200 25661

Usually it's a specific page, my registration page. I thought it was an issue on that page and I actually rewrote a lot of it, but I still get this error with my template class. I noticed it's only when these weird HTTP/1.0 requests occur though. I can't figure out what causes it.

Does anybody know if there is some sort of plugin for firefox that I can test in HTTP 1.0 with? Or anything that can help me log this better? I'm just curious what kind of bot/script is constantly querying my site causing this error, I would like to know if they are probing for exploits or something.

There's no place like 127.0.0.1, badass part is now it's ::1

Anonymous
Bot
- www.ozzu.com
Joined: 25 Feb 2008
Posts: ?
Loc: Ozzuland
Status: Online

July 22nd, 2009, 4:22 pm

Bigwebmaster
Site Admin
Joined: Dec 20, 2002
Posts: 8934
Loc: Seattle, WA & Phoenix, AZ
Status: Offline

July 22nd, 2009, 4:41 pm

I am just curious, are the requests always GET requests? If they were POST requests I would say that its possible that they are doing more than what is showing up there in the logs, but GET requests put all the variables in the actual URL so you should be able to see and duplicate what is going on.

If you have some sort of telnet or ssh application all you need to do is connect to your domain using port 80 and then put the exact request in there to duplicate the HTTP/1.0 part, a Firefox plugin would probably be much easier though if it exists.

You could also use something like this to test:

http://web-sniffer.net/

It is an online interface that I have used to duplicate user-agents or change from HTTP/1.1 to HTTP/1.0, test GET or POST requests, etc.

Ozzu Hosting - Want your website on a fast server like Ozzu?

PolishHurricane
Mastermind
Joined: Feb 17, 2005
Posts: 1585
Status: Offline

July 23rd, 2009, 2:09 pm

Yeah it seems they are all GET, which is weird, because then all the variables would be passed in the URL.

I just got ANOTHER identical pair of requests exactly 12 hours later:

Code: [ Select ]

58.65.218.250 - - [23/Jul/2009:02:36:58 -0400] "GET /register HTTP/1.0" 200 49867
58.65.218.250 - - [23/Jul/2009:02:38:27 -0400] "GET /forumviewtopic?t=1&p=1 HTTP/1.0" 200 25991

58.65.218.250 - - [23/Jul/2009:02:36:58 -0400] "GET /register HTTP/1.0" 200 49867
58.65.218.250 - - [23/Jul/2009:02:38:27 -0400] "GET /forumviewtopic?t=1&p=1 HTTP/1.0" 200 25991

I tried using web-sniffer.net with both HTTP 1.0's & multiple user agents/request types and nothing triggered an error.

I guess I'm just going to log all the headers and see what I get.

Thanks

There's no place like 127.0.0.1, badass part is now it's ::1

Bogey
Bogey
Joined: Jul 14, 2005
Posts: 8212
Loc: USA
Status: Offline

July 23rd, 2009, 2:38 pm

Shouldn't it be "http://thegzl.com/forum-view-topic?t=1&p=1" rather than "http://thegzl.com/forumviewtopic?t=1&p=1"? Maybe it's just not getting to the error page (well... /news) like it should be?

But I also didn't get anything on web-sniffer about that... seems like every user agent on both HTTP/1.0 are transferred correctly.

BTW: Are you going to put your site up for site review? I have a few things I could point you on

"Bring forth therefore fruits meet for repentance:" Matthew 3:8

PolishHurricane
Mastermind
Joined: Feb 17, 2005
Posts: 1585
Status: Offline

July 24th, 2009, 9:17 am

Actually I already use hyphens in my URLs man and that link works (if you checked it), I switched a few weeks ago and that's funny because last night I added 404's for pages which do not exist, so spiders now know.

Check this out though, this is a list of client headers from the requests crashed that page, all from cigarette websites...
Note: I deleted part of the URLs so they don't get Ozzu traffic

Code: [ Select ]

Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705) [Referer] => http://www.che.../Marlboro-cigarettes [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) [Referer] => http://www.bestcigaret ... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Opera/9.00 (Windows NT 4.0; U; en) [Referer] => http://bestcigarette... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461) [Referer] => http://www.cigare... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) [Referer] => http://www.bestcigarettes... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] =>

Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705) [Referer] => http://www.che.../Marlboro-cigarettes [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) [Referer] => http://www.bestcigaret ... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Opera/9.00 (Windows NT 4.0; U; en) [Referer] => http://bestcigarette... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461) [Referer] => http://www.cigare... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) [Referer] => http://www.bestcigarettes... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] =>

The ones that are bolded caused PHP errors, it's weird though because 1 was a few minutes off.

So apparently this bot with IE6 and Opera 9 crash my page? Weird.

Oh, I also put my site up for review a long long time ago, it could probably use another one I guess. I only work on it when I have time, so...

There's no place like 127.0.0.1, badass part is now it's ::1

Bogey
Bogey
Joined: Jul 14, 2005
Posts: 8212
Loc: USA
Status: Offline

July 24th, 2009, 10:08 am

I mean /forum-view-topic?t=1&p=1 is correct... with hyphens it's correct. But the bot is trying to reach /forumviewtopic?t=1&p=1... without the hyphens, but I guess you got that figured out.

I wonder why all that traffic from cigarettes company. I guess I wouldn't be able to tell you the reason for the crashes, so I might as well stop sabotaging your thread :lol:

"Bring forth therefore fruits meet for repentance:" Matthew 3:8

PolishHurricane
Mastermind
Joined: Feb 17, 2005
Posts: 1585
Status: Offline

July 24th, 2009, 10:29 am

Just because it requests /forumviewtopic?t=1&p=1 doesn't mean it exists. It is a list of pages that the bot is trying to request, not what is actually served. It tells you an error code that is served, but now my server serves up a 404 and redirects to pages that don't exist. Just make sure you actually visit the URL and see if it exists before you assume it does.

On my site if you try...

"forum-view-topic", it works, Apache throws 200 and you get served a forum topic page.
"forumviewtopic", the PHP script throws 404 and you get a redirect to "/"
"sldjkfsldfj", the PHP script throws 404 and you get a redirect to "/"
"" (nothing), main page is included, Apache throws 200 and it is served from server.

There's no place like 127.0.0.1, badass part is now it's ::1

Bogey
Bogey
Joined: Jul 14, 2005
Posts: 8212
Loc: USA
Status: Offline

July 24th, 2009, 10:44 am

PolishHurricane wrote:

Just because it requests /forumviewtopic?t=1&p=1 doesn't mean it exists.

I never said that it existed, I'm just saying that it is requesting the page that doesn't exist... does this makes sense? But like I said, you have figured it out already.

"Bring forth therefore fruits meet for repentance:" Matthew 3:8

PolishHurricane
Mastermind
Joined: Feb 17, 2005
Posts: 1585
Status: Offline

July 24th, 2009, 12:54 pm

Oh well I apologize, yeah the bot is just requesting the page because it once existed and it is stupid. Now my site throws a 404. It's just so weird.

There's no place like 127.0.0.1, badass part is now it's ::1

Page 1 of 1

To Reply to this topic you need to LOGIN or REGISTER. It is free.

Post Information

Total Posts in this topic: 9 posts
Users browsing this forum: No registered users and 100 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

PHP Haunted by HTTP 1.0 Max Execution

Post Information

Sponsored Links

Other Languages

Website Development

Graphics

OS & Hardware

Internet Marketing

Marketplace

Community Area

Ozzu Maintenance

Forum Network

Forum Partners

Other Information