PHP Haunted by HTTP 1.0 Max Execution

  • PolishHurricane
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1585

Post 3+ Months Ago

For a long time now, every once in a while, I keep getting a max execution error in my PHP error log file.

Code: [ Select ]
[22-Jul-2009 14:38:08] PHP Fatal error: Maximum execution time of 30 seconds exceeded in includes\template.class.php(124) : eval()'d code on line 249


So I go to my Apache access.log file and I constantly check for whatever was requested, and I see random requests like this...

Code: [ Select ]
89.239.8.11 - - [22/Jul/2009:14:36:47 -0400] "GET /register HTTP/1.0" 200 51823
89.239.8.11 - - [22/Jul/2009:14:36:49 -0400] "GET /forumviewtopic?t=1&p=1 HTTP/1.0" 200 25661
  1. 89.239.8.11 - - [22/Jul/2009:14:36:47 -0400] "GET /register HTTP/1.0" 200 51823
  2. 89.239.8.11 - - [22/Jul/2009:14:36:49 -0400] "GET /forumviewtopic?t=1&p=1 HTTP/1.0" 200 25661


Usually it's a specific page, my registration page. I thought it was an issue on that page and I actually rewrote a lot of it, but I still get this error with my template class. I noticed it's only when these weird HTTP/1.0 requests occur though. I can't figure out what causes it.

Does anybody know if there is some sort of plugin for firefox that I can test in HTTP 1.0 with? Or anything that can help me log this better? I'm just curious what kind of bot/script is constantly querying my site causing this error, I would like to know if they are probing for exploits or something.
  • Anonymous
  • Bot
  • No Avatar
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post 3+ Months Ago

  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9088
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

I am just curious, are the requests always GET requests? If they were POST requests I would say that its possible that they are doing more than what is showing up there in the logs, but GET requests put all the variables in the actual URL so you should be able to see and duplicate what is going on.

If you have some sort of telnet or ssh application all you need to do is connect to your domain using port 80 and then put the exact request in there to duplicate the HTTP/1.0 part, a Firefox plugin would probably be much easier though if it exists.

You could also use something like this to test:

http://web-sniffer.net/

It is an online interface that I have used to duplicate user-agents or change from HTTP/1.1 to HTTP/1.0, test GET or POST requests, etc.
  • PolishHurricane
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1585

Post 3+ Months Ago

Yeah it seems they are all GET, which is weird, because then all the variables would be passed in the URL.

I just got ANOTHER identical pair of requests exactly 12 hours later:
Code: [ Select ]
58.65.218.250 - - [23/Jul/2009:02:36:58 -0400] "GET /register HTTP/1.0" 200 49867
58.65.218.250 - - [23/Jul/2009:02:38:27 -0400] "GET /forumviewtopic?t=1&p=1 HTTP/1.0" 200 25991
  1. 58.65.218.250 - - [23/Jul/2009:02:36:58 -0400] "GET /register HTTP/1.0" 200 49867
  2. 58.65.218.250 - - [23/Jul/2009:02:38:27 -0400] "GET /forumviewtopic?t=1&p=1 HTTP/1.0" 200 25991


I tried using web-sniffer.net with both HTTP 1.0's & multiple user agents/request types and nothing triggered an error.

I guess I'm just going to log all the headers and see what I get.

Thanks
  • Bogey
  • Genius
  • Genius
  • Bogey
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

Shouldn't it be "http://thegzl.com/forum-view-topic?t=1&p=1" rather than "http://thegzl.com/forumviewtopic?t=1&p=1"? Maybe it's just not getting to the error page (well... /news) like it should be?

But I also didn't get anything on web-sniffer about that... seems like every user agent on both HTTP/1.0 are transferred correctly.

BTW: Are you going to put your site up for site review? I have a few things I could point you on :D
  • PolishHurricane
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1585

Post 3+ Months Ago

Actually I already use hyphens in my URLs man and that link works (if you checked it), I switched a few weeks ago and that's funny because last night I added 404's for pages which do not exist, so spiders now know.

Check this out though, this is a list of client headers from the requests crashed that page, all from cigarette websites...
Note: I deleted part of the URLs so they don't get Ozzu traffic

Code: [ Select ]
 
Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705) [Referer] => http://www.che.../Marlboro-cigarettes [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) [Referer] => http://www.bestcigaret ... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Opera/9.00 (Windows NT 4.0; U; en) [Referer] => http://bestcigarette... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461) [Referer] => http://www.cigare... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) [Referer] => http://www.bestcigarettes... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] =>
 
  1.  
  2. Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705) [Referer] => http://www.che.../Marlboro-cigarettes [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
  3. Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) [Referer] => http://www.bestcigaret ... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
  4. Array ( [Accept] => */* [User-Agent] => Opera/9.00 (Windows NT 4.0; U; en) [Referer] => http://bestcigarette... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
  5. Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461) [Referer] => http://www.cigare... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] => )
  6. Array ( [Accept] => */* [User-Agent] => Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) [Referer] => http://www.bestcigarettes... [Host] => thegzl.com [Proxy-Connection] => Keep-Alive [Cookie] =>
  7.  


The ones that are bolded caused PHP errors, it's weird though because 1 was a few minutes off.

So apparently this bot with IE6 and Opera 9 crash my page? Weird.

Oh, I also put my site up for review a long long time ago, it could probably use another one I guess. I only work on it when I have time, so...
  • Bogey
  • Genius
  • Genius
  • Bogey
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

I mean /forum-view-topic?t=1&p=1 is correct... with hyphens it's correct. But the bot is trying to reach /forumviewtopic?t=1&p=1... without the hyphens, but I guess you got that figured out.


I wonder why all that traffic from cigarettes company. I guess I wouldn't be able to tell you the reason for the crashes, so I might as well stop sabotaging your thread :lol:
  • PolishHurricane
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1585

Post 3+ Months Ago

Just because it requests /forumviewtopic?t=1&p=1 doesn't mean it exists. It is a list of pages that the bot is trying to request, not what is actually served. It tells you an error code that is served, but now my server serves up a 404 and redirects to pages that don't exist. Just make sure you actually visit the URL and see if it exists before you assume it does.

On my site if you try...

"forum-view-topic", it works, Apache throws 200 and you get served a forum topic page.
"forumviewtopic", the PHP script throws 404 and you get a redirect to "/"
"sldjkfsldfj", the PHP script throws 404 and you get a redirect to "/"
"" (nothing), main page is included, Apache throws 200 and it is served from server.
  • Bogey
  • Genius
  • Genius
  • Bogey
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

PolishHurricane wrote:
Just because it requests /forumviewtopic?t=1&p=1 doesn't mean it exists.

I never said that it existed, I'm just saying that it is requesting the page that doesn't exist... does this makes sense? But like I said, you have figured it out already.
  • PolishHurricane
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1585

Post 3+ Months Ago

Oh well I apologize, yeah the bot is just requesting the page because it once existed and it is stupid. Now my site throws a 404. It's just so weird.

Post Information

  • Total Posts in this topic: 9 posts
  • Users browsing this forum: No registered users and 74 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
cron
 

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.