ID: 14372 Updated by: daniel Reported By: [EMAIL PROTECTED] Status: Bogus Bug Type: Apache related Operating System: FreeBSD 4.4-Stable PHP Version: 4.0.6 New Comment:
disable this functions will make PHP useless and disabling these functions in PHP doesn't prevent your customers from doing the same thing in Perl or C. What you experienced was a standard DoS attack, thus the problem should be solved at apache level. Limiting the number of connections per IP sounds like a good idea, doesn't it? mod_throttle looks like a good solution: http://www.snert.com/Software/mod_throttle/index.shtml "Request" combined with "ThrottleClientIP" should solve your problem (although I have never tested this module). an alternative would be to limit the number of connections a virtual host can receive: http://httpd.apache.org/docs/mod/core.html#maxclients .. which would only give a limited amount of protection, because the potential hacker would just DoS many virtual hosts at the same time. Kind Regards, Daniel Lorch Previous Comments: ------------------------------------------------------------------------ [2001-12-09 13:17:25] [EMAIL PROTECTED] Just to add to this. The way to fix it at the ISP level is to simply put "disable_functions = fsockopen" in your php.ini file. Also make sure you turn off "allow_url_fopen" since this feature can also be used to do something like this. ------------------------------------------------------------------------ [2001-12-07 03:18:28] [EMAIL PROTECTED] You just can't fix this issue without prohibiting to call fsockopen(). Think yourself again, how can this be fixed? You can disallow http open_wrappers for sure. The real fix is to remove the user. There's no bug and nothing to fix -> Bogus. ------------------------------------------------------------------------ [2001-12-07 02:33:08] [EMAIL PROTECTED] We have had users on our system using their PHP scripts to take down our Apache servers. The script uses fsockopen() to call the page that issues the fsockopen() function. When the script calls itself the sever gets into a loop of death, spawning as many connections as httpd.conf will allow. Any incoming connections from then on just hang and all the websites hosted on that machine are down. Here is and script that uses this problem to attack Apache. <?php $fp = fsockopen ($HTTP_HOST, $SERVER_PORT, $errno, $errstr, 30); if (!$fp) { echo "$errstr ($errno)<br>\n"; } else { fputs ($fp, "GET $REQUEST_URI HTTP/1.0\r\nHost: $HTTP_HOST\r\n\r\n"); while (!feof($fp)) { echo fgets ($fp,128); } fclose ($fp); } ?> Please fix this. We really had a hard time finding the person responsible for doing this. They had the script in their home "public_html" directory and the only clue we had was that in the Apache logs it was always the last page accessed before the server freaked out and spawned over 150 Apache processes. Thanks, pHil Cogbill 3iem.net ------------------------------------------------------------------------ Edit this bug report at http://bugs.php.net/?id=14372&edit=1 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]