Error message: webiz.johocen.com took too long to respond.
But there is nothing wrong on GCP VM instance.
ping webiz.johocen.com got 0% loss, 169ms average response.
My website is a WordPress multisite on GCP via Bitnami. This happened before; resetting the VM will solve the problem, but it will happen again sometime later.
Any suggestion where I should look into?
Thanks
Bitnami Engineer here,
Sometimes, if you are experiencing poor performance, it is because you are being attacked by Internet bots. The reason for these attacks is that they are trying to find a security bug in your application code or in the software itself.
To know if you are being attacked, run the commands below:
cd /opt/bitnami/apache2/logs/
tail -n 10000 access_log | awk '{print $1}'| sort| uniq -c| sort -nr| head -n 10
This will show you the number of times that an IP address connected to your Web server. If you see that some IP addresses have many more connections than others, run the following command (remember to modify ATTACKER_IP with the correct IP):
cd /opt/bitnami/apache2/logs/
grep "ATTACKER_IP" access_log
If you see that the IP address is always attempting to connect to the same location, if it is a URL that you don’t know, or if it is trying to run binaries or scripts directly, it is likely that IP address is a bot.
To deny connections to these attackers, the easiest way is with your Apache configuration file. Follow these steps:
Edit the file at /opt/bitnami/apps/wordpress/conf/httpd-app.conf. The example below shows how to reject the 1.2.3.4 IP address in WordPress:
<Directory /opt/bitnami/apps/wordpress/htdocs>
deny from 1.2.3.4
...
</Directory>
Restart the Apache web server:
sudo /opt/bitnami/ctlscript.sh restart apache
More information here: https://docs.bitnami.com/google/apps/wordpress/troubleshooting/deny-connections-bots/
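The two log checks above can be combined into one pass. This is an added example, not Bitnami's own tooling; the log lines are constructed, and the field layout assumes Apache's common/combined log format.

```bash
#!/usr/bin/env bash
# Added example: per-client triage of an Apache access log (common/combined format).
# Behind a reverse proxy or CDN the first field is the proxy's address, not the visitor's.

# Constructed sample lines; the addresses are documentation ranges.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.7 - - [10/Mar/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.20 - - [10/Mar/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 18211
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 403 199
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.20 - - [10/Mar/2021:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 9120
192.0.2.44 - - [10/Mar/2021:10:00:05 +0000] "-" 408 -
203.0.113.7 - - [10/Mar/2021:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 403 199
198.51.100.20 - - [10/Mar/2021:10:00:07 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 5120
EOF
}

# triage: reads a log on stdin, prints one line per client, busiest first:
#   requests  ip  distinct_paths  percent_4xx_5xx  most_requested_path
triage() {
  awk '
  {
    ip = $1
    split($0, q, "\"")               # q[2] = request line, q[3] = " status size "
    split(q[2], r, " "); path = (r[2] == "") ? "-" : r[2]
    split(q[3], s, " "); status = s[1]
    hits[ip]++
    if (status ~ /^[45]/) errs[ip]++
    key = ip SUBSEP path
    if (++cnt[key] == 1) paths[ip]++
    if (cnt[key] > best[ip]) { best[ip] = cnt[key]; top[ip] = path }
  }
  END {
    for (ip in hits)
      printf "%d %s %d %d %s\n", hits[ip], ip, paths[ip], 100 * errs[ip] / hits[ip], top[ip]
  }' | LC_ALL=C sort -k1,1nr -k2,2
}

sample_log | triage
```

A client with many requests, few distinct paths and a high error share matches the "always the same location" pattern described above; run it on the real file with `tail -n 10000 access_log | triage`.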
I changed my VM instance from "F1-micro" to "E2-micro". When I then restarted my machine, I couldn't access my webpage using the domain name, the webpage just shows an "Error 521" code - showing that my browser is working, CDN is working but the host has an error. When I paste the VM's IP address into my browser, however, it shows the "Apache2 Debian Default Page".
Can somebody please help me with this?
The Error 521 message is caused by one of two situations:
First, check whether your WordPress site’s server is down. Even if everything else is configured properly, if your WordPress site’s server is offline, Cloudflare simply won’t be able to connect.
Second, your web server might be running fine but blocking Cloudflare’s requests. Because of how Cloudflare works, some server-side security solutions might inadvertently block Cloudflare’s IP addresses.
Cloudflare is a reverse proxy, so all the traffic coming to your origin server will appear as if it's coming from a small range of Cloudflare IPs (rather than each individual visitor's unique IP address). Because of that, some security solutions will view high traffic from a limited number of IP addresses as an attack and block them.
Please check this link out in order to fix error 521 for Cloudflare and WordPress.
Turns out this problem was caused by my having installed the Debian Apache server package and it is causing collisions between it and the Apache shipped in the stack. Bitnami Stacks are completely self-contained and run independently of the rest of the software or libraries installed on your system.
So to fix this, all I had to do was run the following commands:
sudo systemctl stop apache2
sudo /opt/bitnami/ctlscript.sh restart
I'm trying to set up a malware analysis lab, following the instructions found here:
https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/
In setting up inetsim to simulate internet protocols, I keep getting "http_tcp_80 - failed!" every time I run it. Changing the port it uses in the configuration file to 8080 causes it to work. When I run it on a different VM, the configuration works as intended.
I have apache also installed on this vm. Could it be interfering?
Edit: I just installed a new VM to try using inetsim without Apache installed. HTTP is reported to be running, but now dns_53_tcp_udp is reported to be failing to start. Trying to browse web pages to bring up inetsim's default page fails, regardless of whether I use the FQDN or the IP address. The only time I get the page is with localhost. Otherwise, I get server not found. At least I know it's not Apache.
The error I get with DNS indicates that the 0.0.0.0 ip is already in use, which doesn't make sense to me since 0.0.0.0 is being used to bind the services to all IPs. Changing the inetsim.conf file so "service_bind_address 10.0.0.0" instead of "service_bind_address 0.0.0.0" seems to run dns, but the browser on both the analysis machine and the victim machine still report no server found.
You should stop the Apache server:
service apache2 stop
It works for me.
I guess there are some other processes listening on those ports.
Use
sudo netstat -tulpn | grep LISTEN
It will print out those processes with their pid. For example, 964 is the pid of the first process in this case:
Check if something is occupying your corresponding ports. Shut them down with
sudo kill -9 <pid>
Of course, the busy processes running on those ports may not be in listening states but still be able to cause such a problem. So you can check it with
sudo netstat -tulpn
just in case.
Anyway, it does work for me.
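A bind to 0.0.0.0 can fail with "address already in use" when any socket already holds that port, even on one specific address, which is what the netstat check in these answers is looking for. The following is an added example, not part of the original posts; the netstat output, PIDs and program names are constructed, and the tcp6 match assumes the Linux default where a `::` listener also covers IPv4.

```bash
#!/usr/bin/env bash
# Added example: find what already holds a port before starting a service on it.

# Constructed `netstat -tulpn` output; PIDs and program names are illustrative.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      612/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1201/apache2
udp        0      0 127.0.0.53:53           0.0.0.0:*                           612/systemd-resolve
EOF
}

# port_holders PROTO PORT: reads netstat output on stdin and prints
# "local_address pid/program" for each socket bound to PROTO/PORT on any address.
port_holders() {
  awk -v proto="$1" -v port="$2" '
    $1 ~ ("^" proto "6?$") {
      n = split($4, a, ":")                  # port is the last ":"-separated piece
      if (a[n] != port) next
      if (proto == "tcp" && $6 != "LISTEN") next
      print substr($4, 1, length($4) - length(a[n]) - 1), $NF
    }'
}

# preflight: check the ports a service wants (here HTTP, DNS and HTTPS).
preflight() {
  snapshot="$(cat)"
  for want in tcp/80 tcp/53 udp/53 tcp/443; do
    holders="$(printf '%s\n' "$snapshot" | port_holders "${want%/*}" "${want#*/}")"
    if [ -n "$holders" ]; then echo "$want busy: $holders"; else echo "$want free"; fi
  done
}

sample_netstat | preflight
```

On a live system, feed it real data with `sudo netstat -tulpn | preflight`; stopping the owning service cleanly is preferable to `kill -9` where the service manager can do it.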
I have purchased a VPS server from OVH. I have installed Vestacp, it has been more than 6 months and I'm still facing issues with server security. Sometimes my WordPress websites get hacked, sometimes the server is slow or not responding for a whole day. I'm not able to identify the issue. Someone please help me.
Here is a basic checklist to get you started:
Download and run WPScan against your site; you can obtain this here.
Change all your passwords. Since it's a virtual private server your pem file might have been compromised, so change your password for all access to the site.
Update all your plugins. I can't stress this enough, and I see businesses do this all the time: they don't update their plugins. Make sure you are updated to the latest WordPress version as well.
If your website is beyond repair at this time, download all the files and then do a fresh install of WordPress and restore what you can.
Invest in an SSL certificate to encrypt your data; this will protect you and your users from MITM (man in the middle) attacks.
Update your .htaccess file with restrictions; try these.
If you don't have an IDS/IPS to detect SQL injection consider installing ModSecurity, you can download that here.
Since it's a virtual private server if a backdoor has been planted you might want to consider as well doing a full wipe and restore of files you know are secure.
Close ports you don't need. If you don't use certain ports all the time close them.
Update the webserver applications, apache, mysql, and others. If you don't have the latest version you should be able to download them manually and if it's Linux just compile and run the latest source.
For all the countries that don't mean anything to your business block all of them with a country blocking plugin but make sure it's secure, the key is to do your research.
Install something like WPSecurity and limit the amount of failed logins before being locked out or having the ip address blocked for certain usernames after so many failed attempts.
If it's a Linux VPS try these commands to see what your server is up to:
#Check for remote connections
netstat -a
#Allows to monitor network usage by application
nethogs eth0
#Allows to monitor the system log for authorizations
tail -f /var/log/auth.log
#Allows to monitor firewall log
tail -f /var/log/ufw.log
#Allows to monitor packets (look for malformed ones)
tshark -i eth0
You should be doing incident response at this time more than anything since it's a VPS server. There are some great methodologies on this website that may help as well.
Hope this helps.
--lillypad
A weird error appeared that all of a sudden http://localhost:8888/... is not available. A day ago it worked perfectly fine and now I get this error although I have not installed any software, nor updated MAMP nor updated my Operating System. I have been researching all day of what could be the problem and found several answers which solved other people's problem but sadly not mine. The question is: How can I get my localhost working again?
Once I enter the IP (http://127.0.0.1:8888) the website loads, however, all my links use http://localhost:8888, which means I would have to change all the links to use the IP. There are scripts that do so, but I really want to understand the background and find the root of this problem. I have tried several things:
Changing the Apache ports to another number which can be done under MAMP Preferences. I get the same error no matter which port I change it to.
Editing my etc/hosts file in order to link 127.0.0.1 to localhost, which I really did not have to do since the code was already there. After I have done this, I opened my terminal and entered sudo killall -HUP mDNSResponder in order to flush the DNS Cache. Afterwards, I restarted my computer and annoyingly the error keeps appearing. Somehow, localhost is not linked to 127.0.0.1, which I think is comparable to when the domain name of a website is not connected to the server IP which can be configured with the Nameservers. This brings me to my third point and last point.
I looked deeper into the location and opened the "httpd.conf" file found under the path "etc/apache2/httpd.conf" where I can configure the Apache HTTP Server. I searched for any ServerName and the only code that appears is some comments describing it. This includes #ServerName www.example.com:80 and a short description before. I've tried adding a new ServerName as ServerName localhost:8888 and even simply ServerName localhost, still nothing happens.
I've tried other obvious things which are not worthy mentioning for. This seems to me either something really complex to which my knowledge does not reach or something very silly I missed out.
For the record, the etc/hosts file contains some weird addresses:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
##SYS##
127.0.0.1 inst.shoppingate.info
127.0.0.1 service.shoppingate.info
127.0.0.1 indexx.org
127.0.0.1 f.flshbsjs.info
127.0.0.1 gsy.testersgroupfun.com
127.0.0.1 sendmessagebox.com
127.0.0.1 t1.inskinad.com
127.0.0.1 q.crbfmcjs.info
127.0.0.1 static.donation-tools.org
127.0.0.1 istatic.datafastguru.info
127.0.0.1 static.boostsaves.com
127.0.0.1 www.best-deals-products.com
127.0.0.1 fge.solartrendinc.com
127.0.0.1 nps.pastaleads.com
127.0.0.1 digitaloptout.com
127.0.0.1 cdncache-a.akamaihd.net
127.0.0.1 cdncache1-a.akamaihd.net
127.0.0.1 rvzr-a.akamaihd.net
127.0.0.1 rvzr2-a.akamaihd.net
127.0.0.1 asrv-a.akamaihd.net
127.0.0.1 cdn.visadd.com
127.0.0.1 a.visadd.com
127.0.0.1 ydt.winsurfingclub.com
127.0.0.1 client.foxydeal.com
127.0.0.1 s.hklmm.com
127.0.0.1 i.crbsjs.info
127.0.0.1 wwm.determineyourroad.com
127.0.0.1 ext1.engageya.com
127.0.0.1 ext2.engageya.com
127.0.0.1 a.tfxiq.com
127.0.0.1 cdn.staticwebdom.com
127.0.0.1 api.jollywallet.com
127.0.0.1 i_crbsjs_info.tlscdn.com
127.0.0.1 i_flshbsjs_info.tlscdn.com
127.0.0.1 ppj.qwikbookprint.com
127.0.0.1 homedesigntreasure.com
127.0.0.1 www.superfish.com
127.0.0.1 istatic.eshopcomp.com
64.251.22.253 shmactustus.com
64.251.22.253 www.google-analytics.com
##SYS##
I also tried deleting all the remaining addresses leaving only:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
But, after I restart my computer, all the old addresses I previously deleted appear again and the error is still the same. The thing is, this happened all of a sudden overnight and I did not expect this to occur. Does anybody know what is going on? I am open to any suggestions and appreciate your help. Best Regards!!
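The hosts file in the post mixes stock entries, names pointed at loopback, and names pointed at a non-loopback address (64.251.22.253). A way to sort the three apart, as an added example that is not part of the original post; the sample file is constructed from a few of the lines quoted above, and the tag names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: separate stock hosts entries from added ones, and blocked names
# from diverted names.

# Constructed hosts file modelled on the one in the post (two added names kept).
sample_hosts() {
cat <<'EOF'
##
# Host Database
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
##SYS##
127.0.0.1 www.superfish.com
64.251.22.253 www.google-analytics.com
##SYS##
EOF
}

# audit_hosts: reads a hosts file on stdin, prints "TAG ip name" per mapping.
#   BASELINE  one of the four stock entries shown in the post
#   SINKHOLE  added name pointed at a loopback/null address (name is blocked)
#   REDIRECT  any other mapping (traffic for the name goes to that address)
audit_hosts() {
  awk '
    BEGIN {
      base["127.0.0.1 localhost"] = 1; base["255.255.255.255 broadcasthost"] = 1
      base["::1 localhost"] = 1; base["fe80::1%lo0 localhost"] = 1
    }
    { sub(/#.*/, "") }                       # strip comments, fields are re-split
    NF < 2 { next }
    {
      for (i = 2; i <= NF; i++) {
        if (($1 " " $i) in base) tag = "BASELINE"
        else if ($1 ~ /^127\./ || $1 == "::1" || $1 == "0.0.0.0") tag = "SINKHOLE"
        else tag = "REDIRECT"
        print tag, $1, $i
      }
    }'
}

sample_hosts | audit_hosts
```

Running `audit_hosts < /etc/hosts` before and after a reboot shows exactly which mappings are being written back; `REDIRECT` lines are the ones to investigate first.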
When I try to start a site in IIS it says:
the process can't access the file because it used by another process
I searched in Google and found that another site may have been using Port 80 but in MyIIS I see that only this site is using Port 80. What else could be using Port 80 or is there another issue involved?
Check using netstat -aon or netstat -aon | findstr 0.0:80 in a command prompt to see which Process Id is LISTENING to port :80 and then watch for that Process Id (PID) in Task Manager with view->select columns-> process id checked. End that process, restart IIS and you are done. (Note: if you have Skype installed, try exiting that process first.)
In a modern Task Manager, you need to go on the Details tab to search for the PID. Or, as mentioned by #Nikita G in the comments, you can use this command to find the task from your command prompt:
tasklist /FI "PID eq 123"
Note: change 123 with the PID returned from the first command.
It is happening because a different process is using port 80, it may be a chat application on your PC like Skype.
First, change the default web site port which was 80 to some unused port (e.g. 8087). To achieve this right click the application and then click on 'Edit Binding'.
After this port change restart again.
Now you can identify which process is blocking the IIS Port 80. To check this use netstat command which displays the details of port along with the process ID.
Sign out of Skype and try again. I have experienced the same issue and I just logged out of Skype and then reset my IIS. It worked for me.
You can also run this command to find out which application or service is using the port and then trace it down in Task manager (Provided it's not the Web Deploy Agent Service).
netstat -o -n -a | findstr 0.0:80
Then open Task manager, go to Processes, click the "Show processes for all users" checkbox and then click the View menu and Go to the Columns, add the PID column.
Match the Process ID from the netstat command to the PID in task manager and you will find the service or application that's using the port.
As others have said, something else may be using port 80 or 443. It was VMWare Workstation Server for me, but check other answers for how to use netstat.
I think this link gives a pretty good explanation and fix of this problem http://support.microsoft.com/KB/890015
Most of the time, it's caused by one of two reasons:
1) port 80 is being used by something else and as suggested by others you can use netstat -o -n -a |findstr 0.0:80 to see whether this is the case. If yes then kill the process from task manager (tick show processes from all users)
2) if port 80 is not used, the second cause is potentially an invalid IP address in the ListenOnlyList field in the registry key of HTTP->Parameters. You can follow the link to set the key manually, or in fact you can use (XP and Server 2003) httpcfg delete iplisten -i ipaddress to delete the invalid IP address.
You must restart the http once you edit the ipaddress!
In my case, it was the "Sync Share Service" (SyncShareSvc) that was running and using port 80.
netstat showed 80 as free, though. I could get the site to run on another port, but not 80. if I added a Host name, IIS would allow me to start the site, but I'd get prompted for Digest authentication when browsing to localhost (or any host name I added). Only Anonymous and Forms Auth were enabled in IIS...
I also found that, after stopping IIS, http://localhost still prompted me for Digest authentication.
The solution - in my case - was to remove File and Storage Services > Files and iSCSI Services >
"Work Folders" from the services installed (restart required).
After removing the "Work Folders" service and restarted, IIS worked as expected.
My case was after installing RD Web Access, the original default websites couldn't be started. Removed the RD Web Access role still same. Removed port 443 binding solved the issue.
Most times when this happens to web developers, the reason is Apache. So go to the Apache config file, open it up, search with Ctrl+F for 80, and change the IP you will see to 8080 and the sentence beneath it with 80 to 8080. You then need to configure that in your XAMPP, or the program you are using currently.
Hope I'll help you guys out
In order to get more meaningful information, one way is to also get ownership information when issuing netstat so that you know the process which is using either 80 (default http binding) or 443 (if https binding is defined):
netstat -ab
In my case the culprit was vmware:
TCP 0.0.0.0:443 ComputerName:0 LISTENING
[vmware-hostd.exe]
netstat can be piped into find to search for ports 80 or 443 (e.g. find ":443"), but these particular active connections will show at the beginning of the list, so they are easy to see.