2009-08-03, 05:46 PM
I was hesitant to post this on here only because it may or may not be my hosts problem. So I look to you guys for help.
I've been getting A LOT of the "500 Internal Server Error" over the past few weeks. I do the usual thing, send in my support ticket. Eventually my host gets back to me and they say everything seem to be loading OK. Which it wasn't when I submitted the ticket. That's it, no explanation as to why I was down. My crappy hosts response time is horrible but that's another issue. When it is back online the links sometimes take 8-30 seconds to load.
Awhile back I posted this thread. The conclusion of that was somehow my /cache folder was renamed /cache.off and somehow my .htaccess file was missing. Fixed those two issues and everything worked.
But still I'm getting these "500 Internal Server Error" on a daily basis. Eventually my site will be back up, but it will go back down eventually. This is the pattern I have to deal with. I've searched on here and Googled my problem with no success. I believe my problem may lie in my .htaccess file and mod_security. Because I have a few entries in my error log where mod_security pops up.
This is all Greek to me. My host said that's just mod_security doing it's job. Which is probably true. Is it a combination of some files within my installation of Mybb and my host that is at fault? I'm looking for help people.
Error log excerpt. I'm getting quite a few "Premature end of script headers:" Again, the logs are Greek but I'm learning as I go.
Oh and before I forget here's my .htaccess file.
Thanks for taking the time to read all this.
I've been getting A LOT of the "500 Internal Server Error" over the past few weeks. I do the usual thing, send in my support ticket. Eventually my host gets back to me and they say everything seem to be loading OK. Which it wasn't when I submitted the ticket. That's it, no explanation as to why I was down. My crappy hosts response time is horrible but that's another issue. When it is back online the links sometimes take 8-30 seconds to load.
Awhile back I posted this thread. The conclusion of that was somehow my /cache folder was renamed /cache.off and somehow my .htaccess file was missing. Fixed those two issues and everything worked.
But still I'm getting these "500 Internal Server Error" on a daily basis. Eventually my site will be back up, but it will go back down eventually. This is the pattern I have to deal with. I've searched on here and Googled my problem with no success. I believe my problem may lie in my .htaccess file and mod_security. Because I have a few entries in my error log where mod_security pops up.
Quote:[Sun Aug 02 00:18:43 2009] [error] [client 70.170.25.72] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "ej8squad.com"] [uri "/eyewonder/interim.html"] [unique_id "SnU900t32iwAABkzCkIAAAAB"]
[Sun Aug 02 00:18:46 2009] [error] [client 174.106.6.209] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "www.ej8squad.com"] [uri "/eyewonder/interim.html"] [unique_id "SnU91kt32iwAABkVBtsAAAAE"]
[Sun Aug 02 00:20:17 2009] [error] [client 70.170.25.72] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "ej8squad.com"] [uri "/eyewonder/interim.html"] [unique_id "SnU@MUt32iwAABzQEAAAAAAB"]
[Sun Aug 02 00:21:26 2009] [error] [client 70.170.25.72] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "www.ej8squad.com"] [uri "/eyewonder/interim.html"] [unique_id "SnU@dkt32iwAAClMPWEAAAAH"]
[Sun Aug 02 00:21:40 2009] [error] [client 174.106.6.209] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "www.ej8squad.com"] [uri "/eyewonder/interim.html"] [unique_id "SnU@hEt32iwAAC5eVvoAAAAA"]
[Sun Aug 02 00:21:50 2009] [error] [client 70.170.25.72] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "www.ej8squad.com"] [uri "/eyewonder/interim.html"] [unique_id "SnU@jkt32iwAAC50WPgAAAAG"]
[Sun Aug 02 00:23:57 2009] [error] [client 70.170.25.72] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "www.ej8squad.com"] [uri "/eyewonder/interim.html"] [unique_id "SnU-DUt32iwAADWb1N0AAAAF"]
[Sun Aug 02 00:24:43 2009] [error] [client 98.183.151.252] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "www.ej8squad.com"] [uri "/eyewonder/interim.html"] [unique_id "SnU-O0t32iwAADl-6uYAAAAH"]
[Sun Aug 02 00:27:16 2009] [error] [client 98.24.155.239] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "www.ej8squad.com"] [uri "/eyewonder/interim.html"] [unique_id "SnU-1Et32iwAAEkECQ8AAAAB"]
This is all Greek to me. My host said that's just mod_security doing it's job. Which is probably true. Is it a combination of some files within my installation of Mybb and my host that is at fault? I'm looking for help people.
Error log excerpt. I'm getting quite a few "Premature end of script headers:" Again, the logs are Greek but I'm learning as I go.
Quote:[Mon Aug 03 01:18:16 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/\\"http:, referer: http://www.ej8squad.com/%5C%22http://www...=lostpw%5C
[Mon Aug 03 01:18:16 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/missing.html, referer: http://www.ej8squad.com/%5C%22http://www...=lostpw%5C
[Mon Aug 03 01:18:16 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/www.ej8squad.com, referer: http://www.ej8squad.com//www.ej8squad.co...=lostpw%5C
[Mon Aug 03 01:18:16 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/missing.html, referer: http://www.ej8squad.com//www.ej8squad.co...=lostpw%5C
[Mon Aug 03 01:18:17 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/\\"http:, referer: http://www.ej8squad.com/%5C%22http://www...=lostpw%5C
[Mon Aug 03 01:18:17 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/missing.html, referer: http://www.ej8squad.com/%5C%22http://www...=lostpw%5C
[Mon Aug 03 01:18:17 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/www.ej8squad.com, referer: http://www.ej8squad.com//www.ej8squad.co...=lostpw%5C
[Mon Aug 03 01:18:17 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/missing.html, referer: http://www.ej8squad.com//www.ej8squad.co...=lostpw%5C
[Mon Aug 03 01:18:18 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/\\"http:, referer: http://www.ej8squad.com/%5C%22http://www...egister%5C
[Mon Aug 03 01:18:18 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/missing.html, referer: http://www.ej8squad.com/%5C%22http://www...egister%5C
[Mon Aug 03 01:18:19 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/www.ej8squad.com, referer: http://www.ej8squad.com//www.ej8squad.co...egister%5C
[Mon Aug 03 01:18:19 2009] [error] [client 76.120.159.249] File does not exist: /home/dorionus/ej8squad.com/missing.html, referer: http://www.ej8squad.com//www.ej8squad.co...egister%5C
[Mon Aug 03 01:46:00 2009] [error] [client 74.129.244.189] File does not exist: /home/dorionus/ej8squad.com/uploads/avatars/avatar_725.jpg, referer: http://www.ej8squad.com/thread-5006.html
[Mon Aug 03 01:46:00 2009] [error] [client 74.129.244.189] File does not exist: /home/dorionus/ej8squad.com/missing.html, referer: http://www.ej8squad.com/thread-5006.html
[Mon Aug 03 04:20:15 2009] [error] [client 70.174.143.136] File does not exist: /home/dorionus/ej8squad.com/(null)
[Mon Aug 03 04:20:15 2009] [error] [client 70.174.143.136] File does not exist: /home/dorionus/ej8squad.com/missing.html
[Mon Aug 03 04:23:26 2009] [error] [client 60.241.76.173] File does not exist: /home/dorionus/ej8squad.com/uploads/avatars/avatar_601.jpg, referer: http://www.ej8squad.com/thread-452-page-18.html
[Mon Aug 03 04:23:26 2009] [error] [client 60.241.76.173] File does not exist: /home/dorionus/ej8squad.com/missing.html, referer: http://www.ej8squad.com/thread-452-page-18.html
[Mon Aug 03 04:40:43 2009] [error] [client 93.91.197.231] Premature end of script headers: showthread.php, referer: http://www.ej8squad.com/forum-14.html
[Mon Aug 03 04:40:43 2009] [error] [client 93.91.197.231] File does not exist: /home/dorionus/ej8squad.com/internal_error.html, referer: http://www.ej8squad.com/forum-14.html
[Mon Aug 03 04:41:24 2009] [error] [client 96.2.116.213] Premature end of script headers: newreply.php, referer: http://www.ej8squad.com/thread-9460.html
[Mon Aug 03 04:41:24 2009] [error] [client 96.2.116.213] File does not exist: /home/dorionus/ej8squad.com/internal_error.html, referer: http://www.ej8squad.com/thread-9460.html
[Mon Aug 03 04:42:48 2009] [error] [client 96.2.116.213] Premature end of script headers: showthread.php, referer: http://www.ej8squad.com/thread-9433.html
[Mon Aug 03 04:42:48 2009] [error] [client 96.2.116.213] File does not exist: /home/dorionus/ej8squad.com/internal_error.html, referer: http://www.ej8squad.com/thread-9433.html
[Mon Aug 03 04:42:52 2009] [error] [client 96.2.116.213] Premature end of script headers: newreply.php, referer: http://www.ej8squad.com/thread-9460.html
[Mon Aug 03 04:42:52 2009] [error] [client 96.2.116.213] File does not exist: /home/dorionus/ej8squad.com/internal_error.html, referer: http://www.ej8squad.com/thread-9460.html
[Mon Aug 03 04:42:57 2009] [error] [client 93.91.197.231] Premature end of script headers: showthread.php
[Mon Aug 03 04:42:57 2009] [error] [client 93.91.197.231] File does not exist: /home/dorionus/ej8squad.com/internal_error.html
[Mon Aug 03 04:43:17 2009] [error] [client 96.2.116.213] Premature end of script headers: showthread.php, referer: http://www.ej8squad.com/thread-8883-page-4.html
[Mon Aug 03 04:43:17 2009] [error] [client 96.2.116.213] File does not exist: /home/dorionus/ej8squad.com/internal_error.html, referer: http://www.ej8squad.com/thread-8883-page-4.html
[Mon Aug 03 05:29:21 2009] [error] [client 98.174.170.252] Premature end of script headers: index.php
[Mon Aug 03 05:29:21 2009] [error] [client 98.174.170.252] File does not exist: /home/dorionus/ej8squad.com/internal_error.html
Oh and before I forget here's my .htaccess file.
Options -MultiViews +FollowSymlinks -Indexes
#
# If mod_security is enabled, attempt to disable it.
# - Note, this will work on the majority of hosts but on
# MediaTemple, it is known to cause random Internal Server
# errors. For MediaTemple, please remove the block below
#
<IfModule mod_security.c>
# Turn off mod_security filtering.
SecFilterEngine Off
# The below probably isn't needed, but better safe than sorry.
SecFilterScanPOST Off
</IfModule>
#
# MyBB "search engine friendly" URL rewrites
# - Note, for these to work with MyBB please make sure you have
# the setting enabled in the Admin CP and you have this file
# named .htaccess
#
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^forum-([0-9]+)\.html$ forumdisplay.php?fid=$1 [L,QSA]
RewriteRule ^forum-([0-9]+)-page-([0-9]+)\.html$ forumdisplay.php?fid=$1&page=$2 [L,QSA]
RewriteRule ^thread-([0-9]+)\.html$ showthread.php?tid=$1 [L,QSA]
RewriteRule ^thread-([0-9]+)-page-([0-9]+)\.html$ showthread.php?tid=$1&page=$2 [L,QSA]
RewriteRule ^thread-([0-9]+)-lastpost\.html$ showthread.php?tid=$1&action=lastpost [L,QSA]
RewriteRule ^thread-([0-9]+)-nextnewest\.html$ showthread.php?tid=$1&action=nextnewest [L,QSA]
RewriteRule ^thread-([0-9]+)-nextoldest\.html$ showthread.php?tid=$1&action=nextoldest [L,QSA]
RewriteRule ^thread-([0-9]+)-newpost\.html$ showthread.php?tid=$1&action=newpost [L,QSA]
RewriteRule ^thread-([0-9]+)-post-([0-9]+)\.html$ showthread.php?tid=$1&pid=$2 [L,QSA]
RewriteRule ^post-([0-9]+)\.html$ showthread.php?pid=$1 [L,QSA]
RewriteRule ^announcement-([0-9]+)\.html$ announcements.php?aid=$1 [L,QSA]
RewriteRule ^user-([0-9]+)\.html$ member.php?action=profile&uid=$1 [L,QSA]
RewriteRule ^calendar-([0-9]+)\.html$ calendar.php?calendar=$1 [L,QSA]
RewriteRule ^calendar-([0-9]+)-year-([0-9]+)\.html$ calendar.php?action=yearview&calendar=$1&year=$2 [L,QSA]
RewriteRule ^calendar-([0-9]+)-year-([0-9]+)-month-([0-9]+)\.html$ calendar.php?calendar=$1&year=$2&month=$3 [L,QSA]
RewriteRule ^calendar-([0-9]+)-year-([0-9]+)-month-([0-9]+)-day-([0-9]+)\.html$ calendar.php?action=dayview&calendar=$1&year=$2&month=$3&day=$4 [L,QSA]
RewriteRule ^calendar-([0-9]+)-week-(n?[0-9]+)\.html$ calendar.php?action=weekview&calendar=$1&week=$2 [L,QSA]
RewriteRule ^event-([0-9]+)\.html$ calendar.php?action=event&eid=$1 [L,QSA]
<IfModule mod_env.c>
SetEnv SEO_SUPPORT 1
</IfModule>
</IfModule>
#
# If Apache is compiled with built in mod_deflade/GZIP support
# then GZIP Javascript, CSS, HTML and XML so they're sent to
# the client faster.
#
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/x-javascript text/css text/html text/xml
</IfModule>
Thanks for taking the time to read all this.