Atomicorp

Hi

I'm not sure what happen or if it's even related to ASL. The hosting company seems to think it is. But I'm doubting that. Never know anyway. The hosting company updated the virtization software on the server after this update a client of mines websites cannot connect to mysql. And the Plesk panel won't connect either. Error below.

leskFatalException Unable to connect to database: mysql_connect() [function.mysql-connect]: Permission denied 0: common_func.php3:153 psaerror(string 'Unable to connect to database: mysql_connect() [function.mysql-connect]: Permission denied') 1: auth.php3:116

I do have aborted logins in the mysqld.log file, but that doesn't seem to prove anything. Oddly ASL GUI is working fine which uses the tortix database.

Using ASL 4.04.15

I'm also seeing this in the ASL GUI
Proxy Authentication Required. Seems to trigger this when I access the main website on this server. Which I get a db connection error on the website.

Not sure why it would consider this a proxy as it's not.

Any idea's?

Thanks

What are the event details on that proxy attempt error? Click on the event, and you'll see the raw request that was blocked, for example:

--5ba2d90e-A--
[26/Jul/2014:15:39:46 --0400] U9QEAX8AAAEAAHTOhYgAAAAD 127.0.0.1 35998 127.0.0.1 80
--5ba2d90e-B--
GET /gopo.php?foo=http://www.example.com/ HTTP/1.0
User-Agent: Wget/1.11.4 Red Hat modified
Accept: */*
Host: localhost
Connection: Keep-Alive

--5ba2d90e-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Length: 269
Connection: close
Content-Type: text/html; charset=iso-8859-1

--5ba2d90e-H--
Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "475"] [id "340162"] [rev "294"] [msg "Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected"] [data "%TX:0,TX:1"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required.
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1406403585802057 199876 (- - -)
Stopwatch2: 1406403585802057 199876; combined=835, p1=40, p2=770, p3=0, p4=0, p5=25, sr=0, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); 201407191241.
Server: Apache/2.2.21 (Atomic)
Engine-Mode: "ENABLED"

--5ba2d90e-Z--

Hi,

All I see is
[modsecurity] [client xxxxxx] [domain: xxxxxx] [500] [/apache/20140726/20140726-1543/20140726-154308-U9QEzEDPu6IAACE6fBoAAAAA] (null)

I check for the folder in the asl data folders 20140726/20140726-1543 but that folder doesn't exist.

But I did find similar errors in other folders. So below is Another
--a11d2001-A--
[26/Jul/2014:13:01:18 --0400] U9Pe3kDPu6IAAAR3cnQAAAAA 91.61.55.185 38916 64.207.187.162 7080
--a11d2001-B--
GET / HTTP/1.0
Host: xxxxx
X-Real-IP: xxxxx
X-Forwarded-For: xxxxx
X-Accel-Internal: /internal-nginx-static-location
Connection: close
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en
Pragma: no-cache
User-Agent: Mozilla/5.0 (compatible; MSIE 9.11; Windows NT 6.1; Trident/5.0)
Cache-Control: no-cache
Cookie: __atuvc=1%7C5

--a11d2001-F--
HTTP/1.1 500 Internal Server Error
X-Powered-By: PleskLin
MS-Author-Via: DAV
Content-Length: 575
Connection: close
Content-Type: text/html

--a11d2001-H--
Apache-Handler: fcgid-script
Stopwatch: 1406394078148832 28663 (- - -)
Stopwatch2: 1406394078148832 28663; combined=3020, p1=38, p2=2720, p3=17, p4=233, p5=12, sr=0, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); 201407251743.
Server: Apache
Engine-Mode: "ENABLED"

--a11d2001-Z--

At this point I disabled nginx from command line, but I still end up with 500 error, and can't connect to database either from websites or from plesk panel. (So I can't even login to plesk) Although the ASL GUI seems to be working, but there is connection errors in mysqld log as follows

140726 14:07:58 [Warning] Aborted connection 952 to db: 'tortix' user: 'tortix' host: 'localhost' (Got timeout reading communication packets)
140726 14:09:18 [Warning] Aborted connection 972 to db: 'tortix' user: 'tortix' host: 'localhost' (Got timeout reading communication packets)
140726 14:11:53 [Warning] Aborted connection 990 to db: 'tortix' user: 'tortix' host: 'localhost' (Got timeout reading communication packets)
140726 14:14:58 [Warning] Aborted connection 1040 to db: 'tortix' user: 'tortix' host: 'localhost' (Got timeout reading communication packets)
140726 14:16:03 [Warning] Aborted connection 1053 to db: 'tortix' user: 'tortix' host: 'localhost' (Got timeout reading communication packets)

I check for the folder in the asl data folders 20140726/20140726-1543 but that folder doesn't exist

Are you using mod_ruid2 by any chance?

HTTP/1.1 500 Internal Server Error
X-Powered-By: PleskLin
MS-Author-Via: DAV
Content-Length: 575
Connection: close
Content-Type: text/html

Yeah, thats not caused by a rule or ASL. If you look in the F section you'll always see what apache returned, and in your case this is what apache returned:

HTTP/1.1 500 Internal Server Error

Thats an apache internal error, it means apache had an internal error. Its neither caused by the rules, or ASL. Unfortunately 500 errors from apache are a generic bucket for apache errors that dont have a common cause. It means either is wrong with your application, or with Apache itself. And since you also dont see to have any audit_log data entries it sounds like something more serious is wrong with Apache itself. Have you opened a case with your control panel vendor?

It looks like I have a "cause"

I'm just not sure the solution.

localhost isn't working for connecting to mysql. when I tried 127.0.0.1 it worked for the website. But of course the plesk panel is still down.

I noticed the .sock file somehow isn't working properly. when I change it's permissions to allow write on all it worked. But when it gets created from scratch it only has write permissions on user. I'm just not sure if it's suspose to be write permissions on all 3 or just the 1.

Not sure how these permissions got messed up though.

a umask setting in the mysql startup script maybe? It should be creating the socket like this:
srwxrwxrwx 1 mysql mysql 0 Jul 8 14:57 /var/lib/mysql/mysql.sock

scott wrote:a umask setting in the mysql startup script maybe? It should be creating the socket like this:
srwxrwxrwx 1 mysql mysql 0 Jul 8 14:57 /var/lib/mysql/mysql.sock

Thanks Scott, I'll look into the umask. I just edited the init.d script as a temp fix and added a chmod 0777 command in the init.d script. But I'll look into the umask setting.