HostGator out of memory Server Crash

  • #11734
    guy te watson
    Participant

    The following is a Server Crash Issue I had and Hostgator Techs Say that it came from BPS – /plugins/bulletproof-security/403.php.  Please Take a Look at their report below and Advise me how I can prevent this from happening again.

    Thanks!
    In Christ
    guy te

    Hello,
    Thank You for contacting Host Gator support, Guy I have checked the server logs and it appears there was an attack on the site [website URL removed for privacy] which caused your server to OOM (out of memory). The wordpress site has two security plugins installed which appears to have caused the issue. I am showing that the modsec rules were working at the time, but the Security plugins were still querying the database. I would suggest disabling these plugins and using a password protection on wp-login.php from the site. This will prevent the admin panel from being displayed under proper credentials are used, thus preventing wordpress from even running. I have provided a link below with additional details on how to password protect a file. I can also implement a password protection through .htaccess on all wordpress admin panels on your server if you would like as well. This would require all users to use a user/password to access their admin panel, once completed they would then enter their specific username/password to login to wordpress. Please let me know if you need any assistance with this and I would be happy to assist.

    This is a link with more details on the WordPress brute force attack:
    http://bad-behavior.ioerror.us/2013/04/10/wordpress-brute-force-login-attacks-stepped-up/

    How to enable password protection on a file
    https://support.hostgator.com/articles/cpanel/how-to-password-protect-one-file

    Sar logs when the attack occurred.

    ================================================================
    Time: 2013-11-06 05:59:18
    Load: 14.90, 4.18, 1.43
    Memory: 3959 MB Free: 341 MB (382 MB) Buffers: 3 MB Cached: 38 MB SwapFree: 2438 MB / 4095 MB
    
    USER PID %CPU %MEM VSZ PEAK RSS ST NI CPU START IOR IOW CMD
    root 1 0.0 0.0 18M 18M 400 S 0 2:35 5/23-23:45 0 0 /sbin/init
    root 10233 0.0 0.0 107M 107M 4 S 0 0.76 9/27-03:47 58M 15M /usr/sbin/abrtd
    root 10276 0.0 0.0 105M 107M 64 S 0 35.58 9/27-03:47 1M 20K abrt-dump-oops -d /var/spool/abrt -rwx /var/log/messages
    root 1610 0.0 0.0 10M 10M 316 S 0 17:42 5/23-23:45 7M 0 irqbalance
    dbus 1649 0.0 0.0 21M 21M 300 S 0 11.91 5/23-23:45 17M 0 dbus-daemon --system
    root 16750 0.0 0.6 103M 103M 24M S 0 27:59 5/29-21:07 506G 54G /usr/local/apache/bin/httpd -k start -DSSL
    nobody 14397 0.0 0.6 104M 104M 22M S 0 0.0 11/6-05:07 4K 0 /usr/local/apache/bin/httpd -k start -DSSL
    root 14398 0.0 0.0 49M 49M 1M S 0 0.07 11/6-05:07 0 0 /usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/bin/leechprotect
    root 14404 0.0 0.6 103M 103M 22M S 0 0.0 11/6-05:07 0 0 /usr/local/apache/bin/httpd -k start -DSSL
    nobody 14405 0.0 0.8 1G 1G 33M S 0 1.76 11/6-05:07 13M 1M /usr/local/apache/bin/httpd -k start -DSSL
    xxxxxxx 15647 0.0 0.2 217M 220M 8M S 0 0.21 11/6-05:57 8K 4K /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
    xxxxxxx 15651 0.0 0.2 217M 220M 8M S 0 0.33 11/6-05:57 0 0 /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
    xxxxxxx 15655 0.0 0.2 217M 220M 8M S 0 0.23 11/6-05:57 0 0 /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
    xxxxxxx 15659 0.0 0.2 217M 220M 8M S 0 0.29 11/6-05:57 56K 0 /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
    xxxxxxx 15663 0.0 0.2 217M 220M 8M S 0 0.24 11/6-05:57 0 0 /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
    xxxxxxx 15667 0.0 0.2 217M 220M 8M S 0 0.25 11/6-05:58 264K 0 /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
    xxxxxxx 15671 0.0 0.2 217M 220M 8M S 0 0.29 11/6-05:58 0 4K /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
    xxxxxxx 15708 0.0 0.3 217M 220M 11M S 0 0.25 11/6-05:58 0 0 /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-
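
An added example, not part of the original post or of HostGator's report: a snapshot like the one quoted above can be grouped by command to see how many processes each command accounts for, how much resident memory they hold, and when they were started. The rows are complete lines copied from the snapshot; treating a bare RSS number as KB is an assumption.

```python
from collections import Counter, defaultdict

# Complete rows copied from the snapshot quoted in the post above.
SNAPSHOT = """\
USER PID %CPU %MEM VSZ PEAK RSS ST NI CPU START IOR IOW CMD
root 16750 0.0 0.6 103M 103M 24M S 0 27:59 5/29-21:07 506G 54G /usr/local/apache/bin/httpd -k start -DSSL
nobody 14397 0.0 0.6 104M 104M 22M S 0 0.0 11/6-05:07 4K 0 /usr/local/apache/bin/httpd -k start -DSSL
nobody 14405 0.0 0.8 1G 1G 33M S 0 1.76 11/6-05:07 13M 1M /usr/local/apache/bin/httpd -k start -DSSL
xxxxxxx 15647 0.0 0.2 217M 220M 8M S 0 0.21 11/6-05:57 8K 4K /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
xxxxxxx 15651 0.0 0.2 217M 220M 8M S 0 0.33 11/6-05:57 0 0 /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
xxxxxxx 15667 0.0 0.2 217M 220M 8M S 0 0.25 11/6-05:58 264K 0 /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
xxxxxxx 15671 0.0 0.2 217M 220M 8M S 0 0.29 11/6-05:58 0 4K /usr/bin/php /home/xxxxxxx/public_html/wp-content/plugins/bulletproof-security/403.php
"""

UNIT_KB = {"K": 1, "M": 1024, "G": 1024 * 1024}


def to_kb(value):
    """Convert '24M', '1G' or '400' to KB (assumption: bare numbers are KB)."""
    if value[-1] in UNIT_KB:
        return int(float(value[:-1]) * UNIT_KB[value[-1]])
    return int(value)


def summarize(snapshot):
    """Group rows by command: process count, summed RSS, start-time histogram."""
    groups = defaultdict(lambda: {"procs": 0, "rss_kb": 0, "starts": Counter()})
    for line in snapshot.splitlines():
        fields = line.split(None, 13)  # 13 fixed columns, then the full CMD
        if len(fields) < 14 or fields[0] == "USER":
            continue  # header, blank or short row
        rss, start, cmd = fields[6], fields[10], fields[13]
        group = groups[cmd]
        group["procs"] += 1
        group["rss_kb"] += to_kb(rss)
        group["starts"][start] += 1
    return dict(groups)


if __name__ == "__main__":
    ranked = sorted(summarize(SNAPSHOT).items(), key=lambda kv: -kv[1]["rss_kb"])
    for cmd, g in ranked:
        print(f'{g["procs"]:3d} procs {g["rss_kb"] // 1024:5d} MB RSS '
              f'{dict(g["starts"])} {cmd}')
```
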
    #11737
    AITpro Admin
    Keymaster

    There is one known issue/scenario with error logging causing an infinite redirect loop.  This is caused by either your Server forcing handling of error logging or another plugin is forcing error logging, which causes error logging to redirect in an infinite loop.  You can turn off error logging in BPS Pro if this is what is occurring on your site.  Go to the BPS Pro Security Log menu / page and click the Turn Off Error Logging button.  The error message that is associated with this scenario is:  Request exceeded the limit of 10 internal redirects due to probable configuration error.  So this may not be the problem that is occurring on your site and the Tech’s guess is wrong.

    BPS Pro is performance optimized and uses the bare minimum of MySQL Queries to do what it does – other than the scenario stated above, BPS Pro does not and could not cause an out of memory problem.  We have a HostGator account as well as other hosting accounts and of course 1,000’s of users using Hosts all over the World have not reported this problem because BPS Pro does not cause this problem.

    We intentionally designed BPS Pro NOT to use MySQL Queries as much as possible to do what it needs to do.  MySQL Queries are the most resource draining aspect of a WordPress website therefore we painstakingly wrote a lot of additional code and did things the much harder way to ensure that BPS Pro is performance optimized and uses the bare minimum MySQL Queries necessary.

    So BPS Pro is not involved in this issue in any way and you should be looking at the other security plugin if the Tech is correct in his/her assessment.  The Tech’s assessment of the problem may not be correct.  The problem may be mod_security itself or the other security plugin that you are using uses excessive MySQL Queries, but it is not and cannot be BPS Pro.

    Removing your website security is an absolutely ridiculous and wrong suggestion.  If your website is under attack then the last thing you would want to do is remove / disable your website security.  I recommend that you call your Host support and escalate this issue to a Manager or someone higher up as the ridiculous suggestion indicates that you were talking to someone who does not know what they are talking about and is giving wrong, incorrect and/or bad information or maybe just guessing.

    BPS Pro already has Brute Force Protection security features:

    Login Security & Monitoring
    JTC Anti-Spam / Anti-Hacker
    Bonus Code:  Brute Force Login page protection
    http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    Adding password protection to the /wp-admin area, which is already password protected is simply bad advice.  Obviously you should not take that advice.
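
An added example, not part of the original reply and not BPS Pro code: one way to check whether the redirect-loop scenario described above is occurring is to count the quoted Apache error message per minute and per client in the Apache error log. The log lines below are constructed samples in Apache 2.2 error-log format with documentation-range IP addresses, and the burst threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Message text quoted in the reply above.
LOOP_MSG = "Request exceeded the limit of 10 internal redirects"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)

# Constructed sample lines (not taken from the site in the thread).
SAMPLE_LOG = """\
[Wed Nov 06 05:57:12 2013] [error] [client 203.0.113.7] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Wed Nov 06 05:57:30 2013] [error] [client 203.0.113.7] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Wed Nov 06 05:57:41 2013] [error] [client 198.51.100.4] File does not exist: /home/example/public_html/favicon.ico
[Wed Nov 06 05:57:55 2013] [error] [client 203.0.113.7] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Wed Nov 06 05:58:03 2013] [error] [client 203.0.113.9] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
"""


def redirect_loop_hits(log_text, threshold=3):
    """Count redirect-loop errors; report minutes with >= threshold hits."""
    per_minute, per_client = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or LOOP_MSG not in m["msg"]:
            continue  # other errors and unparseable lines are ignored
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        per_minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
        per_client[m["ip"]] += 1
    bursts = {minute: n for minute, n in per_minute.items() if n >= threshold}
    return {
        "total": sum(per_minute.values()),
        "bursts": bursts,
        "clients": dict(per_client),
    }


if __name__ == "__main__":
    print(redirect_loop_hits(SAMPLE_LOG))
```
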

    #11748
    guy te watson
    Participant

    Yeah, I know that replacing BPS, the best WordPress Security Plugin I can find, with what was suggested is, well let’s just say I found the advice unremarkable myself. The assessment of what caused the problem I find suspect too. I have BPS on many sites without issues like that crash and people’s sites get attacked a lot that’s why I and others search for a good security program.

    Thanks for showing me what to do to solve the possible issue. Just one thing can you remove my website address in the tech’s message in my post above. I left that in the message/post by mistake and I can’t edit that post apparently.

    Thanks!
    In Christ
    guy te

    #11750
    AITpro Admin
    Keymaster

    Your website URL has been removed from the post above.  We have set BuddyPress Topic post editing time to 30 minutes.  You can re-edit a Forum Topic post up to 30 minutes from the original time it was posted.  Anyone can have an “off-day” so I assume this Tech was having an “off-day”. 😉
