SMF create core* files - need help

Started by hbhb, August 21, 2008, 10:05:35 AM


hbhb

I am a server administrator and I noticed that one of the users, who is running web forums on SMF installed via Fantastico (cPanel addon), has been generating 7GB of core* files. Samples:

[/home/acct/www/forums]# ll core*
-rw------- 1 nobody nobody 25694208 Aug 21 22:00 core.10188
-rw------- 1 nobody nobody 25694208 Aug 21 21:54 core.30726
-rw------- 1 nobody nobody 25698304 Aug 21 21:55 core.30942
-rw------- 1 nobody nobody 25874432 Aug 21 21:56 core.3135
-rw------- 1 nobody nobody 25694208 Aug 21 21:57 core.3188
-rw------- 1 nobody nobody 25694208 Aug 21 22:00 core.5871

After advice from the server administrator and a cPanel ticket technician, it's confirmed that these files are generated due to PHP errors from /home/acct/www/forums

I'm not sure if I posted in the right thread. I'm trying to get developer support here on how to handle this issue... thanks

karlbenson

Mods?

If you are using my auto embed video clips mod, that might be the cause. I've had 3 people report creation of core files.
They seem to be related to PHP 5.2.6 (possibly in conjunction with Zend Optimizer). (What version of PHP are you using? Are you using Zend?)

hbhb

I've no idea what the user is doing in the forum as I am not a member and am restricted.

Yes, my server is using PHP 5.2.5 (not 5.2.6) with Zend Optimizer installed.

karlbenson

Apologies.

Is it possible for you to link me to the website/domain that is causing the issue.
(via pm if that helps).

hbhb

I can't post a private message here in this forum, nor can I find a message inbox or my own profile to change my password.. strange..

Anyhow.. the URL is http://mtsociety.com/forums2

I actually renamed /forums/ to /forums2/ because the core files keep being written every minute and over 50 files had been generated in just 1 hour.

karlbenson

Looking at their site and installed packages list, they don't appear to have any mods installed (other than an smf update patch). (so that rules out my mod).

SMF shouldn't and doesn't cause these core files under normal conditions.
I'm not sure why it would do so.

I would point out that they are using SMF 1.1.4 which is out-of-date. Version 1.1.5 is released which contains important fixes (and we would recommend they upgrade asap).

Other than that, the only thing I can see is that they have enabled search engine friendly URLs.
Making them as
http://www.mtsociety.com/forums2/index.php/topic,14.0.html
instead of smf default
http://www.mtsociety.com/forums2/index.php?topic=14.0

They do require Apache to work (and despite the fact they are working), I wonder whether they could be the cause.
If you get them to disable them via their SMF Admin panel > Features & Options >
Uncheck Search engine friendly URLs

If you could kindly ask them for more details such as if
- they made any code changes recently? (since those core files started appearing)
- whether there are any errors in their smf error log.

I don't know how to debug .core files myself to backtrace the source of the problem, maybe one of my fellow team members has an answer to that.

SlammedDime

Can you look in the server error logs and see what php errors are showing from these sites that have the same times as these core dumps?
SlammedDime
Former Lead Customizer
BitBucket Projects
GeekStorage.com Hosting
                      My Mods
SimpleSEF
Ajax Quick Reply
Sitemap
more...
                     

hbhb

Enlighten me: which logs do you want me to look at? Apache logs?

inside /usr/local/apache/logs/error_log

I found many errors on the 'themes', for example:

File does not exist: /home/acct/public_html/forums/Themes/helios_multi11final/images/icons/normal_post_sticky.gif, referer: http://www.mtsociety.com/forums/index.php?action=unread
File does not exist: /home/acct/public_html/forums/Themes/helios_multi11final/images/icons/normal_post_sticky.gif, referer: http://www.mtsociety.com/forums/index.php?action=unread
File does not exist: /home/acct/public_html/forums/Themes/helios_multi11final/images/icons/normal_post_sticky.gif, referer: http://www.mtsociety.com/forums/index.php?action=unread

So I believe this has something to do with their theme? Then again, this is just the Apache error_log. If you mean some other specific logs, let me know again.

SlammedDime

Well, PHP errors will normally show up in either the web server error log, or in a separate file, if that is how PHP is configured. Look wherever PHP is set to send its errors and look there.

karlbenson

If the size of the core files is a problem in the meantime, don't forget that as the host, you can set core files to be dumped at 0 bytes.

hbhb

OK, I've set the core dump to 0 bytes for now.

Now I'm wanting to find out the source of the core files.

#php -e index.php

This does not generate the core files. Which PHP is suspicious of generating the core dumps?

SlammedDime

Well everything is run through index.php, but just calling index.php from CLI probably won't generate it, as this is just the board index of SMF.  That's why I suggest looking at the web server error logs, or even the operating system error logs to see what specific querystring is causing the core dump.

hbhb

I don't know about this. Is someone trying to inject code via index.php, causing these dump files, or is this a separate case which has nothing to do with the dump files??

[Fri Aug 29 00:23:50 2008] [error] [client 219.93.152.130] ModSecurity: Access denied with code 406 (phase 2). Pattern match (?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at ARGS:action. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "www.mtsociety.com"] [uri "/forums/index.php"] [unique_id "j@fW@MpLODoAAHL9flIAAAAl"]

SlammedDime

That could surely cause a core dump if mod security isn't configured correctly... Try disabling it via .htaccess in the user's forum directory and see if that solves the issue.


almanshuurah

Hello..
I have the same problem..
But I know why the web server auto-generated core files..

Is your forum traffic very huge?

My web server got this because so many visitors visit at once.. (1000++)
So.. every visitor's visit maybe generated the error log..

When the traffic is so huge, I also can't access my site; my errors are 404, 500 and also database user errors, because too much traffic accesses the database..

Sorry for my English.. Thanks..

Rumbaar

hbhb, as the host I assume you have a 'space' for yourself. You can try doing a totally fresh install of SMF via Fantastico and test it out yourself. This way you can know all the variables.

Then if you find on a totally fresh install you still get core dumps you can, for the most part, rule out SMF being the main issue and a configuration issue at server level.
"An important reward for a job well done is a personal sense of worthwhile achievement."

[ Themes ]

Baross

Same problem for me too.. I looked in the error log and this is what I have found:

[04-Sep-2008 13:37:04] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/ixed.5.2.lin' - /usr/local/lib/php/extensions/no-debug-non-zts-20060613/ixed.5.2.lin: cannot open shared object file: No such file or directory in Unknown on line 0

There are many lines like this in the log file.

and:
[12-Jul-2008 05:28:02] PHP Fatal error:  require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/baross/public_html/forum/index.php on line 54

These are older errors...

Could these errors generate core dumps?
Is it safe to delete those core files? I have so many of them...

Rumbaar

From my experience I say yes on the deletion, unless your host wants to look at them and has the means to analyze them.

I'd look to your host, for the first error seems to be a server issue that might be causing the script to fail, and thus PHP is dumping core files.

MultiformeIngegno

I've noticed this problem too!! Any update on this?
RockCiclopedia (wiki - forum), the whole history of rock, written by you ...
Stay up to date on the world of music with the new "RockCiclopedia Music News" feed!
