Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: FW_TOR = on
Posted: Sun Aug 05, 2012 10:04 am
Forum User
Joined: Wed Jul 04, 2012 7:44 am
Posts: 13
Location: Costa Rica
Hello,

I'm new to ASL so I'm trying to learn and fine tune ASL as quickly as possible.

I turned FW_TOR to 'on' in the ASL configuration and some of the websites using MySQL stopped working.
I started getting this message in the "Security Events" window.

iwx1 suhosin[8877]: ALERT - linked list corrupt on efree() - heap corruption detected (attacker `201.199.xx.xx`, file `/home/crphotos/mydomain.com/html/new/gallery3/index.php`)

IP '201.199.xx.xx' is from my local PC

What does the TOR list have to do with this?
Why does it affect MySQL connections?
I thought suhosin was not part of ASL

If somebody can shed some light on this, it would be very much appreciated

Thanks,

Rodrigo
CRServers.com


 Post subject: Re: FW_TOR = on
Posted: Sun Aug 05, 2012 12:12 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3243
Location: Chantilly, VA
Suhosin is not part of ASL and is not installed by ASL.

FW_TOR just adds firewall rules to block TOR exit nodes; it does not do anything else. That suhosin alert is something unrelated to ASL, but suhosin is blocking your IP, so that's definitely causing you problems.

FW_TOR also has nothing to do with MySQL.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: FW_TOR = on
Posted: Sun Aug 05, 2012 12:24 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
I don't know how many IPs get added when you enable that, but it might be more than your system can handle, and be causing something strange to happen that suhosin doesn't like?

Maybe take a look at iptables -v -n -L | less to see if anything looks odd or if there are any errors when you do a service iptables status

You can turn suhosin's log-only mode on in /etc/php.d/suhosin.conf. The logs will still appear, but nothing will be blocked by suhosin itself (but ASL - ossec may blacklist the "attacking" IP).

Maybe suhosin was installed accidentally, for example if you did a yum install php php-* as php-suhosin is in the ART repo.

Faris.

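The iptables check suggested in the post above, as an added example that is not part of the original thread and not ASL's own code: it counts rules per chain in `iptables -S` output and reports which DROP/REJECT rules would match a given client address. The chain name TOR-BLOCK and every address in the sample are constructed for illustration; negated sources (`! -s`) are ignored.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `iptables -S` output. The chain name TOR-BLOCK and all
# addresses (documentation ranges) are made up, not taken from ASL.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-N TOR-BLOCK
-A INPUT -j TOR-BLOCK
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A TOR-BLOCK -s 192.0.2.10/32 -j DROP
-A TOR-BLOCK -s 198.51.100.0/24 -j DROP
-A TOR-BLOCK -s 203.0.113.77/32 -j DROP
"""

APPEND_RE = re.compile(r"^-A (\S+) (.+)$")

def parse_rules(text):
    """Return (chain, source network or None, target or None) per -A line."""
    rules = []
    for line in text.splitlines():
        m = APPEND_RE.match(line.strip())
        if not m:
            continue  # policy (-P) and chain-creation (-N) lines
        chain, tokens = m.group(1), m.group(2).split()
        src = target = None
        for i, tok in enumerate(tokens[:-1]):
            if tok == "-s" and (i == 0 or tokens[i - 1] != "!"):  # skip "! -s"
                src = ipaddress.ip_network(tokens[i + 1], strict=False)
            elif tok == "-j":
                target = tokens[i + 1]
        rules.append((chain, src, target))
    return rules

def rules_per_chain(rules):
    """How many rules each chain holds, to spot an oversized blocklist."""
    return Counter(chain for chain, _, _ in rules)

def blocking_rules_for(rules, address):
    """DROP/REJECT rules whose explicit source covers `address`."""
    ip = ipaddress.ip_address(address)
    return [(chain, str(src)) for chain, src, target in rules
            if target in ("DROP", "REJECT") and src is not None and ip in src]

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print(dict(rules_per_chain(parsed)), blocking_rules_for(parsed, "198.51.100.23"))
```

On a live host the input would be the saved output of iptables -S; an empty result for the client and database addresses means no source-based block rule covers them.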
 
 Post subject: Re: FW_TOR = on
Posted: Sun Aug 05, 2012 1:07 pm
Forum User
Joined: Wed Jul 04, 2012 7:44 am
Posts: 13
Location: Costa Rica
Hello,

I have never installed suhosin voluntarily.

But indeed there is suhosin in my system:

[root@iwx1 ~]# rpm -qa | grep suhosin
php-xmlrpc-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-gd-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-mcrypt-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-pdo-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-soap-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-cli-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-devel-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-imap-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-xml-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-mysql-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-mbstring-5.2.17-rhe5x.iworx.js.suhosin.fpm.200
php-common-5.2.17-rhe5x.iworx.js.suhosin.fpm.200

I wonder if this gets installed by Interworx. I will ask them.

Anyway, what does enabling TOR node blockage in ASL have to do with MySQL not connecting or suhosin?
After turning TOR blockage off again, the event disappeared, and MySQL connections started working again.

Regards,

Rodrigo


Last edited by CRServers on Sun Aug 05, 2012 1:31 pm, edited 1 time in total.

 Post subject: Re: FW_TOR = on
Posted: Sun Aug 05, 2012 1:15 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3243
Location: Chantilly, VA
Quote:
Anyway, what does enabling TOR node blockage in ASL have to do with MySQL not connecting or suhosin?


Nothing. It does not install, configure or do anything with suhosin (suhosin is not part of ASL, ASL does not install it, and cannot do so), and has nothing to do with MySQL either. Blocking TOR nodes just adds external firewall rules to block TOR exit nodes.

I recommend you remove suhosin from your system to see if that resolves this for you.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

