By ETS-Consulting on Friday, 07 October 2016
Posted in Technical Issues
Replies 21
Likes 0
Views 584
Votes 0
Hi StackIdeas,

I am not sure, but it looks like I have found an issue in the component.

Today I found that the following query is being executed on my server multiple times per second:
DELETE FROM `_komento_captcha` WHERE `created` <= DATE_SUB( '2016-10-06 19:47:42', INTERVAL 12 HOUR );

I see in the code that you have implemented 2 queries for cleaning the captcha: one with interval 7D and a second one with 12H. I also see that the Komento cron tab and the setting "clear captcha on page load" trigger the query with 7D.

But I cannot understand what is constantly calling the 12H query in my database. I see this query in the PHP code in administrator/components/com_komento/tables/captcha.php but cannot understand why and how it is called constantly in my installation.

I also see in my Apache log a huge number of POST requests "POST /?option=com_komento HTTP/1.0".

Please help.

Thank you in advance
Martin
Forgot to add: even disabling the Komento component does not help; this query is still being executed. It looks like someone outside can call this piece of PHP code directly, I assume some robots.

Is it a security hole? The Komento component has some other "security holes" I already mentioned to you some time ago, like unsecured links (cronjobs, unsubscribing users ...)

Martin
Friday, 07 October 2016 04:17
Hey there,

>> Forgot to add: even disabling the Komento component does not help; this query is still being executed. It looks like someone outside can call this piece of PHP code directly, I assume some robots.

May I know how you know that the query is still being executed? Is there a way to track this, so that when I investigate this issue on your site I can double-check from this tracking system?

Perhaps you can provide us with your Joomla backend and FTP access at http://stackideas.com/dashboard/site so we can have a better check?


>> Is it a security hole? The Komento component has some other "security holes" I already mentioned to you some time ago, like unsecured links (cronjobs, unsubscribing users ...)

Currently I can't tell you whether it is a security issue yet, because I haven't checked your site.
From what I see in the code, if you have enabled captcha on your Komento form, it will trigger this when the Komento form loads on the page.
Friday, 07 October 2016 12:57
Hi Arlex,

I watch the MySQL log file (I have root access to my server).

>> From what I see in the code, if you have enabled captcha on your Komento form, it will trigger this when the Komento form loads on the page.

Do you mean this query (12H) is triggered when the comment form is rendered or submitted (POST)? I have the setting "Clear Captcha on page load" set to OFF. But so far I see this setting triggers the second query (with INTERVAL 7d). So why are there 2 queries for cleaning the captcha? How can I disable executing both queries completely and trigger them only via cronjob?

I have Komento installed on 2 websites and see that 80% of the Apache logs are full of "POST /?option=com_komento HTTP/1.0". It looks like robots or spammers like this component. Fortunately, so far I do not have any spam in my comments.

I will try to set up an FTP account and give you access to the MySQL log files this evening.

Thanks a lot so far!

Martin
Friday, 07 October 2016 14:51
Yes, those are both methods to clear the captcha data:

7 days
----------
1. If you disable the option "Clear Captcha on page load", it shouldn't execute this unless you have set up a cronjob for this: http://site.com/index.php?option=com_komento&task=clearCaptcha
JoomlaFolder\components\com_komento\controller.php
JoomlaFolder\components\com_komento\helpers\helper.php

12 Hours
------------
2. When the page loads the Komento form, which includes the captcha form, it will execute the SQL to delete the captcha data.
JoomlaFolder\components\com_komento\themes\kuro\comment\form\captcha.php
JoomlaFolder\administrator\components\com_komento\tables\captcha.php
JoomlaFolder\components\com_komento\classes\captcha\captcha.php

>> How can I disable executing both queries completely and trigger them only via cronjob?

By right, when you disable the option "Clear Captcha on page load", it shouldn't execute, but based on my check of the code, it seems that for the "12 Hours" one we have not added any check to disable it.

May I know your current Komento version?

Also I would like to check: just now you said that when you disable the Komento component from the backend, your server still tracks something that triggers this SQL, right?
Friday, 07 October 2016 16:50
Hi Arlex,

- I think we can simply modify captcha.php and, at the place where the query is executed, write a line of text to some text file; this will be OK for testing. With this trick you can see that the component is executing the query even if it is disabled. I will prepare the access for you.

- I do not see any reason for having the second query (12H), which cannot be disabled. So does this mean this "issue" cannot be simply solved without changing the implementation?

- I am using Komento 2.0.9

Best regards
Marcin
Friday, 07 October 2016 17:59
Yes, it quite makes sense to disable the `12hours` one. Can you try commenting out that line of the code and see how it goes? You have to modify this file; check my attached screenshot below.
JoomlaFolder\components\com_komento\controllers\captcha.php

To clear this captcha response data, you now have to use a cronjob to perform this instead.

Set up a cronjob to execute this URL -> http://site.com/index.php?option=com_komento&task=clearCaptcha ; for the cronjob interval, you can set it to perform only once per day.
Friday, 07 October 2016 19:18
Hi Arlex,

Thanks. Yes, I did this.

What is unclear to me:

1) Why do I have so many POST requests in my logs? This is 50x more than site views. Does the Komento JavaScript trigger so many POST requests when displaying the list of comments under an article (Ajax calls during rendering)?

Please click on the link "Apache status" in my dashboard details to see the current Apache state. (I will give you FTP access this evening.) Right now 90% of all requests in Apache are "com_komento POST". This kills my server.

2) Why is the code executed even if Komento is deactivated in the backend?

I will try to analyse from the access log whether this is some kind of attack from outside (IP range).

Thanks so far
Martin
Friday, 07 October 2016 20:54
Hi Arlex,

I see the problem now. I have discovered something that makes me REALLY crazy.

I moved the website offline and logged in as the only user. Then I opened one article on this site (rezepte/hauptspeisen/197-pizza-ze-szparagami) and saw multiple "POST com_komento" calls. So this means there is some JavaScript code which makes those calls. But this is not the end of the problem. I do nothing, just stay on the page, and see in the Apache log that every X seconds my opened page still keeps making multiple com_komento and com_easysocial requests!!! This explains why my server is overloaded with so many requests to the com_komento component.

Question: what JavaScript is constantly sending those requests? For what? How can I fix or disable this?

Please urgently help me to fix this problem. It kills my server!!

As you see in the sample log below, all requests come from the page I have opened (http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami)

217.246.4.158 - - [07/Oct/2016:20:13:45 +0200] "GET /rezepte/hauptspeisen/197-pizza-ze-szparagami HTTP/1.0" 200 27499 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
217.246.4.158 - - [07/Oct/2016:20:13:52 +0200] "POST /?option=com_komento HTTP/1.0" 200 301 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:14:22 +0200] "POST /?option=com_komento HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:14:52 +0200] "POST /index.php?option=com_easysocial&lang=&Itemid=366&_ts=1475863494294 HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:14:52 +0200] "POST /index.php?option=com_easysocial&lang=&Itemid=366&_ts=1475863494300 HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:14:52 +0200] "POST /index.php?option=com_easysocial&lang=&Itemid=366&_ts=1475863494302 HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:14:52 +0200] "POST /?option=com_komento HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:15:23 +0200] "POST /?option=com_komento HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:15:52 +0200] "POST /index.php?option=com_easysocial&lang=&Itemid=366&_ts=1475863554627 HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:15:52 +0200] "POST /index.php?option=com_easysocial&lang=&Itemid=366&_ts=1475863554877 HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:15:53 +0200] "POST /index.php?option=com_easysocial&lang=&Itemid=366&_ts=1475863555493 HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:15:54 +0200] "POST /?option=com_komento HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
217.246.4.158 - - [07/Oct/2016:20:16:25 +0200] "POST /?option=com_komento HTTP/1.0" 200 222 "http://www.kochen-mit-spass.de/rezepte/hauptspeisen/197-pizza-ze-szparagami"
Saturday, 08 October 2016 02:22
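The question this post raises, whether the com_komento POSTs are an external bot flood or a timer in every open browser tab, can be settled from the access log itself. This is an added example, not code from the thread or from StackIdeas: it parses Apache log lines shaped like the excerpt above, groups POSTs per client and Joomla component, and measures the gap between successive requests; a steady period with low jitter from one IP is a client-side timer. It also carries the load arithmetic the later 30 s vs 10 min discussion turns on. The log lines, the 203.0.113.10 test address and www.example.test host are constructed, and the 2 s burst window and 10% jitter threshold are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed sample in Apache log format, modelled on the thread's excerpt; RFC 5737 test address and example host.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Oct/2016:20:13:52 +0200] "POST /?option=com_komento HTTP/1.0" 200 301 "http://www.example.test/rezepte/197-pizza"
203.0.113.10 - - [07/Oct/2016:20:14:22 +0200] "POST /?option=com_komento HTTP/1.0" 200 222 "http://www.example.test/rezepte/197-pizza"
203.0.113.10 - - [07/Oct/2016:20:14:52 +0200] "POST /index.php?option=com_easysocial&lang=&Itemid=366&_ts=1475863494294 HTTP/1.0" 200 222 "http://www.example.test/rezepte/197-pizza"
203.0.113.10 - - [07/Oct/2016:20:14:52 +0200] "POST /index.php?option=com_easysocial&lang=&Itemid=366&_ts=1475863494300 HTTP/1.0" 200 222 "http://www.example.test/rezepte/197-pizza"
203.0.113.10 - - [07/Oct/2016:20:14:52 +0200] "POST /?option=com_komento HTTP/1.0" 200 222 "http://www.example.test/rezepte/197-pizza"
203.0.113.10 - - [07/Oct/2016:20:15:23 +0200] "POST /?option=com_komento HTTP/1.0" 200 222 "http://www.example.test/rezepte/197-pizza"
203.0.113.10 - - [07/Oct/2016:20:15:52 +0200] "POST /index.php?option=com_easysocial&lang=&Itemid=366&_ts=1475863554627 HTTP/1.0" 200 222 "http://www.example.test/rezepte/197-pizza"
203.0.113.10 - - [07/Oct/2016:20:15:54 +0200] "POST /?option=com_komento HTTP/1.0" 200 222 "http://www.example.test/rezepte/197-pizza"
203.0.113.10 - - [07/Oct/2016:20:16:25 +0200] "POST /?option=com_komento HTTP/1.0" 200 222 "http://www.example.test/rezepte/197-pizza"
203.0.113.10 - - [07/Oct/2016:20:16:52 +0200] "POST /index.php?option=com_easysocial&lang=&Itemid=366&_ts=1475863612001 HTTP/1.0" 200 222 "http://www.example.test/rezepte/197-pizza"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
OPTION_RE = re.compile(r'[?&]option=(com_\w+)')  # the Joomla component named in the query string

def parse_requests(log_text):
    """Yield (ip, timestamp, method, component) for requests whose query string names a Joomla component."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        opt = OPTION_RE.search(m['path']) if m else None
        if opt:
            yield m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'), m['method'], opt.group(1)

def poll_period(stamps, burst_s=2.0):
    """Median gap in seconds between request bursts (gaps under burst_s are one burst) and its max jitter."""
    stamps = sorted(stamps)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    spaced = [g for g in gaps if g >= burst_s]
    if not spaced:
        return None, None
    period = statistics.median(spaced)
    return period, max(abs(g - period) for g in spaced)

def polling_profile(log_text, method='POST'):
    """Per (ip, component): count, inferred period and jitter; a steady low-jitter period is a browser timer, not a bot."""
    stamps = defaultdict(list)
    for ip, ts, meth, comp in parse_requests(log_text):
        if meth == method:
            stamps[(ip, comp)].append(ts)
    profile = {}
    for key, times in stamps.items():
        period, jitter = poll_period(times)
        steady = period is not None and jitter <= 0.1 * period  # assumed 10% jitter threshold
        profile[key] = {'count': len(times), 'period_s': period, 'jitter_s': jitter, 'steady_timer': steady}
    return profile

def projected_rps(users_online, calls_per_poll, period_s):
    """Server-wide request rate implied by a client-side poll, e.g. 1000 users x 5 calls / 30 s is about 167 req/s."""
    return users_online * calls_per_poll / period_s
```

Run against a real access log, many distinct IPs with irregular gaps would point at external traffic, while one IP per open tab at a fixed period, as in the sample, is the polling the later replies confirm.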
Those requests are generating mini configurations on the fly. This will be addressed in Komento 2.1 and EasySocial 2.
Saturday, 08 October 2016 02:26
Hi Mark,

How can I fix this problem? Currently it kills my server when 500 users online constantly generate thousands of such requests. How can I temporarily fix it until the new versions are released?

When are you going to release those new versions of Komento and EasySocial?

Thanks in advance
Martin
Saturday, 08 October 2016 02:42
My server is dead .. thousands of com_komento POST requests hitting my site (see attachment) .. please help urgently. How can I disable this flood of requests?
Saturday, 08 October 2016 17:50
I have managed to recover from this disaster by adding a deny rule to my htaccess and blocking all requests having ?com_komento in the query string.

RewriteCond %{QUERY_STRING} ^.*(option=com_komento).* [NC]
RewriteRule ^(.*)$ - [F,L]

After this my server load went from 400% back to 80%.

Waiting urgently for any fix from your side.

Thanks in advance
Martin
Saturday, 08 October 2016 18:19
Hello Martin,

You are having an issue with bots trying to massively connect to your site. Each connection made on the site is requesting ajax calls on the server. This cannot be fixed immediately and we are addressing this in Komento 2.1 by moving all the configuration requests to a single file that doesn't need to be generated all the time.

As for the issues that you are facing, I would suggest that you identify these bot IPs first. Check your request log and block them accordingly using your htaccess file.
Saturday, 08 October 2016 19:15
Hi Mark,

Thanks for your answer.
As I stated before, I have tested it myself and checked in the Apache logs: those are not robots.

Every user on the internet who opens any page on my website with the Komento module constantly generates POST requests. NOT ONLY ONE - BUT CONSTANTLY generating requests. I have just tested this: I opened one URL, checked my IP in the logs and saw that my IP is constantly generating those requests. Keeping the site open in the browser (not doing anything else) constantly generates those requests!! I

Is there any loop or trigger in the JavaScript which is constantly generating those requests?

I currently have quite good traffic, between 600 and 1000 users online, and only those requests to com_komento are killing my server. What is this POST request actually doing? Generating a new captcha or something else?

For low-traffic websites this problem might not even be noticed, but when the number of opened subpages grows the problem explodes.

Now, after blocking these POST requests, my server is perfectly managing all the traffic.

Please keep this in mind during development of the new version and avoid any requests from open pages.

Example: enabling caching in Joomla makes my website 10x faster; the number of calls is dramatically reduced and PHP processing is very low. But it is enough to have one component (like Komento in this case) which does not follow such a "high traffic" design, and it destroys all other optimisation, caching etc.

Please do not misunderstand me. I love your components and am going to keep using them permanently, keeping my subscription alive long term. I send you reports about issues, bugs and improvements from time to time because I want your great products to be even more perfect. Please do not ignore them.

Thanks in advance and best regards
Martin
Saturday, 08 October 2016 20:26
Hello Martin,

Thanks for sharing this with me and I appreciate it. This was one of the main reasons why we removed Foundry from EasySocial 2 and EasyDiscuss 4. With EasyBlog, we have removed the "configuration" part so you won't feel it, but in Komento 2.1 we will be removing Foundry altogether.

I believe Komento has an interval setting as well, and you should try to turn that off as the intervals could cause the CPU spike. These interval checks are to check for new comments.

By the way, it also looks like your subscription has already expired.
Saturday, 08 October 2016 22:13
Hi Mark,

Now I understand where the traffic is generated. Thanks. (Ajax polling from Komento and EasySocial.) I have found those settings (Komento 1 call per user and ESocial 4 calls per user) and see that the default config values for all of them are 30s. I have increased them all to 10 minutes.

It is of course a very nice feature in Komento and ES to have on-page notifications in case of new events. So I will keep them, test with the 10 min setting and give you feedback.

Maybe there is a way to make some optimisation in Komento and ES to make those nice notifications more performant and reduce the number of calls to the DB? Any kind of internal caching to a file of the last 20 comments for every article to reduce the number of DB calls?

In my case (and on my other websites) there is a rule like 80% of users visiting 5% of pages. I have quite a strong machine (4 CPUs, 32GB) and with 4 websites running on it, many extensions and 1000 users online I have only 30% server load. Enabling Komento Ajax raises the server load to over 300%. Maybe those queries are not using indexes or are not well cacheable by MySQL?

Of course I am going to renew the bundle of all components right now ...

Cheers
Martin
Monday, 10 October 2016 13:54
Thanks for getting back to us.

Sure, keep us updated on the result: if you set it to 10 minutes, does it look better?

By the way, we will definitely see what we can do in Komento 2.1 version.
Monday, 10 October 2016 23:01
Hi Arlex,

Yes. Setting this value to 5 minutes or higher for a website with 1000 users online solves the problem; the server load increases only a bit.

Are you going to completely remove the Ajax calls (polling for notification) in v2.1 or just make some optimizations?

Regards
Martin
Tuesday, 11 October 2016 04:03
Hey there,

I just checked Easysocial 2.0 on our demo site. Easysocial 2.0 is still using an ajax call to check the system notifications, but this time we reduced it to only 1 ajax call to check 5 things for updates, e.g.
- system notification
- friends notification
- conversation notification
- Stream latest updates
- comment updates

If I recall correctly, in the past (1.4) we separated those notifications into different ajax calls, like 5 ajax calls to get each notification on the page.
Tuesday, 11 October 2016 10:09
Hi Arlex,

Today I installed the latest ES v2.0.2 and am trying to get familiar with the new configuration. I see in the latest version many settings are simplified (good). Concerning this thread: I see under Settings / Notification some ON/OFF buttons, but I cannot find the setting to configure the frequency at which the user will fire Ajax calls to load the latest notifications. Could you please help me with how I can set this value? I have found the setting "Broadcast Period", but the description says it is only for administrator notifications, so it looks like it is not the setting I am looking for?

Thanks
Martin
Thursday, 03 November 2016 00:35
Hey there,

We have already simplified all the settings in the Easysocial 2 backend; this polling interval setting is no longer configurable in Easysocial 2.

By default, the system will kick off 1 ajax call every 45s to check the following status:
- system notification
- friends notification
- conversation notification
- Stream latest updates
- comment updates
Thursday, 03 November 2016 12:15