CMS – NHS problem

There is a problem which seems to occur mostly on Mondays when a user connects from the NHS gateway {IP}. This is causing some threads of the java process that runs sitemanager to hang while still consuming CPU cycles. The system can operate with 1 of these as its a dual CPU server but once there are 2 or more of these then the service will degrade steadily.  There is a case raised with Terminal 4 who are investigating but in the meantime they advise restarting tomcat. The user interface will keep running for up to an hour but as publishing slows down and these back up then the perfomance will fall off. The rsync to the live server is badly affected as well. These gradually build up. The nagios service can also be used to view the problem. Look under “Apache Status” and select the entry”CMS tomcat” or go directly to

The cpu guzzling processses will be obvious, but check with top.

There are 2 possible actions 1. restart tomcat 2. renice java and keep it running for a while  (I would do this if its 4.30 keeping things ticking over until after 5.00 and then restart tomcat}

1. restart tomcat

{on jackie}
ps -ef | grep java
kill -9 {java process id}
rm /usr/local/tomcat/temp/
/etc/init.d/tomcat start

2. change priorities

ps -ef | grep java
renice +19 {java process id}
renice -19 {process ids of the rsync process}

Also of note is that the NHS gateway can be blocked by adding the following line immediately under the input directive to the iptables config. in /etc/sysconfig:


There is a copy of the iptables file with this line included called iptables-hsblock. This is a measure of last resort as it also blocks NHS staff accessing an eform which they are using at present to register for a workshop.

Cache root file systems

The root filesystem on the squid cache server marge can become full due to a couple of temporary files in /var/tmp growing very large. These files can only be cleared when squid is stopped, the following commands will help solve this:

/usr/local/squid/sbin/squid -kshutdown
/usr/local/squid/sbin/squid -f /usr/local/squid/etc/squid-qub.conf  -kshutdown
ps -ef | grep squid | grep -v dns # check for the active squid processes
tail -f /usr/local/squid/logs/access.log # check activity on the service
tail -f /usr/local/squid/logs/cache.log # watch for the squid shutdown message – takes 30secs
rm /var/tmp/UR_COUNT_ALL
rm /var/tmp/UR_COUNT_ALLTCP
rm /var/tmp/UR_COUNT_ALLUDP
/etc/rc.d/rc3.d/S98squid start
/etc/rc.d/rc3.d/S98squid_qub start

Detecting Country of Website Visitor

We have added GeoIP technology to the main web service which allows us to add this functionality to websites on request.

The GeoIP technology allows you to use Server Variables to detect the country your visitor is located in.This allows website authors to tailor content for specific visitors based on the country they are located in. For example, if targeting Chinese visitors a landing page could be created welcoming visitors in Mandarin and specifying links useful to Chinese visitors trying to make a decision on whether to come to this University.

An example in PHP follows:


echo “Hello you are based in the UK”;



You should contact webmaster [@] qub . ac . uk to have this functionality enabled on your website if you wish to use it.

QUB Web Stats Service Updated

We have now updated the Web Statistics service to AWStats version 7.0 which should give better results for mobile browser and operating systems. We have also improved the graphs in the Standard Interface which should make them a little easier to look at. This includes a world map showing the countries of visitors.

Also on the Standard Interface we have extra links in the ‘Hosts’ section under the column ‘Follow Me’. Clicking on the ‘Zoom’ link will show a visitor’s path through the website – if this information is available for the chosen visitor.


Grepping for LizaMoon infected website files

The Liza Moon attack targets Microsoft SQL Server installations injecting javascript tags into website files. Although we are primarily using Unix/Linux servers I performed some scans using the following to check for lizamoon infection:

find . -type f -exec egrep “\<script src=http\:\/\/.*\/ur\.php” {} \;

On Windows Server I used Powershell and the following command:

Get-ChildItem * -Recurse | Select-String -Pattern ur.php

jqPlot Example for Website Graphs

This is a simple example usage of the jqPlot jQuery plugin. The example on the author website omits the “, {}” options in the .jqplot function call.

 <link rel="stylesheet" href="./scripts/jqplot/jquery.jqplot.min.css" type="text/css" media="all" />
 <!--[if IE]>http://./scripts/jqplot/excanvas.js<![endif]-->

 $(document).ready(function() {
 $.jqplot.config.enablePlugins = true;
 $.jqplot('chartdiv',  [[[1, 2],[3,5.12],[5,13.1],[7,33.6],[9,85.9],[11,219.9]]], {});

</body> </html>  

Building an RPM Package (DansGuardian 2.10)

After putting together an RPM for DansGuardian v2.10.1.1 I thought I would make a few notes. The version of DansGuardian in the repositories is currently version 2.8 and the only other repo or rpm I could find was a 32-bit 2.10.  Why DansGuardian 2.10?

  • Content Scanning Support with Clamd or Kapersky
  • Regular Expressions to enforce Google Safe Search (without patching)
  • NTLM support

So I set about generating the rpm for version for 64-bit CentOS. My CentOS version is 5.5. I found this IBM developer works article useful for guidance on creating RPMs. I also did this build with DansGuardian v2.8 already installed via yum so I was able to make use of the existing init.d and logrotate.d scripts.

cd /usr/src/redhat/SOURCES
cp /etc/init.d/dansguardian /usr/src/redhat/SOURCES/dansguardian.init-centos
cp /etc/logrotate.d/dansguardian /usr/src/redhat/SOURCES/dansguardian.logrotate-centos
cd ../SPECS

Edit the above spec file to reflect version removing the %patch0 line and setting –enable-clamav=no \
or use the SPEC file listed below.

yum install clamd clamav-devel pcre-devel

Build the RPM – keep an eye out for errors and install dependencies as needed:

cd ..
rpmbuild -v -bb –clean /usr/src/redhat/SPECS/dansguardian-centos-clamav.spec

After compilation you should have an rpm in /usr/src/redhat/RPMS/x86_64 which you can install after removing the existing 2.8 version of dansguardian:

yum remove dansguardian
rpm -Uvh /usr/src/redhat/RPMS/x86_64/dansguardian-clamav-

In order to make use of the clamd content scanning in dansguardian it may be necessary to to change the owner and group in /etc/dansguardian/dansguardian.conf to clamav & clamav.

The RPM I created is available here: dansguardian-clamav- – just in case anyone else can make use of it. I make no warranties.

# $Id: dansguardian.spec  2007-04-06 dpv $
# Upstream: Daniel Barron <author$dansguardian,org>

# What to change when you build a new version:
# Version – match upstream version
# Release – Usually this would stay the same if the version is changed.
#           It is only things NOT in the .tar.gz file that will cause a release number change.
# Packager – if desired
# Vendor – if desired
# Patch0 – could easily become obsolete if the upstream version has changed
# %files – if files are added or removed, this section needs to be updated accordingly

%define real_name DansGuardian

Summary: Content filtering web proxy
Name: dansguardian-clamav
BuildRequires: gcc-c++ zlib-devel pcre-devel
Requires: coreutils squid
License: GPL
Group: System Environment/Daemons
Release: 0.1.el5.clamav.0.95
Packager: Jonny McCullagh <>
Vendor: Queens University Belfast

# all of these files must live in /usr/src/redhat/SOURCES
Source: dansguardian-%{version}.tar.gz
Source1: dansguardian.init-centos
Source3: dansguardian.logrotate-centos
#Patch0: dansguardian_gcc43.patch
BuildRoot: %{_tmppath}/dansguardian-%{version}-%{release}-root

DansGuardian is a web filtering engine that checks the content within
the page itself in addition to the more traditional URL filtering.

DansGuardian is a content filtering proxy. It filters using multiple methods,
including URL and domain filtering, content phrase filtering, PICS filtering,
MIME filtering, file extension filtering, POST filtering.

%setup -q -n dansguardian-%{version}
#%patch0 -p0

%{configure} \
        –enable-clamav=no \
        –enable-clamd=yes \
        –enable-email=yes \
        –enable-icap=yes \
        –enable-kavd=yes \
        –enable-ntlm=yes \
        –enable-pcre=yes \

%{__perl} -pi.orig -e ‘
                s|^(CHKCONFIG) =.*$|$1 = :|;
        ‘ Makefile

%{__make} %{?_smp_mflags}

mkdir -p %{buildroot}/var/log/dansguardian/
#mkdir -p %{buildroot}/var/run
make install DESTDIR=%{buildroot}
%{__install} -D -m0755 %{SOURCE1} %{buildroot}%{_initrddir}/dansguardian
%{__install} -D -m0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/dansguardian
ln -s /etc/init.d/dansguardian %{buildroot}%{_sbindir}/rcdansguardian

chown -R nobody /var/log/dansguardian
chkconfig –add dansguardian

if [ $1 -eq 0 ]; then
        /etc/init.d/dansguardian stop &>/dev/null || :



%{__rm} -rf %{buildroot}

%defattr(-, root, root, 0755)
%doc /usr/share/doc/dansguardian/*
%doc %{_mandir}/man?/*
%config %{_sysconfdir}/dansguardian/*
%config %{_sysconfdir}/logrotate.d/dansguardian
%dir /etc/dansguardian
%dir /usr/share/dansguardian
%dir /var/log/dansguardian

* Mon Nov 22 2010 Jonny McCullagh <> – 2.10-1.1
– Update to DG stable release and built for x86_64

* Wed Mar 11 2009 Rick Saul <> – 2.10-0.3
– Update to DG stable release.

* Wed Sep 17 2008 Paul Gear <>  –
– Created CentOS version based on Don Vosburg’s SUSE spec file. See

Firefox Windows 7 and Linux proxy.pac

Had a problem today with Firefox on Windows 7 and Firefox on Linux. Upon reading our proxy.pac (wpad) file the if statements were not working:

if(isInNet(myIpAddress(), “”,”″))

According to this post on Mozilla the problem is due to how FF/Win7 reports the ipv6 address, rather than the ipv4 version. So the solution was to add the CIDR version too e.g.

isInNet(myIpAddress(), “”, “”) ||
isInNet(myIpAddress(), “”, “/23”) || 

Order has been restored!


Certwatch checks for Apache certificates which are due to expire. By default on Red Hat / Centos there is a cron job in /etc/cron.daily which runs and sends its output to root. To configure it:

vi /etc/sysconfig/httpd

Add a line such as:

CERTWATCH_OPTS=”–period 30 –address my.user@domain.tld”

It is also possible to switch it off with:


MS Office 2007 Formats in Apache

In Apache 2 I added the following to stop Internet Explorer trying to open these formats as compressed archives (which they actually are) and to open them using the MS Office appliations:

AddType application/ .docm

AddType application/vnd.openxmlformats-officedocument.wordprocessingml.document docx
AddType application/vnd.openxmlformats-officedocument.wordprocessingml.template dotx
AddType application/ potm
AddType application/vnd.openxmlformats-officedocument.presentationml.template potx
AddType application/ ppam
AddType application/ ppsm
AddType application/vnd.openxmlformats-officedocument.presentationml.slideshow ppsx
AddType application/ pptm
AddType application/vnd.openxmlformats-officedocument.presentationml.presentation pptx
AddType application/ xlam
AddType application/ xlsb
AddType application/ xlsm
AddType application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx
AddType application/ xltm
AddType application/vnd.openxmlformats-officedocument.spreadsheetml.template xltx