httpd-dev mailing list archives

From Chuck Murcko <ch...@Topsail.ORG>
Subject Re: Security problem ?
Date Mon, 02 Jun 1997 17:04:36 GMT
Sounds like the old syslogd blocking problem; he might want to check when
the syslogd entries stopped, and for any other odd system messages around
the time when the machine went deaf & dumb..

> 
> Hi, I'll forward your mail to the developers mailing list.
> There are no known security problems at the moment. Hopefully
> your httpd just blew up in sympathy when the rest of the system
> went bad.
> 
> One thing to check is the activity of the 'problem' user before
> the incident. Does it look like reasonable usage or someone
> probing ?
> 
> 
> On Mon, 2 Jun 1997, Chris Cason wrote:
> 
> > Hi ... I didn't want to post this publicly because
> > 
> >   1) it's probably not a bug, but
> >   2) if it is, it's possibly a security compromise.
> > 
> > I'm running 1.2 beta 10 on http://www.povray.org/ (i86 Linux). Something
> > weird happened yesterday and I'm still trying to work out what. I lost the
> > ability to contact the machine for a time; the server was up but was working
> > strangely, and I could not log in via ssh or telnet.
> > 
> > When I could finally get in, I rebooted and examined various log files for the 
> > cause. The HTTPD transfer_log for that particular virtual server showed that 
> > it had stopped at a certain time, and the _very last_ entries in it were 
> > these (I have to hex dump as it contains high-ASCII) -
> > 
> > 00  6D 61 6E 68 61 74 74 61-6E 2E 74 68 69 72 64 77   manhattan.thirdw
> > 10  61 76 65 2E 6E 65 74 20-2D 20 2D 20 5B 30 31 2F   ave.net - - [01/
> > 20  4A 75 6E 2F 31 39 39 37-3A 31 32 3A 33 38 3A 31   Jun/1997:12:38:1
> > 30  36 20 2D 30 37 30 30 5D-20 22 FF FA 25 03 72 6F   6 -0700] "..%.ro
> > 40  6F 74 FF F0 3F 22 20 34-30 30 20 2D 20 22 2D 22   ot..?" 400 - "-"
> > 50  20 22 2D 22 0A 6D 61 6E-68 61 74 74 61 6E 2E 74    "-".manhattan.t
> > 60  68 69 72 64 77 61 76 65-2E 6E 65 74 20 2D 20 2D   hirdwave.net - -
> > 70  20 5B 30 31 2F 4A 75 6E-2F 31 39 39 37 3A 31 32    [01/Jun/1997:12
> > 80  3A 35 35 3A 32 39 20 2D-30 37 30 30 5D 20 22 FF   :55:29 -0700] ". 
> > 90  FA 25 03 72 6F 6F 74 FF-F0 68 65 6C 6C 6F 22 20   .%.root..hello" 
> > A0  34 30 30 20 2D 20 22 2D-22 20 22 2D 22 0A 90 0E   400 - "-" "-"...
> > 
> > followed by
> > 
> > manhattan.thirdwave.net - - [01/Jun/1997:12:56:13 -0700] "GET / HTTP/1.0" 200
> >   1085 "-" "Lynx 2.5  libwww-FM/2.14"
> > manhattan.thirdwave.net - - [01/Jun/1997:12:56:16 -0700] "GET /nf-index.html  
> >   HTTP/1.0" 200 17342 "-" "Lynx 2.5  libwww-FM/2.14"
> > 
> > There is nothing else in the log file beyond that point. What set off alarm
> > bells for me was that the above hexdump contains some binary surrounding the word
> > 'root', and the machine stopped working almost immediately after that (we
> > normally get about two hits per second on that server.)
> > 
> > Is there anything in the above information that is of interest to you ?
> > 
> > regards,
> > 
> > -- Chris Cason
> > 
> > 
> > 
> 
> --
> Rob Hartill                              Internet Movie Database (Ltd)
> http://www.moviedatabase.com/   .. a site for sore eyes.
> 
> 


-- 
chuck
Chuck Murcko            The Topsail Group             West Chester PA USA
chuck@topsail.org
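Added example, not part of the thread above: a small Python scanner that reads Common Log Format entries as bytes, flags request lines containing non-printable bytes, and decodes telnet option negotiation (IAC sequences, RFC 854; AUTHENTICATION sub-option names from RFC 2941) found inside them. The sample input is reconstructed from the hex dump quoted in the thread; the field names in the findings dicts are my own. Run against those bytes it reports the two 400 entries as telnet negotiation wrapped around the text "?" and "hello", which is what an interactive telnet client sends before any typed input, so the 'root' in the dump is the telnet client's local username announcement rather than part of an HTTP request.

```python
"""Scan an access log for request fields with non-printable bytes and decode
any telnet negotiation they contain (added example; sample input reconstructed
from the thread's hex dump)."""
import re

# Constructed sample: the two 400 entries from the hex dump plus one clean entry.
SAMPLE_LOG = (
    b'manhattan.thirdwave.net - - [01/Jun/1997:12:38:16 -0700] '
    b'"\xff\xfa\x25\x03root\xff\xf0?" 400 - "-" "-"\n'
    b'manhattan.thirdwave.net - - [01/Jun/1997:12:55:29 -0700] '
    b'"\xff\xfa\x25\x03root\xff\xf0hello" 400 - "-" "-"\n'
    b'manhattan.thirdwave.net - - [01/Jun/1997:12:56:13 -0700] '
    b'"GET / HTTP/1.0" 200 1085 "-" "Lynx 2.5  libwww-FM/2.14"\n'
)

# Common Log Format with optional referer/user-agent, matched on raw bytes.
CLF = re.compile(
    rb'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)(?: "(.*?)" "(.*?)")?$',
    re.DOTALL,
)

# Telnet protocol constants (RFC 854) and a few well-known option numbers.
IAC, SE, SB = 0xFF, 0xF0, 0xFA
NEGOTIATE = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
TELNET_OPTIONS = {0x01: "ECHO", 0x03: "SUPPRESS-GO-AHEAD", 0x18: "TERMINAL-TYPE",
                  0x1F: "NAWS", 0x25: "AUTHENTICATION"}
AUTH_SUBCMDS = {0: "IS", 1: "SEND", 2: "REPLY", 3: "NAME"}  # RFC 2941


def opt_name(opt):
    return TELNET_OPTIONS.get(opt, f"option {opt}")


def decode_telnet(request: bytes):
    """Strip telnet negotiation from a request field.

    Returns (remaining_text, notes), where notes describe each IAC sequence seen.
    """
    out, notes, i = bytearray(), [], 0
    while i < len(request):
        b = request[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        nxt = request[i + 1] if i + 1 < len(request) else None
        if nxt is None:
            notes.append("dangling IAC")
            break
        if nxt == IAC:                      # IAC IAC escapes a literal 0xFF
            out.append(IAC)
            i += 2
        elif nxt == SB:                     # sub-negotiation up to IAC SE
            end = request.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                notes.append("unterminated IAC SB")
                break
            body = request[i + 2:end]
            if body and body[0] == 0x25 and len(body) >= 2:
                sub = AUTH_SUBCMDS.get(body[1], f"subcmd {body[1]}")
                notes.append(f"IAC SB AUTHENTICATION {sub} {bytes(body[2:])!r} IAC SE")
            else:
                name = opt_name(body[0]) if body else "empty"
                notes.append(f"IAC SB {name} {bytes(body[1:])!r} IAC SE")
            i = end + 2
        elif nxt in NEGOTIATE and i + 2 < len(request):
            notes.append(f"IAC {NEGOTIATE[nxt]} {opt_name(request[i + 2])}")
            i += 3
        else:                               # other two-byte IAC command
            notes.append(f"IAC 0x{nxt:02x}")
            i += 2
    return out.decode("latin-1"), notes


def scan_log(data: bytes):
    """Return findings for entries whose request field is not printable ASCII."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        if not line:
            continue
        m = CLF.match(line)
        if not m:   # truncated or garbled entry: report it rather than drop it
            findings.append({"line": lineno, "unparsed": True,
                             "request": line[:40].decode("latin-1"), "telnet": []})
            continue
        request = m.group(3)
        nonprint = sum(1 for b in request if b < 0x20 or b > 0x7E)
        if not nonprint:
            continue
        text, telnet = decode_telnet(request)
        findings.append({"line": lineno, "host": m.group(1).decode("latin-1"),
                         "status": int(m.group(4)), "request": text,
                         "nonprintable": nonprint, "telnet": telnet})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The scanner keeps the log as bytes end to end, since decoding it as UTF-8 first would either raise on 0xFF or silently replace the very bytes the check is looking for.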
