httpd-users mailing list archives

From "Mike Roest" <ht...@blahz.ab.ca>
Subject RE: 1.3.26 Exploit? or something I'm overlooking
Date Mon, 24 Jun 2002 04:40:35 GMT
The weird thing is there are no logs of the requests which leads me to
believe he's trying something similar to the chunk exploit.  In this case
there was more than one connection.  In the previous case there was
only one connection made to the box that made the child processes fail
over and over again.  I think I will send this to the security email in
the morning as I think there are some leftovers of the chunk bug still
in 1.3.26.

--Mike

-----Original Message-----
From: mike [mailto:ruler@isolate.net] 
Sent: Sunday, June 23, 2002 10:25 PM
To: users@httpd.apache.org
Subject: Re: 1.3.26 Exploit? or something I'm overlooking


Is he requesting the same URL over and over? If he is, he may be trying to
use the chunk exploit on your server, and it could be a bug in 1.3.26 that is
causing your server to crash.  Is there a core file? Perhaps debugging will
lead you to an answer.

Thanks.
----- Original Message -----
From: "Mike Roest" <httpd@blahz.ab.ca>
To: <users@httpd.apache.org>
Sent: Sunday, June 23, 2002 11:58 PM
Subject: Re: 1.3.26 Exploit? or something I'm overlooking


> Mike Roest wrote:
>
> > Hello,
> >    I have recently upgraded to 1.3.26 to fix the reported security
> > hole in 1.3.24.  The weirdest thing is that I am still getting error
> > messages like the following in my error_log
> >
> > [Sun Jun 23 18:05:57 2002] [notice] child pid 27126 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:05:59 2002] [notice] child pid 27127 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:06:01 2002] [notice] child pid 27138 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:06:03 2002] [notice] child pid 27139 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:06:05 2002] [notice] child pid 27140 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:06:07 2002] [notice] child pid 27141 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:06:10 2002] [notice] child pid 27142 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> >
> > I have attempted to get a tcpdump of the web transaction that happens
> > right before this error shows up but I lost the one that I was able to
> > grab.  I am continuing to run tcpdump in case it happens again (which
> > it most likely will as it's been happening a few times a day for the
> > last couple days since I upgraded)
> >
> > http://myip/server-info gives the following info
> >
> > Server Version: Apache/1.3.26 (Unix) PHP/4.2.1 mod_gzip/1.3.19.1a
> > Server Built: Jun 21 2002 22:14:40
> > API Version: 19990320:13
> > Run Mode: standalone
> > User/Group: apache(48)/233
> > Daemons: start: 5    min idle: 5    max idle: 10    max: 150
> > Max Requests: per child: 0    keep alive: on    max per connection: 100
> > Threads: per child: 0   Excess requests: per child: 0   Timeouts:
> > connection: 300    keep-alive: 15
> > Server Root: /usr/local/apache
> > Config File: conf/httpd.conf
> > PID File: /usr/local/apache/logs/httpd.pid
> > Scoreboard File: /usr/local/apache/logs/httpd.scoreboard
> >
> > I have tried using the mod_blowchunks that was posted to bugtraq and
> > it catches the 1.3.24 chunk request errors. But doesn't catch this
> > error when it happens.
> >
> > The result when this happens is like the 1.3.24 exploit.  My Apache
> > becomes unresponsive and my process list shows many httpd <defunct>.
> >
> > Has anyone seen this with 1.3.26???  Or should I be sending this in as
> > a possible 1.3.26 exploit?
> >
> > --Mike
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> 21:37:23.134773 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: S 37050989:37050989(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:37:23.353585 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . ack 2927164643 win 8700 (DF)
> 21:37:23.379103 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 0:369(369) ack 1 win 8700 (DF)
> 21:37:26.352057 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 0:369(369) ack 1 win 8700 (DF)
> 21:37:26.862303 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 369:616(247) ack 578 win 8123 (DF)
> 21:37:27.179720 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . ack 3478 win 8700 (DF)
> 21:37:27.334743 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . ack 4928 win 8700 (DF)
> 21:37:27.515695 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 616:951(335) ack 5000 win 8628 (DF)
> 21:37:27.875342 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 951:1346(395) ack 5901 win 7727 (DF)
> 21:37:28.328372 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . ack 6139 win 7489 (DF)
> 21:37:44.210618 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . ack 6140 win 7489 (DF)
> 21:37:45.130847 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: R 37052336:37052336(0) win 0 (DF)
> 21:37:55.324275 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: S 37080251:37080251(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:37:55.328301 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: S 37080251:37080251(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:37:55.547389 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: . ack 2965126357 win 8700 (DF)
> 21:37:55.587683 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: P 0:619(619) ack 1 win 8700 (DF)
> 21:37:55.591010 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: . ack 1 win 8700 (DF)
> 21:37:55.876958 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: . ack 2 win 8700 (DF)
> 21:37:55.882738 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: F 619:619(0) ack 2 win 8700 (DF)
> 21:37:55.893706 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: S 37083752:37083752(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:37:56.152285 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: . ack 2968100435 win 8700 (DF)
> 21:37:56.195127 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: P 0:641(641) ack 1 win 8700 (DF)
> 21:37:56.417005 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: . ack 2 win 8700 (DF)
> 21:37:56.421981 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: F 641:641(0) ack 2 win 8700 (DF)
> 21:38:01.570651 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: S 37089423:37089423(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:38:01.795484 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: . ack 2973152539 win 8700 (DF)
> 21:38:01.822845 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: P 0:387(387) ack 1 win 8700 (DF)
> 21:38:02.224006 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: . ack 776 win 7925 (DF)
> 21:38:07.709122 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: P 387:963(576) ack 776 win 7925 (DF)
> 21:38:07.955032 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: . ack 777 win 7925 (DF)
> 21:38:07.959998 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: F 963:963(0) ack 777 win 7925 (DF)
> 21:38:07.966074 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: S 37095810:37095810(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:38:08.182789 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: . ack 2978118703 win 8700 (DF)
> 21:38:08.218719 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: P 0:576(576) ack 1 win 8700 (DF)
> 21:38:08.469728 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: . ack 2 win 8700 (DF)
> 21:38:08.476483 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: F 576:576(0) ack 2 win 8700 (DF)
> 21:38:08.487636 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: S 37096341:37096341(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:38:08.707417 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: . ack 2970750427 win 8700 (DF)
> 21:38:08.748068 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: P 0:598(598) ack 1 win 8700 (DF)
> 21:38:08.972939 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: . ack 2 win 8700 (DF)
> 21:38:08.979975 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: F 598:598(0) ack 2 win 8700 (DF)
> 21:39:13.625571 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: S 37161473:37161473(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:39:13.845464 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: . ack 3032043061 win 8700 (DF)
> 21:39:13.872779 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: P 0:387(387) ack 1 win 8700 (DF)
> 21:39:14.100144 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: . ack 2 win 8700 (DF)
> 21:39:14.106152 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: F 387:387(0) ack 2 win 8700 (DF)
> 21:39:16.023860 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: S 37163872:37163872(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:39:16.242764 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: . ack 3042588316 win 8700 (DF)
> 21:39:16.269286 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: P 0:387(387) ack 1 win 8700 (DF)
> 21:39:16.581271 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: P 387:782(395) ack 776 win 7925 (DF)
> 21:39:16.922738 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: . ack 1014 win 7687 (DF)
> 21:39:18.946823 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: P 782:1345(563) ack 1014 win 7687 (DF)
> 21:39:19.188314 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: . ack 1015 win 7687 (DF)
> 21:39:19.194848 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: F 1345:1345(0) ack 1015 win 7687 (DF)
> 21:39:19.199803 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: S 37167039:37167039(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:39:19.415637 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: . ack 3038803400 win 8700 (DF)
> 21:39:19.452681 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: P 0:563(563) ack 1 win 8700 (DF)
> 21:39:19.694223 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: . ack 2 win 8700 (DF)
> 21:39:19.699177 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: F 563:563(0) ack 2 win 8700 (DF)
> 21:39:19.710482 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: S 37167560:37167560(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:39:19.933014 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: . ack 3043294222 win 8700 (DF)
> 21:39:19.969801 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: P 0:585(585) ack 1 win 8700 (DF)
> 21:39:20.214276 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: . ack 2 win 8700 (DF)
> 21:39:20.219866 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: F 585:585(0) ack 2 win 8700 (DF)
>
> There is the tcpdump of one of the connections that caused the error
>
> --Mike
>
>
>
>
>
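The dump quoted above is client-to-server packets only, and the question in the thread is which of those connections hit the child that died. A short flow summarizer, added here as an example and not code posted by anyone in the thread, reads the classic tcpdump one-line format, groups packets by client port and reports, per connection, how many bytes the client pushed, how much server sequence space the client acknowledged, whether it retransmitted, and whether it ended with FIN or RST. The sample lines are a subset copied from the quoted dump; the reading of "ack 2" as a bare FIN relies only on the fact that a FIN consumes one sequence number.

```python
"""Per-connection summary of client-side tcpdump one-liners (added example).

Parses lines of the classic tcpdump summary format, client -> server only:
    21:37:23.379103 host.64084 > server.www: P 0:369(369) ack 1 win 8700 (DF)
SAMPLE below is a subset of the dump quoted in the thread.
"""
import re
from dataclasses import dataclass, field

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+): "
    r"(?P<flags>[SPFR.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)


def ts_seconds(ts):
    """'21:37:23.134773' -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Flow:
    sport: int
    first: float
    last: float
    syns: int = 0
    client_bytes: int = 0      # highest relative byte offset the client sent
    retransmits: int = 0       # data segments whose start offset was already seen
    server_units: int = 0      # highest relative ack - 1: server bytes, a FIN counts as 1
    end: str = "open"          # how the client finished: FIN, RST or open
    handshake_done: bool = False
    seen_starts: set = field(default_factory=set)


def summarize(lines):
    flows = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                       # not a client->server TCP summary line
        t, port = ts_seconds(m["ts"]), int(m["sport"])
        f = flows.get(port)
        if f is None:
            f = flows[port] = Flow(sport=port, first=t, last=t)
        f.last = t
        if "S" in m["flags"]:
            f.syns += 1                    # SYN shows an absolute seq and carries no data
            continue
        if m["ack"] is not None:
            if not f.handshake_done:
                f.handshake_done = True    # third handshake packet: absolute ack, skip it
            else:
                f.server_units = max(f.server_units, int(m["ack"]) - 1)
        if m["len"] is not None and int(m["len"]) > 0:
            start = int(m["seq"])
            if start in f.seen_starts:
                f.retransmits += 1
            f.seen_starts.add(start)
            f.client_bytes = max(f.client_bytes, int(m["end"]))
        if "R" in m["flags"]:
            f.end = "RST"
        elif "F" in m["flags"]:
            f.end = "FIN"
    return [flows[p] for p in sorted(flows)]


def no_response(f):
    """Request sent, but at most one unit of server sequence space came back:
    a bare FIN (or a single byte), i.e. the server closed without answering."""
    return f.client_bytes > 0 and f.server_units <= 1


def report(flows):
    return [f"port {f.sport}: syn={f.syns} sent={f.client_bytes}B acked={f.server_units} "
            f"units back, {f.end} after {f.last - f.first:.1f}s"
            + (f", retransmits={f.retransmits}" if f.retransmits else "")
            + ("  <-- no response from server" if no_response(f) else "")
            for f in flows]


SAMPLE = [  # copied from the dump quoted in the thread (two of the connections)
    "21:37:23.134773 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: S 37050989:37050989(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)",
    "21:37:23.353585 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . ack 2927164643 win 8700 (DF)",
    "21:37:23.379103 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 0:369(369) ack 1 win 8700 (DF)",
    "21:37:26.352057 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 0:369(369) ack 1 win 8700 (DF)",
    "21:37:27.875342 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 951:1346(395) ack 5901 win 7727 (DF)",
    "21:37:28.328372 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . ack 6139 win 7489 (DF)",
    "21:37:44.210618 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . ack 6140 win 7489 (DF)",
    "21:37:45.130847 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: R 37052336:37052336(0) win 0 (DF)",
    "21:37:55.324275 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: S 37080251:37080251(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)",
    "21:37:55.328301 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: S 37080251:37080251(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)",
    "21:37:55.547389 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: . ack 2965126357 win 8700 (DF)",
    "21:37:55.587683 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: P 0:619(619) ack 1 win 8700 (DF)",
    "21:37:55.591010 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: . ack 1 win 8700 (DF)",
    "21:37:55.876958 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: . ack 2 win 8700 (DF)",
    "21:37:55.882738 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: F 619:619(0) ack 2 win 8700 (DF)",
]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

Run it over a full client-side dump (`tcpdump -n 'dst port 80'` output) and the connections that pushed a request and got nothing but a close back stand out from the ones that received a page; those are the ones to line up against the child-death timestamps in error_log. The summarizer deliberately ignores server-side lines, so a bidirectional capture works too.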
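The error_log excerpt near the top of the thread shows seven children dying two seconds apart, which is the signature of a crash per request rather than an occasional bug. The following script, added here as an example and not code from the thread, groups "child pid N exit signal" notices into bursts so that a multi-day error_log can be reduced to "when, how many, which pids". The sample log holds the seven lines quoted in the thread plus two constructed lines (an ordinary startup notice and a lone segfault later that evening) so the windowing has something to separate.

```python
"""Find bursts of dying Apache children in an error_log (added example).

Reads error_log lines like
    [Sun Jun 23 18:05:57 2002] [notice] child pid 27126 exit signal Segmentation fault (11), ...
and groups deaths that follow each other within `window` seconds.
"""
import re
from datetime import datetime, timedelta

EXIT_SIGNAL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) exit signal "
    r"(?P<name>[A-Za-z ]+?) \((?P<num>\d+)\)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"     # Apache 1.3 error_log timestamp layout


def child_deaths(lines, signals=None):
    """(time, pid, signal number) for every child that exited on a signal,
    sorted by time; pass signals={11} to look only at segmentation faults."""
    deaths = []
    for line in lines:
        m = EXIT_SIGNAL.match(line)
        if m and (signals is None or int(m["num"]) in signals):
            deaths.append((datetime.strptime(m["ts"], TS_FORMAT), int(m["pid"]), int(m["num"])))
    return sorted(deaths)


def bursts(lines, window=10, min_count=3, signals=None):
    """Runs of child deaths where each one follows the previous within
    `window` seconds and the run holds at least `min_count` deaths."""
    runs, current = [], []
    for d in child_deaths(lines, signals):
        if current and d[0] - current[-1][0] > timedelta(seconds=window):
            if len(current) >= min_count:
                runs.append(current)
            current = []
        current.append(d)
    if len(current) >= min_count:
        runs.append(current)
    return runs


def describe(run):
    """Start time, size, duration and the pids of one burst."""
    span = (run[-1][0] - run[0][0]).total_seconds()
    return {"start": run[0][0].isoformat(sep=" "), "count": len(run),
            "span_seconds": span, "pids": [pid for _, pid, _ in run]}


SAMPLE_LOG = [  # seven lines quoted in the thread, plus two constructed ones
    "[Sun Jun 23 18:05:57 2002] [notice] child pid 27126 exit signal Segmentation fault (11), possible coredump in /usr/local/apache",
    "[Sun Jun 23 18:05:58 2002] [notice] Apache/1.3.26 (Unix) PHP/4.2.1 configured -- resuming normal operations",  # constructed
    "[Sun Jun 23 18:05:59 2002] [notice] child pid 27127 exit signal Segmentation fault (11), possible coredump in /usr/local/apache",
    "[Sun Jun 23 18:06:01 2002] [notice] child pid 27138 exit signal Segmentation fault (11), possible coredump in /usr/local/apache",
    "[Sun Jun 23 18:06:03 2002] [notice] child pid 27139 exit signal Segmentation fault (11), possible coredump in /usr/local/apache",
    "[Sun Jun 23 18:06:05 2002] [notice] child pid 27140 exit signal Segmentation fault (11), possible coredump in /usr/local/apache",
    "[Sun Jun 23 18:06:07 2002] [notice] child pid 27141 exit signal Segmentation fault (11), possible coredump in /usr/local/apache",
    "[Sun Jun 23 18:06:10 2002] [notice] child pid 27142 exit signal Segmentation fault (11), possible coredump in /usr/local/apache",
    "[Sun Jun 23 19:40:12 2002] [notice] child pid 28001 exit signal Segmentation fault (11), possible coredump in /usr/local/apache",  # constructed
]

if __name__ == "__main__":
    for run in bursts(SAMPLE_LOG):
        print(describe(run))
```

Once a burst is confirmed, the next thing to get is the core file the notice hints at: in Apache 1.3 the "possible coredump in ..." path is CoreDumpDirectory (ServerRoot unless set otherwise), the dying child runs as the configured User, so that directory has to be writable by that user, and the parent httpd must be started with a non-zero core size limit (`ulimit -c`), otherwise no core is ever written and there is nothing to open in gdb.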

