httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mike Roest" <>
Subject RE: 1.3.26 Exploit? or something I'm overlooking
Date Mon, 24 Jun 2002 14:30:53 GMT
Yeah I actually have snort running and added the rule posted there and
it's not catching what's happening.  I seem to have stopped it from
happening because I haven't had it happen again since the one last
night.  I've kernel level blocked out the IP's that I was catching doing
it and it seems to have done it for now.  But who knows.


-----Original Message-----
From: Jeff Beard [] 
Sent: Monday, June 24, 2002 8:26 AM
Subject: RE: 1.3.26 Exploit? or something I'm overlooking

According to what I've read on bugtraq, that's symptomatic of
a chunk encoding exploit: syslog notices and nothing in the
Apache logs.

The snort folks have added a signature for chunking exploits
if want to try a different packet sniffer (


On Sun, 23 Jun 2002, Mike Roest wrote:

> The weird thing is there are no logs of the requests which leads me to
> believe he's trying something similar to the chunk exploit.  This case
> there was more then one conneciton.  In the previouse case there was
> only one connection made to the box that made the child processes fail
> over and over again.  I think I will send this to the security email
> the morning as I think there are some left overs of the chunk bug
> in 1.3.26.
> --Mike
> -----Original Message-----
> From: mike []
> Sent: Sunday, June 23, 2002 10:25 PM
> To:
> Subject: Re: 1.3.26 Exploit? or something I'm overlooking
> Is he requesting the same URL over and over? If he is, he may be
> to
> use the chunk exploit on your server, and could be a bug in 1.3.26
> is
> causing your server to crash.  Is there a core file? Perhaps debugging
> will
> lead you to an answer.
> Thanks.

Jeff Beard | Systems Architect, Programmer, Sysadmin
Contact    | jeff at cyberxape dot com, 303.443.9339
Location   | In front of the computer, Boulder, CO, USA

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message