httpd-users mailing list archives

From "mike" <ru...@isolate.net>
Subject Re: 1.3.26 Exploit? or something I'm overlooking
Date Mon, 24 Jun 2002 04:24:33 GMT
Is he requesting the same URL over and over? If he is, he may be trying to
use the chunk exploit on your server, and it could be a bug in 1.3.26 that is
causing your server to crash. Is there a core file? Perhaps debugging will
lead you to an answer.

Thanks.
----- Original Message -----
From: "Mike Roest" <httpd@blahz.ab.ca>
To: <users@httpd.apache.org>
Sent: Sunday, June 23, 2002 11:58 PM
Subject: Re: 1.3.26 Exploit? or something I'm overlooking


> Mike Roest wrote:
>
> > Hello,
> >    I have recently upgraded to 1.3.26 to fix the reported security
> > hole in 1.3.24.  The weirdest thing is that I am still getting error
> > messages like the following in my error_log:
> >
> > [Sun Jun 23 18:05:57 2002] [notice] child pid 27126 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:05:59 2002] [notice] child pid 27127 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:06:01 2002] [notice] child pid 27138 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:06:03 2002] [notice] child pid 27139 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:06:05 2002] [notice] child pid 27140 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:06:07 2002] [notice] child pid 27141 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> > [Sun Jun 23 18:06:10 2002] [notice] child pid 27142 exit signal
> > Segmentation fault (11), possible coredump in /usr/local/apache
> >
> > I have attempted to get a tcpdump of the web transaction that happens
> > right before this error shows up but I lost the one that I was able to
> > grab.  I am continuing to run tcpdump in case it happens again (which
> > it most likely will, as it's been happening a few times a day for the
> > last couple of days since I upgraded).
> >
> > http://myip/server-info gives the following info
> >
> > Server Version: Apache/1.3.26 (Unix) PHP/4.2.1 mod_gzip/1.3.19.1a
> > Server Built: Jun 21 2002 22:14:40
> > API Version: 19990320:13
> > Run Mode: standalone
> > User/Group: apache(48)/233
> > Daemons: start: 5    min idle: 5    max idle: 10    max: 150
> > Max Requests: per child: 0    keep alive: on    max per connection: 100
> > Threads: per child: 0   Excess requests: per child: 0   Timeouts:
> > connection: 300    keep-alive: 15
> > Server Root: /usr/local/apache
> > Config File: conf/httpd.conf
> > PID File: /usr/local/apache/logs/httpd.pid
> > Scoreboard File: /usr/local/apache/logs/httpd.scoreboard
> >
> > I have tried using the mod_blowchunks that was posted to bugtraq and
> > it catches the 1.3.24 chunk request errors, but it doesn't catch this
> > error when it happens.
> >
> > The result when this happens is like the 1.3.24 exploit.  My Apache
> > becomes unresponsive and my process list shows many httpd <dfunc>.
> >
> > Has anyone seen this with 1.3.26???  Or should I be sending this in as
> > a possible 1.3.26 exploit?
> >
> > --Mike
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> 21:37:23.134773 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: S
> 37050989:37050989(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:37:23.353585 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: .
> ack 2927164643 win 8700 (DF)
> 21:37:23.379103 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P
> 0:369(369) ack 1 win 8700 (DF)
> 21:37:26.352057 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P
> 0:369(369) ack 1 win 8700 (DF)
> 21:37:26.862303 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P
> 369:616(247) ack 578 win 8123 (DF)
> 21:37:27.179720 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: .
> ack 3478 win 8700 (DF)
> 21:37:27.334743 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: .
> ack 4928 win 8700 (DF)
> 21:37:27.515695 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P
> 616:951(335) ack 5000 win 8628 (DF)
> 21:37:27.875342 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P
> 951:1346(395) ack 5901 win 7727 (DF)
> 21:37:28.328372 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: .
> ack 6139 win 7489 (DF)
> 21:37:44.210618 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: .
> ack 6140 win 7489 (DF)
> 21:37:45.130847 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: R
> 37052336:37052336(0) win 0 (DF)
> 21:37:55.324275 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: S
> 37080251:37080251(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:37:55.328301 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: S
> 37080251:37080251(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:37:55.547389 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: .
> ack 2965126357 win 8700 (DF)
> 21:37:55.587683 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: P
> 0:619(619) ack 1 win 8700 (DF)
> 21:37:55.591010 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: .
> ack 1 win 8700 (DF)
> 21:37:55.876958 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: .
> ack 2 win 8700 (DF)
> 21:37:55.882738 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: F
> 619:619(0) ack 2 win 8700 (DF)
> 21:37:55.893706 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: S
> 37083752:37083752(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:37:56.152285 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: .
> ack 2968100435 win 8700 (DF)
> 21:37:56.195127 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: P
> 0:641(641) ack 1 win 8700 (DF)
> 21:37:56.417005 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: .
> ack 2 win 8700 (DF)
> 21:37:56.421981 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: F
> 641:641(0) ack 2 win 8700 (DF)
> 21:38:01.570651 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: S
> 37089423:37089423(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:38:01.795484 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: .
> ack 2973152539 win 8700 (DF)
> 21:38:01.822845 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: P
> 0:387(387) ack 1 win 8700 (DF)
> 21:38:02.224006 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: .
> ack 776 win 7925 (DF)
> 21:38:07.709122 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: P
> 387:963(576) ack 776 win 7925 (DF)
> 21:38:07.955032 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: .
> ack 777 win 7925 (DF)
> 21:38:07.959998 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: F
> 963:963(0) ack 777 win 7925 (DF)
> 21:38:07.966074 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: S
> 37095810:37095810(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:38:08.182789 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: .
> ack 2978118703 win 8700 (DF)
> 21:38:08.218719 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: P
> 0:576(576) ack 1 win 8700 (DF)
> 21:38:08.469728 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: .
> ack 2 win 8700 (DF)
> 21:38:08.476483 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: F
> 576:576(0) ack 2 win 8700 (DF)
> 21:38:08.487636 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: S
> 37096341:37096341(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:38:08.707417 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: .
> ack 2970750427 win 8700 (DF)
> 21:38:08.748068 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: P
> 0:598(598) ack 1 win 8700 (DF)
> 21:38:08.972939 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: .
> ack 2 win 8700 (DF)
> 21:38:08.979975 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: F
> 598:598(0) ack 2 win 8700 (DF)
> 21:39:13.625571 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: S
> 37161473:37161473(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:39:13.845464 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: .
> ack 3032043061 win 8700 (DF)
> 21:39:13.872779 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: P
> 0:387(387) ack 1 win 8700 (DF)
> 21:39:14.100144 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: .
> ack 2 win 8700 (DF)
> 21:39:14.106152 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: F
> 387:387(0) ack 2 win 8700 (DF)
> 21:39:16.023860 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: S
> 37163872:37163872(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:39:16.242764 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: .
> ack 3042588316 win 8700 (DF)
> 21:39:16.269286 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: P
> 0:387(387) ack 1 win 8700 (DF)
> 21:39:16.581271 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: P
> 387:782(395) ack 776 win 7925 (DF)
> 21:39:16.922738 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: .
> ack 1014 win 7687 (DF)
> 21:39:18.946823 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: P
> 782:1345(563) ack 1014 win 7687 (DF)
> 21:39:19.188314 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: .
> ack 1015 win 7687 (DF)
> 21:39:19.194848 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: F
> 1345:1345(0) ack 1015 win 7687 (DF)
> 21:39:19.199803 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: S
> 37167039:37167039(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:39:19.415637 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: .
> ack 3038803400 win 8700 (DF)
> 21:39:19.452681 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: P
> 0:563(563) ack 1 win 8700 (DF)
> 21:39:19.694223 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: .
> ack 2 win 8700 (DF)
> 21:39:19.699177 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: F
> 563:563(0) ack 2 win 8700 (DF)
> 21:39:19.710482 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: S
> 37167560:37167560(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
> 21:39:19.933014 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: .
> ack 3043294222 win 8700 (DF)
> 21:39:19.969801 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: P
> 0:585(585) ack 1 win 8700 (DF)
> 21:39:20.214276 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: .
> ack 2 win 8700 (DF)
> 21:39:20.219866 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: F
> 585:585(0) ack 2 win 8700 (DF)
>
> There is the tcpdump of one of the connections that caused the error.
>
> --Mike
>


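Added example, not part of the original thread: one way to quantify the crash pattern in the error_log excerpt above is to parse the child-exit notices and flag runs of closely spaced segfaults. The 10-second gap, the threshold of 5, the function names and the sample log text are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Notice the Apache 1.3 parent writes when a child dies on a signal.
CRASH_RE = re.compile(
    r"\[(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] \[notice\] "
    r"child pid (?P<pid>\d+) exit signal (?P<sig>.+?) \((?P<num>\d+)\)"
)

def parse_crashes(log_text):
    """Return sorted (timestamp, pid, signal_number) tuples for child-crash notices."""
    # Collapse whitespace first so entries wrapped by a mail client still match.
    flat = " ".join(log_text.split())
    return sorted(
        (datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), int(m["pid"]), int(m["num"]))
        for m in CRASH_RE.finditer(flat)
    )

def find_bursts(crashes, max_gap=timedelta(seconds=10), threshold=5):
    """Cluster crashes separated by <= max_gap; report clusters of >= threshold."""
    runs, run = [], []
    for entry in crashes:
        if run and entry[0] - run[-1][0] > max_gap:
            runs.append(run)
            run = []
        run.append(entry)
    if run:
        runs.append(run)
    return [
        {"start": r[0][0], "end": r[-1][0], "count": len(r), "pids": [e[1] for e in r]}
        for r in runs if len(r) >= threshold
    ]

# Constructed sample: an isolated crash, an unrelated error, then a burst that
# follows the format and two-second spacing of the error_log excerpt in the post.
SAMPLE = """\
[Sun Jun 23 09:12:40 2002] [notice] child pid 25001 exit signal Segmentation fault (11)
[Sun Jun 23 18:05:50 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/x
[Sun Jun 23 18:05:57 2002] [notice] child pid 27126 exit signal
Segmentation fault (11), possible coredump in /usr/local/apache
[Sun Jun 23 18:05:59 2002] [notice] child pid 27127 exit signal Segmentation fault (11)
[Sun Jun 23 18:06:01 2002] [notice] child pid 27138 exit signal Segmentation fault (11)
[Sun Jun 23 18:06:03 2002] [notice] child pid 27139 exit signal Segmentation fault (11)
[Sun Jun 23 18:06:05 2002] [notice] child pid 27140 exit signal Segmentation fault (11)
"""

if __name__ == "__main__":
    for b in find_bursts(parse_crashes(SAMPLE)):
        print(f"{b['count']} child crashes {b['start']} -> {b['end']} pids={b['pids']}")
```

The start and end times of each reported burst give the window to search in access_log or a packet capture for the requests that preceded the crashes.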