httpd-users mailing list archives

From Mike Roest <ht...@blahz.ab.ca>
Subject Re: 1.3.26 Exploit? or something I'm overlooking
Date Mon, 24 Jun 2002 03:58:15 GMT
Mike Roest wrote:

> Hello,
>    I have recently upgraded to 1.3.26 to fix the reported security 
> hole in 1.3.24.  The weirdest thing is that I am still getting error 
> messages like the following in my error_log:
>
> [Sun Jun 23 18:05:57 2002] [notice] child pid 27126 exit signal 
> Segmentation fault (11), possible coredump in /usr/local/apache
> [Sun Jun 23 18:05:59 2002] [notice] child pid 27127 exit signal 
> Segmentation fault (11), possible coredump in /usr/local/apache
> [Sun Jun 23 18:06:01 2002] [notice] child pid 27138 exit signal 
> Segmentation fault (11), possible coredump in /usr/local/apache
> [Sun Jun 23 18:06:03 2002] [notice] child pid 27139 exit signal 
> Segmentation fault (11), possible coredump in /usr/local/apache
> [Sun Jun 23 18:06:05 2002] [notice] child pid 27140 exit signal 
> Segmentation fault (11), possible coredump in /usr/local/apache
> [Sun Jun 23 18:06:07 2002] [notice] child pid 27141 exit signal 
> Segmentation fault (11), possible coredump in /usr/local/apache
> [Sun Jun 23 18:06:10 2002] [notice] child pid 27142 exit signal 
> Segmentation fault (11), possible coredump in /usr/local/apache
>
> I have attempted to get a tcpdump of the web transaction that happens 
> right before this error shows up but I lost the one that I was able to 
> grab.  I am continuing to run tcpdump in case it happens again (which 
> it most likely will as it's been happening a few times a day for the 
> last couple days since I upgraded).
>
> http://myip/server-info gives the following info
>
> Server Version: Apache/1.3.26 (Unix) PHP/4.2.1 mod_gzip/1.3.19.1a
> Server Built: Jun 21 2002 22:14:40
> API Version: 19990320:13
> Run Mode: standalone
> User/Group: apache(48)/233
> Daemons: start: 5    min idle: 5    max idle: 10    max: 150
> Max Requests: per child: 0    keep alive: on    max per connection: 100
> Threads: per child: 0   Excess requests: per child: 0   Timeouts: 
> connection: 300    keep-alive: 15
> Server Root: /usr/local/apache
> Config File: conf/httpd.conf
> PID File: /usr/local/apache/logs/httpd.pid
> Scoreboard File: /usr/local/apache/logs/httpd.scoreboard
>
> I have tried using the mod_blowchunks that was posted to bugtraq and 
> it catches the 1.3.24 chunk request errors, but it doesn't catch this 
> error when it happens.
>
> The result when this happens is like the 1.3.24 exploit.  My Apache 
> becomes unresponsive and my process list shows many httpd <dfunc>.
>
> Has anyone seen this with 1.3.26???  Or should I be sending this in as 
> a possible 1.3.26 exploit?
>
> --Mike
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
21:37:23.134773 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: S 
37050989:37050989(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:37:23.353585 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . 
ack 2927164643 win 8700 (DF)
21:37:23.379103 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 
0:369(369) ack 1 win 8700 (DF)
21:37:26.352057 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 
0:369(369) ack 1 win 8700 (DF)
21:37:26.862303 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 
369:616(247) ack 578 win 8123 (DF)
21:37:27.179720 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . 
ack 3478 win 8700 (DF)
21:37:27.334743 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . 
ack 4928 win 8700 (DF)
21:37:27.515695 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 
616:951(335) ack 5000 win 8628 (DF)
21:37:27.875342 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: P 
951:1346(395) ack 5901 win 7727 (DF)
21:37:28.328372 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . 
ack 6139 win 7489 (DF)
21:37:44.210618 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: . 
ack 6140 win 7489 (DF)
21:37:45.130847 pD9540771.dip.t-dialin.net.64084 > my.machine.com.www: R 
37052336:37052336(0) win 0 (DF)
21:37:55.324275 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: S 
37080251:37080251(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:37:55.328301 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: S 
37080251:37080251(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:37:55.547389 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: . 
ack 2965126357 win 8700 (DF)
21:37:55.587683 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: P 
0:619(619) ack 1 win 8700 (DF)
21:37:55.591010 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: . 
ack 1 win 8700 (DF)
21:37:55.876958 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: . 
ack 2 win 8700 (DF)
21:37:55.882738 pD9540771.dip.t-dialin.net.64093 > my.machine.com.www: F 
619:619(0) ack 2 win 8700 (DF)
21:37:55.893706 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: S 
37083752:37083752(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:37:56.152285 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: . 
ack 2968100435 win 8700 (DF)
21:37:56.195127 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: P 
0:641(641) ack 1 win 8700 (DF)
21:37:56.417005 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: . 
ack 2 win 8700 (DF)
21:37:56.421981 pD9540771.dip.t-dialin.net.64094 > my.machine.com.www: F 
641:641(0) ack 2 win 8700 (DF)
21:38:01.570651 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: S 
37089423:37089423(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:38:01.795484 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: . 
ack 2973152539 win 8700 (DF)
21:38:01.822845 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: P 
0:387(387) ack 1 win 8700 (DF)
21:38:02.224006 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: . 
ack 776 win 7925 (DF)
21:38:07.709122 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: P 
387:963(576) ack 776 win 7925 (DF)
21:38:07.955032 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: . 
ack 777 win 7925 (DF)
21:38:07.959998 pD9540771.dip.t-dialin.net.64095 > my.machine.com.www: F 
963:963(0) ack 777 win 7925 (DF)
21:38:07.966074 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: S 
37095810:37095810(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:38:08.182789 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: . 
ack 2978118703 win 8700 (DF)
21:38:08.218719 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: P 
0:576(576) ack 1 win 8700 (DF)
21:38:08.469728 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: . 
ack 2 win 8700 (DF)
21:38:08.476483 pD9540771.dip.t-dialin.net.64096 > my.machine.com.www: F 
576:576(0) ack 2 win 8700 (DF)
21:38:08.487636 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: S 
37096341:37096341(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:38:08.707417 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: . 
ack 2970750427 win 8700 (DF)
21:38:08.748068 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: P 
0:598(598) ack 1 win 8700 (DF)
21:38:08.972939 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: . 
ack 2 win 8700 (DF)
21:38:08.979975 pD9540771.dip.t-dialin.net.64097 > my.machine.com.www: F 
598:598(0) ack 2 win 8700 (DF)
21:39:13.625571 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: S 
37161473:37161473(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:39:13.845464 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: . 
ack 3032043061 win 8700 (DF)
21:39:13.872779 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: P 
0:387(387) ack 1 win 8700 (DF)
21:39:14.100144 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: . 
ack 2 win 8700 (DF)
21:39:14.106152 pD9540771.dip.t-dialin.net.64127 > my.machine.com.www: F 
387:387(0) ack 2 win 8700 (DF)
21:39:16.023860 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: S 
37163872:37163872(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:39:16.242764 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: . 
ack 3042588316 win 8700 (DF)
21:39:16.269286 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: P 
0:387(387) ack 1 win 8700 (DF)
21:39:16.581271 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: P 
387:782(395) ack 776 win 7925 (DF)
21:39:16.922738 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: . 
ack 1014 win 7687 (DF)
21:39:18.946823 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: P 
782:1345(563) ack 1014 win 7687 (DF)
21:39:19.188314 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: . 
ack 1015 win 7687 (DF)
21:39:19.194848 pD9540771.dip.t-dialin.net.64128 > my.machine.com.www: F 
1345:1345(0) ack 1015 win 7687 (DF)
21:39:19.199803 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: S 
37167039:37167039(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:39:19.415637 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: . 
ack 3038803400 win 8700 (DF)
21:39:19.452681 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: P 
0:563(563) ack 1 win 8700 (DF)
21:39:19.694223 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: . 
ack 2 win 8700 (DF)
21:39:19.699177 pD9540771.dip.t-dialin.net.64130 > my.machine.com.www: F 
563:563(0) ack 2 win 8700 (DF)
21:39:19.710482 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: S 
37167560:37167560(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:39:19.933014 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: . 
ack 3043294222 win 8700 (DF)
21:39:19.969801 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: P 
0:585(585) ack 1 win 8700 (DF)
21:39:20.214276 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: . 
ack 2 win 8700 (DF)
21:39:20.219866 pD9540771.dip.t-dialin.net.64131 > my.machine.com.www: F 
585:585(0) ack 2 win 8700 (DF)

There is the tcpdump of one of the connections that caused the error.

--Mike
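
An added example, not part of the original message: a small Python triage helper for a one-directional tcpdump capture like the one posted above. It rejoins mail-wrapped packet lines and reports, per client port, the payload bytes sent, repeated segments, and whether the flow ended with FIN or RST. The hostnames and the SAMPLE data are constructed, and the regex assumes the tcpdump header format shown in the message.

```python
import re

# Header format as in the capture: time src.port > dst.port: flags [first:last(len)] ...
PKT = re.compile(r"(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+\.(?P<sport>\d+) > \S+: "
                 r"(?P<flags>[SFPR.]+)(?: (?P<first>\d+):(?P<last>\d+)\((?P<len>\d+)\))?")

# Constructed sample in the capture's format (placeholder hostnames), mail-wrapped.
SAMPLE = """\
21:37:23.134773 client.example.64084 > server.example.www: S
37050989:37050989(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:37:23.379103 client.example.64084 > server.example.www: P
0:369(369) ack 1 win 8700 (DF)
21:37:26.352057 client.example.64084 > server.example.www: P
0:369(369) ack 1 win 8700 (DF)
21:37:45.130847 client.example.64084 > server.example.www: R
37052336:37052336(0) win 0 (DF)
21:37:55.324275 client.example.64093 > server.example.www: S
37080251:37080251(0) win 8192 <mss 1450,nop,nop,sackOK> (DF)
21:37:55.587683 client.example.64093 > server.example.www: P
0:619(619) ack 1 win 8700 (DF)
21:37:55.882738 client.example.64093 > server.example.www: F
619:619(0) ack 2 win 8700 (DF)
"""

def unwrap(text):
    """Rejoin packets that mail wrapping split: a new packet starts with a timestamp."""
    joined = re.sub(r"\s*\n(?!\d\d:\d\d:\d\d\.\d+ )", " ", text.strip())
    return joined.splitlines()

def summarize(text):
    """Per client port: payload bytes sent, retransmitted segments, how it closed."""
    flows = {}
    for m in filter(None, map(PKT.match, unwrap(text))):
        f = flows.setdefault(m["sport"], {"bytes": 0, "retransmits": 0,
                                          "close": "open", "segments": set()})
        flags, seg = m["flags"], m.group("flags", "first", "last")
        if m["first"] and ("S" in flags or int(m["len"]) > 0):
            f["retransmits"] += seg in f["segments"]  # same flags and range seen before
            f["segments"].add(seg)
        if m["first"] and not set("SR") & set(flags):
            f["bytes"] = max(f["bytes"], int(m["last"]))  # relative seq = bytes sent
        if "R" in flags or ("F" in flags and f["close"] == "open"):
            f["close"] = "RST" if "R" in flags else "FIN"
    return flows

if __name__ == "__main__":
    for port, f in summarize(SAMPLE).items():
        print(f"port {port}: {f['bytes']} bytes, {f['retransmits']} repeat(s), closed by {f['close']}")
```

A flow that repeats a data segment and then ends in RST rather than FIN is the one to line up against the segfault timestamps in error_log.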


