httpd-users mailing list archives

From Jeff Beard <j...@cyberxape.com>
Subject RE: 1.3.26 Exploit? or something I'm overlooking
Date Mon, 24 Jun 2002 14:25:58 GMT
According to what I've read on bugtraq, that's symptomatic of
a chunk encoding exploit: syslog notices and nothing in the
Apache logs.

The snort folks have added a signature for chunking exploits
if you want to try a different packet sniffer (www.snort.org).

--Jeff

On Sun, 23 Jun 2002, Mike Roest wrote:

> The weird thing is there are no logs of the requests which leads me to
> believe he's trying something similar to the chunk exploit.  This case
> there was more than one connection.  In the previous case there was
> only one connection made to the box that made the child processes fail
> over and over again.  I think I will send this to the security email in
> the morning as I think there are some leftovers of the chunk bug still
> in 1.3.26.
>
> --Mike
>
> -----Original Message-----
> From: mike [mailto:ruler@isolate.net]
> Sent: Sunday, June 23, 2002 10:25 PM
> To: users@httpd.apache.org
> Subject: Re: 1.3.26 Exploit? or something I'm overlooking
>
>
> Is he requesting the same URL over and over? If he is, he may be trying
> to use the chunk exploit on your server, and could be a bug in 1.3.26
> that is causing your server to crash.  Is there a core file? Perhaps
> debugging will lead you to an answer.
>
> Thanks.

--
Jeff Beard | Systems Architect, Programmer, Sysadmin
Contact    | jeff at cyberxape dot com, 303.443.9339
Location   | In front of the computer, Boulder, CO, USA
