httpd-users mailing list archives

From "Moshe Gurvich" <mo...@kabbalah.com>
Subject Re: Is it an attack or what?
Date Wed, 14 Aug 2002 08:27:24 GMT
I don't have a problem with Apache and SSL - everything works fine, but this
morning from 5:47 to 8:47 there was a gap in service and that's what I found
in the logs.

As I could see only 12.252.233.13 made this reaction in logs...

I have OpenSSL/0.9.6d and yes, I installed it without recompiling Apache,
because I'm installing all of them with RPMs.
Should I reinstall the Apache RPM?

I upgraded following the security advisory about OpenSSL.

Btw, what can you say about
http://www.theregister.co.uk/content/4/26620.html ?

Thank you
----- Original Message -----
From: "Boyle Owen" <Owen.Boyle@swx.com>
To: <users@httpd.apache.org>
Sent: Wednesday, August 14, 2002 1:18 AM
Subject: RE: Is it an attack or what?


I don't think this is any kind of attack - rather the "unclean shutdown"
message indicates that the SSL transaction did not complete. A normal
sequence is:

- client requests server public key,
- server sends public key,
- client and server negotiate session cipher,
- client encrypts session key and sends it,
- server decrypts session key (using private key)
- client and server now have SSL session key (SSL channel up)
- client sends encrypted request
- server replies with encrypted response
- session over

If somewhere along the way the client or server process dies, you'll get an
unclean shutdown. Given the seg faults you see in the error_log, I'd guess
that any apache daemon which gets an SSL request is dying when it enters the
mod_ssl area of code. Assuming you didn't hack the mod_ssl or openssl code
at some point, the most likely explanation would be a mismatch of versions
between apache, mod_ssl and openssl. Your apache and mod_ssl version look
OK, but crucially, your openssl version got chopped off in the text below!

There was a security advisory regarding openssl a few days ago... Did you
perhaps upgrade the openssl libraries without recompiling apache?

Otherwise, does SSL access to your site work from any other client or is it
just 12.252.233.13 which has the problem?

Rgds,

Owen Boyle

>-----Original Message-----
>From: Moshe Gurvich [mailto:moshe@kabbalah.com]
>Sent: Tuesday, 13 August 2002 20:06
>To: users@httpd.apache.org
>Subject: Is it an attack or what?
>
>
>Hi,
>Our website was down for 3 hours this morning and I saw in
>/var/log/httpd/access_log some weird thing that I have attached.
>
>Also, in /var/log/httpd/error_log there was this restart notice:
>
>------------8<-----------8<-----------8<-------------
>[Tue Aug 13 05:38:53 2002] [notice] child pid 31833 exit signal Segmentation fault (11)
>[Tue Aug 13 05:43:39 2002] [notice] child pid 31933 exit signal Segmentation fault (11)
>[Tue Aug 13 05:56:04 2002] [notice] child pid 32063 exit signal Segmentation fault (11)
>[Tue Aug 13 08:47:56 2002] [notice] Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/2mdk) PHP/4.2.1 mod_ssl/2.8.10 OpenSSL/0.9.
>[Tue Aug 13 08:47:56 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
>[Tue Aug 13 08:51:14 2002] [notice] child pid 1614 exit signal Segmentation fault (11)
>------------8<-----------8<-----------8<-------------
>
>Does anyone know what that means (attached file)?
>Is it some kind of SSL attack?
>
>Also, I have those segmentation faults all the time, why is
>this happening?
>
>Thank you for any info,
>
>M.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
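
A triage sketch for the error_log excerpt quoted in this thread, added here as an example and not part of the original messages: it counts child crashes, reads the component versions from the startup banner, flags a version string that is cut off, and lists crashes that recur after the restart. The function and variable names are assumptions; the sample lines are the ones quoted above with the mail wrapping undone.

```python
import re
from datetime import datetime

# Lines from the error_log excerpt quoted in the thread, with mail wrapping undone.
SAMPLE_LOG = """\
[Tue Aug 13 05:38:53 2002] [notice] child pid 31833 exit signal Segmentation fault (11)
[Tue Aug 13 05:43:39 2002] [notice] child pid 31933 exit signal Segmentation fault (11)
[Tue Aug 13 05:56:04 2002] [notice] child pid 32063 exit signal Segmentation fault (11)
[Tue Aug 13 08:47:56 2002] [notice] Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/2mdk) PHP/4.2.1 mod_ssl/2.8.10 OpenSSL/0.9.
[Tue Aug 13 08:47:56 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Tue Aug 13 08:51:14 2002] [notice] child pid 1614 exit signal Segmentation fault (11)
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CRASH = re.compile(r"child pid (\d+) exit signal (.+?) \((\d+)\)")
PRODUCT = re.compile(r"([A-Za-z][\w-]*)/([^\s)]+)")  # name/version tokens in the banner


def analyze(text):
    """Return (crashes, banner versions, truncated components, crashes after last start)."""
    crashes, banner, started = [], {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        crash = CRASH.search(m["msg"])
        if crash:
            crashes.append({"time": ts, "pid": int(crash[1]), "signal": int(crash[3])})
        elif "mod_ssl/" in m["msg"]:  # startup banner listing component versions
            banner, started = dict(PRODUCT.findall(m["msg"])), ts
    # A version ending in "." was cut off, so the component cannot be matched to a release.
    truncated = [name for name, ver in banner.items() if ver.endswith(".")]
    # Crashes after the most recent start show the fault survived the restart.
    after = [c for c in crashes if started and c["time"] > started]
    return crashes, banner, truncated, after


if __name__ == "__main__":
    crashes, banner, truncated, after = analyze(SAMPLE_LOG)
    print(f"{len(crashes)} child crashes, {len(after)} after the last start")
    print("banner:", banner)
    print("truncated versions:", truncated)
```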





