httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: Is it an attack or what?
Date Wed, 14 Aug 2002 08:18:00 GMT
I don't think this is any kind of attack - rather the "unclean shutdown" message indicates
that the SSL transaction did not complete. A normal sequence is:

- client requests server public key,
- server sends public key,
- client and server negotiate session cipher,
- client encrypts session key and sends it,
- server decrypts session key (using private key) 
- client and server now have SSL session key (SSL channel up)
- client sends encrypted request 
- server replies with encrypted response
- session over

If somewhere along the way the client or server process dies, you'll get an unclean shutdown.
Given the seg faults you see in the error_log, I'd guess that any apache daemon which gets
an SSL request is dying when it enters the mod_ssl area of code. Assuming you didn't hack
the mod_ssl or openssl code at some point, the most likely explanation would be a mismatch
of versions between apache, mod_ssl and openssl. Your apache and mod_ssl versions look OK,
but crucially, your openssl version got chopped off in the text below!

There was a security advisory regarding openssl a few days ago... Did you perhaps upgrade
the openssl libraries without recompiling apache?

Otherwise, does SSL access to your site work from any other client or is it just 12.252.233.13
which has the problem?

Rgds,

Owen Boyle

>-----Original Message-----
>From: Moshe Gurvich [mailto:moshe@kabbalah.com]
>Sent: Tuesday, 13 August 2002 20:06
>To: users@httpd.apache.org
>Subject: Is it an attack or what?
>
>
>Hi,
>Our website was down for 3 hours this morning and I saw in
>/var/log/httpd/access_log some weird thing that I have attached.
>
>Also, in /var/log/httpd/error_log there was this restart notice:
>
>------------8<-----------8<-----------8<-------------
>[Tue Aug 13 05:38:53 2002] [notice] child pid 31833 exit signal Segmentation fault (11)
>[Tue Aug 13 05:43:39 2002] [notice] child pid 31933 exit signal Segmentation fault (11)
>[Tue Aug 13 05:56:04 2002] [notice] child pid 32063 exit signal Segmentation fault (11)
>[Tue Aug 13 08:47:56 2002] [notice] Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/2mdk) PHP/4.2.1 mod_ssl/2.8.10 OpenSSL/0.9.
>[Tue Aug 13 08:47:56 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
>[Tue Aug 13 08:51:14 2002] [notice] child pid 1614 exit signal Segmentation fault (11)
>------------8<-----------8<-----------8<-------------
>
>Does anyone know what that means (attached file)?
>Is it some kind of SSL attack?
>
>Also, I have those segmentation faults all the time, why is
>this happening?
>
>Thank you for any info,
>
>M.
>
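
The following Python example is an addition to this archive page, not part of either message. It counts the child segfaults in the quoted error_log excerpt, checks whether they continue after the restart, and reads the component versions from the startup banner, flagging any that cannot be read in full (here the OpenSSL version that the reply notes was cut off). The function name `triage` and the result keys are illustrative; the sample input is the quoted log with the mail line-wrapping undone.

```python
import re

# Constructed sample: the error_log excerpt quoted in the message, with the
# mail client's line wrapping undone. The OpenSSL version is cut off as posted.
SAMPLE_LOG = """\
[Tue Aug 13 05:38:53 2002] [notice] child pid 31833 exit signal Segmentation fault (11)
[Tue Aug 13 05:43:39 2002] [notice] child pid 31933 exit signal Segmentation fault (11)
[Tue Aug 13 05:56:04 2002] [notice] child pid 32063 exit signal Segmentation fault (11)
[Tue Aug 13 08:47:56 2002] [notice] Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/2mdk) PHP/4.2.1 mod_ssl/2.8.10 OpenSSL/0.9.
[Tue Aug 13 08:47:56 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Tue Aug 13 08:51:14 2002] [notice] child pid 1614 exit signal Segmentation fault (11)
"""

PREFIX = r"^\[(?P<ts>[^\]]+)\] \[notice\] "
CRASH_RE = re.compile(PREFIX + r"child pid (?P<pid>\d+) exit signal (?P<sig>.+) \((?P<num>\d+)\)\s*$")
BANNER_RE = re.compile(PREFIX + r"(?P<banner>Apache\S*/.*)$")
TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)/(\S+)")      # product/version tokens
FULL_VERSION_RE = re.compile(r"\d+(?:\.\d+)+[a-z]*")   # e.g. 1.3.26, optional letter suffix


def triage(log_text):
    """Summarise child crashes and the component versions in the startup banner."""
    crashes, versions, since_restart = [], {}, 0
    for line in log_text.splitlines():
        crash = CRASH_RE.match(line)
        if crash:
            crashes.append((crash["ts"], int(crash["pid"]), int(crash["num"])))
            since_restart += 1
            continue
        banner = BANNER_RE.match(line)
        if banner:
            # A banner marks a (re)start: reset the counter and re-read versions.
            since_restart = 0
            text = re.sub(r"\([^)]*\)", " ", banner["banner"])  # drop "(Mandrake Linux/2mdk)"
            versions = dict(TOKEN_RE.findall(text))
    unreadable = sorted(n for n, v in versions.items() if not FULL_VERSION_RE.fullmatch(v))
    return {
        "segfaults": sum(1 for c in crashes if c[2] == 11),
        "crashes_since_restart": since_restart,
        "versions": versions,
        "unreadable_versions": unreadable,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-zero `crashes_since_restart` means the children keep dying after a clean start, which fits a build or library problem better than a one-off event.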
