From: Noel Butler
To: users@httpd.apache.org
Date: Mon, 13 Feb 2012 09:12:00 +1000
Subject: Re: [users@httpd] w00t and Dfind web scanner
Message-ID: <1329088320.7582.17.camel@tardis>
In-Reply-To: <4F380CAC.90301@yahoo.es>

On Sun, 2012-02-12 at 20:02 +0100, Miguel González Castaños wrote:
> Dear all,
>
> I'm the system admin of a web server and I found these errors in my
> apache logs:
>
> [Tue Feb 07 10:35:08 2012] [warn] (43)Identifier removed: Failed to release SSL session cache lock
> [Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to acquire SSL session cache lock
> [Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to release SSL session cache lock
> [Tue Feb 07 10:36:05 2012] [warn] child process 21599 still did not exit, sending a SIGTERM
> [Tue Feb 07 10:36:06 2012] [notice] caught SIGTERM, shutting down
>
> also some traces of Dfind web scanner:
>
> [Mon Feb 06 05:54:01 2012] [error] [client 88.46.75.27] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

Wouldn't worry too much, the world is full of scan scripts, both good, and some bad.

> I have added a rule into my iptables to block this and so far so good
>
> However I don't know how these "failed to release SSL session cache
> lock" managed to bring my apache server down and if they are somehow
> related to these Dfind scans.

What OS, kernel, httpd version?
If linux, /var/log/messages|kernel_log|daemon_log can also often give some indication of problems.
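An added example, not part of the original thread: one way to check from the error log alone whether the DFind probe and the SSL session cache lock warnings are close in time. The input is the log lines quoted above with their wrapped lines rejoined; the function names and the 300-second window are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed input: the error_log lines quoted in the thread, wrapped lines rejoined.
SAMPLE_LOG = """\
[Mon Feb 06 05:54:01 2012] [error] [client 88.46.75.27] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Feb 07 10:35:08 2012] [warn] (43)Identifier removed: Failed to release SSL session cache lock
[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to acquire SSL session cache lock
[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to release SSL session cache lock
[Tue Feb 07 10:36:05 2012] [warn] child process 21599 still did not exit, sending a SIGTERM
[Tue Feb 07 10:36:06 2012] [notice] caught SIGTERM, shutting down
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

def classify(msg):
    """Label a message; the substrings come from the quoted log lines."""
    if "w00tw00t" in msg:
        return "scan"
    if "SSL session cache lock" in msg:
        return "ssl_lock"
    return "shutdown" if "SIGTERM" in msg else "other"

def parse(log_text):
    """Return (timestamp, kind, client) tuples for every parsable line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, classify(m["msg"]), m["client"]))
    return sorted(events, key=lambda e: e[0])

def correlate(log_text, window_s=300):
    """Gap between the first lock warning and the latest scan before it."""
    events = parse(log_text)
    locks = [e for e in events if e[1] == "ssl_lock"]
    if not locks:
        return None
    first_lock = locks[0][0]
    scans = [e for e in events if e[1] == "scan" and e[0] <= first_lock]
    if not scans:
        return {"first_lock": first_lock, "gap_s": None, "client": None, "near": False}
    ts, _, client = scans[-1]
    gap = int((first_lock - ts).total_seconds())
    return {"first_lock": first_lock, "gap_s": gap, "client": client, "near": gap <= window_s}
```

On the quoted lines, `correlate(SAMPLE_LOG)` reports a gap of 103267 seconds between the probe from 88.46.75.27 and the first lock warning, so `near` is False for this excerpt.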