Re: New worm segfaults apache

From: Sean Chittenden (sean-securityfocus-incidentsat_private)
Date: Wed Sep 19 2001 - 02:23:17 PDT


    > We're presently experiencing the same behavior on FreeBSD 4.3 with Apache
    > 1.3.20 mod_ssl/2.8.4 OpenSSL/0.9.6b.  It seems to be load related: we have
    > several other boxes on the network with the same config/versions, but that
    > are much lower load and aren't experiencing the segfaults.  For reference,
    > the one that IS having problems is serving 3.29 requests/sec - 17.0
    > kB/second - 5.2 kB/request.  The normal load is about 1.7 requests/sec.
    > 
    > Any ideas on what's causing this, or a good way to track/truss the child
    > process to see what it's doing when it dies?
    
    Dime to dollar this is bad hardware and not something that's triggering a
    hidden and previously unknown bug in Apache or FreeBSD (both pieces of
    software are the epitome of stability and robustness).  As for your
    correlation to load, this is probably the first time your box has
    received any appreciable amount of traffic.  If you benchmark your
    system, I bet you'll see the same thing.  It's easy to think increased
    load + SEGV = exploit, but often times it's just bringing out a long
    time resident hardware problem.  -sc
    
    > > > Over 15 times my apache has segfaulted whenever I get scanned by this worm.
    > > >
    > > > Sep 18 13:30:15 cgisecurity /kernel: pid 35290 (httpd), uid 1003: exited on signal 11
    > > > Sep 18 13:38:03 cgisecurity /kernel: pid 35390 (httpd), uid 1003: exited on signal 11
    > > > Sep 18 14:06:00 cgisecurity /kernel: pid 35391 (httpd), uid 1003: exited on signal 11
    > > > Sep 18 14:20:51 cgisecurity /kernel: pid 35453 (httpd), uid 1003: exited on signal 11
    > > > Sep 18 15:27:22 cgisecurity /kernel: pid 35740 (httpd), uid 1003: exited on signal 11
    > > > ^C
    > > >
    > > > Any idea why apache is segfaulting? I have 250 megs of free RAM without process limits and
    > > > it segfaults. Also I tried every string and have been unable to replicate it manually.
    
    -- 
    Sean Chittenden
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
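
One way to test the "scan versus load" question raised in this thread is to line up the kernel's signal 11 records with the web server's access log. This is an added example, not code from any poster in the thread. It assumes a common-log-format access log written on the same clock as syslog; the access-log lines, client addresses and request paths below are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

CRASH_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ /kernel: pid (\d+) \((\w+)\), "
                      r"uid \d+: exited on signal (\d+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+)[^\]]*\] "(\S+) (\S+)')

def parse_crashes(lines, year):
    """[(time, pid)] for httpd children killed by signal 11; syslog omits the year."""
    out = []
    for m in filter(None, map(CRASH_RE.match, lines)):
        if m.group(3) == "httpd" and m.group(4) == "11":
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, int(m.group(2))))
    return out

def parse_access(lines):
    """[(time, client, path)] from common-log-format lines (UTC offset ignored)."""
    return [(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1), m.group(4))
            for m in filter(None, map(ACCESS_RE.match, lines))]

def near_crashes(crashes, requests, window=10):
    """Per crash pid: (client, path) pairs logged within +/- `window` seconds."""
    span = timedelta(seconds=window)
    return {pid: [(c, p) for ts, c, p in requests if abs(ts - when) <= span]
            for when, pid in crashes}

def recurring_paths(near):
    """In how many crash windows does each path appear (counted once per crash)?"""
    counts = Counter()
    for hits in near.values():
        counts.update({p for _, p in hits})
    return counts

# Kernel lines copied from the post quoted above.
KERNEL_LOG = """Sep 18 13:30:15 cgisecurity /kernel: pid 35290 (httpd), uid 1003: exited on signal 11
Sep 18 13:38:03 cgisecurity /kernel: pid 35390 (httpd), uid 1003: exited on signal 11
Sep 18 14:06:00 cgisecurity /kernel: pid 35391 (httpd), uid 1003: exited on signal 11""".splitlines()
# Constructed access-log lines: documentation addresses and placeholder paths.
ACCESS_LOG = """192.0.2.10 - - [18/Sep/2001:13:30:12 -0700] "GET /probe-placeholder-a HTTP/1.0" 404 276
192.0.2.10 - - [18/Sep/2001:13:30:14 -0700] "GET /probe-placeholder-b HTTP/1.0" 404 276
198.51.100.7 - - [18/Sep/2001:13:33:40 -0700] "GET /index.html HTTP/1.0" 200 5324
198.51.100.9 - - [18/Sep/2001:13:38:01 -0700] "GET /probe-placeholder-a HTTP/1.0" 404 276""".splitlines()

if __name__ == "__main__":
    near = near_crashes(parse_crashes(KERNEL_LOG, 2001), parse_access(ACCESS_LOG))
    print(near)
    print(recurring_paths(near).most_common())
```

A child that dies mid-request normally never writes its own access-log line, so the window surfaces the requests around each crash rather than the fatal one. A path that recurs across most crash windows points toward a request-triggered fault, while empty or unrelated windows fit the load or hardware explanation better.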
    


