Re: Apache goes berserk

From: Tobias Rosenstock (jeedi@Crew-KG.DE)
Date: Thu Jun 27 2002 - 14:09:25 PDT

    Hi,
    
    On Wed, 26 Jun 2002, Brett Glass wrote:
    
    > This evening, I returned from dinner to find that my Apache 2.0.39 Web
    > server, running on FreeBSD, was completely unresponsive. A "ps" command
    > revealed that the server had spawned dozens of child processes. And the
    > error log had filled up with messages that looked like this:
    >
    > [Wed Jun 26 21:28:36 2002] [warn] child process 164 still did not exit,
    > sending a SIGTERM
    [...]
    
    > ...and many more similar messages. These were followed by a continuous
    > stream of messages like the following:
    >
    > httpd in free(): warning: page is already free
    [...]
    
    > It doesn't LOOK as if anyone broke in, but the fact that the Web server
    > was tied up in knots until I shut it down and restarted it is disturbing.
    > Anyone else seeing such activity?
    
    looks like your box is under fire from someone who tries to break in
    through the well-published apache chunked request vulnerability, probably
    even using apache-scalp.c, which was published on bugtraq last week.
    
    i noticed similar behavior of my apache 1.3.24 before updating to 1.3.26
    when scanning it in "brute-force" mode with the binary compiled from
    apache-scalp.c. apache 1.3.26, however, seems to ignore that kind of
    error, or at least not log it. while scanning this version, all i could
    see in the access log was "regular" loglines for a "GET / HTTP/1.1" and a
    casual http-error 200 (Bad Request) in the error log.
    
    also, i'm not experiencing any performance problems, even when "scalping"
    the server from a box that's connected to it via a 100mbit switch. maybe
    this is an apache-2.x-only problem.
    
    tobias.
    -- 
     NOC Hamster       - Security Guy      - Owner of one, root of many
     Tobias Rosenstock - jeedi@crew-kg.de  - jeediat_private  - mailat_private
     Wieske's Crew KG  - http://irz42.net  - http://www.crew-kg.de
     Humboldtstr. 51   - Lessingstr.       - 22083 Hamburg - Germany
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
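
A triage sketch for the two error-log symptoms quoted in this thread, added here as an example and not part of the original message or of Apache. The sample log is constructed from the quoted formats, and the function name and thresholds are assumptions to tune per site.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two message formats quoted in the thread.
SAMPLE_LOG = """\
[Wed Jun 26 21:28:36 2002] [warn] child process 164 still did not exit, sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 165 still did not exit, sending a SIGTERM
[Wed Jun 26 21:28:40 2002] [warn] child process 164 still did not exit, sending a SIGTERM
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
[Wed Jun 26 21:30:02 2002] [notice] caught SIGTERM, shutting down
"""

TIMESTAMP = re.compile(r"^\[([A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\]")
STUCK_CHILD = re.compile(r"child process (\d+) still did not exit, sending a SIG[A-Z]+")
ALLOC_WARN = re.compile(r"^\S+ in free\(\): warning: ")


def triage(log_text, min_stuck_pids=2, min_alloc_warnings=1):
    """Summarise stuck-child and allocator warnings in an Apache error log.

    The allocator warnings come from libc on stderr and carry no timestamp,
    so each one is attributed to the last timestamped line seen before it.
    Thresholds are assumed defaults, not values from the thread.
    """
    stuck_pids = Counter()     # pid -> number of "still did not exit" lines
    alloc_by_time = Counter()  # last seen timestamp -> allocator warnings
    last_ts = None
    for line in log_text.splitlines():
        ts = TIMESTAMP.match(line)
        if ts:
            last_ts = ts.group(1)
        stuck = STUCK_CHILD.search(line)
        if stuck:
            stuck_pids[int(stuck.group(1))] += 1
        elif ALLOC_WARN.match(line):
            alloc_by_time[last_ts] += 1
    alloc_total = sum(alloc_by_time.values())
    return {
        "stuck_pids": dict(stuck_pids),
        "alloc_warnings": alloc_total,
        "alloc_by_time": dict(alloc_by_time),
        # Flag only when both symptoms appear together in the same log.
        "suspicious": len(stuck_pids) >= min_stuck_pids
        and alloc_total >= min_alloc_warnings,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```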
    



    This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 17:13:00 PDT