Hi,

On Wed, 26 Jun 2002, Brett Glass wrote:

> This evening, I returned from dinner to find that my Apache 2.0.39 Web
> server, running on FreeBSD, was completely unresponsive. A "ps" command
> revealed that the server had spawned dozens of child processes. And the
> error log had filled up with messages that looked like this:
>
> [Wed Jun 26 21:28:36 2002] [warn] child process 164 still did not exit,
> sending a SIGTERM
[...]
> ...and many more similar messages. These were followed by a continuous
> stream of messages like the following:
>
> httpd in free(): warning: page is already free
[...]
> It doesn't LOOK as if anyone broke in, but the fact that the Web server
> was tied up in knots until I shut it down and restarted it is disturbing.
> Anyone else seeing such activity?

looks like your box is under fire from someone who tries to break in through the well-published apache chunked request vulnerability, probably even using apache-scalp.c, which was published on bugtraq last week.

i noticed similar behavior of my apache 1.3.24 before updating to 1.3.26 when scanning it in "brute-force" mode with the binary compiled from apache-scalp.c. apache 1.3.26, however, seems to ignore that kind of error, or at least not log it. while scanning this version, all i could see in the access log was "regular" loglines for a "GET / HTTP/1.1" and a casual http-error 200 (Bad Request) in the error log. also, i'm not experiencing any performance problems, even when "scalping" the server from a box that's connected to it via a 100mbit switch.

maybe this is an apache-2.x-only problem.

tobias.

--
NOC Hamster - Security Guy - Owner of one, root of many
Tobias Rosenstock - jeedi@crew-kg.de - jeediat_private - mailat_private
Wieske's Crew KG - http://irz42.net - http://www.crew-kg.de
Humboldtstr. 51 - Lessingstr. - 22083 Hamburg - Germany

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
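
A triage check for the two error-log symptoms quoted in the thread above, added here as an example; it is not part of the original messages or of Apache. The sample log lines are constructed from the quoted formats, and the function name and thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Patterns follow the two message formats quoted in the thread.
SIGTERM_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[warn\] child process (?P<pid>\d+) "
    r"still did not exit, sending a SIGTERM")
DOUBLE_FREE_RE = re.compile(r"^httpd in free\(\): warning: page is already free")

# Constructed sample error log, not captured from a real server.
SAMPLE_LOG = """\
[Wed Jun 26 21:28:36 2002] [warn] child process 164 still did not exit, sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 165 still did not exit, sending a SIGTERM
[Wed Jun 26 21:28:37 2002] [warn] child process 164 still did not exit, sending a SIGTERM
[Wed Jun 26 21:28:40 2002] [notice] caught SIGTERM, shutting down
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
"""

def triage(lines, min_children=2, min_free_warnings=3):
    """Summarise both symptoms; thresholds are assumed and should be tuned per site."""
    stuck = Counter()            # pid -> number of SIGTERM warnings for that child
    first = last = None          # time window covered by the SIGTERM warnings
    free_warnings = 0            # allocator warnings carry no timestamp of their own
    for line in lines:
        m = SIGTERM_RE.match(line)
        if m:
            stuck[m["pid"]] += 1
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            first = ts if first is None else min(first, ts)
            last = ts if last is None else max(last, ts)
        elif DOUBLE_FREE_RE.match(line):
            free_warnings += 1
    return {
        "stuck_children": len(stuck),
        "sigterm_warnings": sum(stuck.values()),
        "free_warnings": free_warnings,
        "window": (first, last),
        # Either symptom in volume is worth a look: hung children or heap warnings.
        "suspicious": len(stuck) >= min_children or free_warnings >= min_free_warnings,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```
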