Re: apache problem

From: Ryan Sweat (rsweatat_private)
Date: Mon Oct 14 2002 - 21:24:03 PDT


    I have the exact same problem on RedHat 7.2 with apache-1.3.22-6.  It
    appears to be CodeRed attempts causing a denial of service through
    apache.
    
    [Mon Oct 14 22:45:05 2002] [error] [client 140.121.175.22] Client sent
    malformed Host header
    
    140.121.175.22 - - [14/Oct/2002:22:45:05 -0500] "GET
    /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00
    c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 334 "-" "-"
    
    This causes the CPU to reach 100% and the httpd process consumes all
    available memory until the kernel kills the process (often 1 hour
    later).  I am unable to reproduce this behavior, even by manually
    sending the exact string to apache.  Several other apache daemons
    running on the same OS, though compiled and not installed from binary
    rpm, are not affected.
    
    Ryan
    
    On Sat, 2002-10-12 at 16:05, Andre Guimaraes wrote:
    > Hi all,
    > 
    > I have one webserver dedicated for a client communication running apache
    > 1.3.22-6 on linux red hat 7.3 and almost unused. Today the machine had no
    > memory or swap left (1 gig memory, 512 meg swap). Analyzing the error logs I
    > found this:
    > 
    > Lots of this in /var/log/messages:
    > Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 (httpd).
    > Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process 1016 (httpd).
    > Oct 12 20:32:22 web01 kernel: Out of Memory: Killed process 1020 (httpd).
    > Oct 12 20:34:04 web01 kernel: Out of Memory: Killed process 1026 (httpd).
    > Oct 12 20:34:53 web01 kernel: Out of Memory: Killed process 1025 (httpd).
    > Oct 12 20:35:55 web01 kernel: Out of Memory: Killed process 1031 (httpd).
    > 
    > Lots of this in error log:
    > [Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not exit,
    > sending a SIGKILL
    > [Sat Oct 12 20:41:44 2002] [error] child process 1228 still did not exit,
    > sending a SIGKILL
    > [Sat Oct 12 20:41:46 2002] [error] could not make child process 1072 exit,
    > attempting to continue anyway
    > [Sat Oct 12 20:41:46 2002] [error] could not make child process 1080 exit,
    > attempting to continue anyway
    > 
    > Few minutes before in error log:
    > [Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client sent
    > HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    > 
    > [Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request failed:
    > erroneous characters after protocol string: CONNECT maila.microsoft.com:25 /
    > HTTP/1.0
    > 
    > This connect maila looks like someone trying to find some kind of proxy.
    > What about the empty hostname? I can't figure out why that happened.
    > 
    > Thanks
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 09:45:11 PDT
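
A triage helper for the situation described in this thread, as an added example that is not part of either poster's message: it finds Code Red style `/default.ida` requests in an Apache access log and lists which of them preceded each kernel OOM kill of httpd. The 90-minute window, the function names and the sample lines are assumptions made for illustration; the pattern also accepts `X` padding, which the Code Red II variant uses, and a match shows timing only, not cause.

```python
import re
from datetime import datetime, timedelta

# /default.ida? + a long run of one padding character + %uXXXX-encoded words.
PROBE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /default\.ida\?'
    r'(?P<pad>[NX])(?P=pad){20,}(?:%u[0-9A-Fa-f]{4})+')
OOM = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ kernel: Out of Memory: '
    r'Killed process (?P<pid>\d+) \((?P<name>[^)]+)\)')

def find_probes(access_lines):
    """Return (local wall-clock time, client IP) per matching request."""
    hits = []
    for line in access_lines:
        m = PROBE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            hits.append((ts.replace(tzinfo=None), m['ip']))
    return hits

def find_oom_kills(syslog_lines, year, process='httpd'):
    """Return (time, pid) per OOM kill of `process`; syslog omits the year."""
    kills = []
    for line in syslog_lines:
        m = OOM.match(line)
        if m and m['name'] == process:
            ts = datetime.strptime(f"{year} {m['ts']}", '%Y %b %d %H:%M:%S')
            kills.append((ts, int(m['pid'])))
    return kills

def correlate(probes, kills, window=timedelta(minutes=90)):
    """For each kill, list probe sources seen within `window` before it."""
    return [(when, pid,
             [ip for t, ip in probes if timedelta(0) <= when - t <= window])
            for when, pid in kills]

# Constructed sample data: documentation addresses, shortened padding.
ACCESS = [
    '192.0.2.10 - - [14/Oct/2002:22:45:05 -0500] "GET /default.ida?' + 'N' * 60
    + '%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 334 "-" "-"',
    '192.0.2.20 - - [14/Oct/2002:22:50:00 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    '192.0.2.30 - - [14/Oct/2002:19:00:00 -0500] "GET /default.ida?' + 'X' * 60
    + '%u9090=a HTTP/1.0" 404 290 "-" "-"',
]
SYSLOG = [
    'Oct 14 23:40:10 web01 kernel: Out of Memory: Killed process 1023 (httpd).',
    'Oct 14 23:41:00 web01 sshd[999]: session opened for user admin',
]

if __name__ == '__main__':
    for when, pid, ips in correlate(find_probes(ACCESS), find_oom_kills(SYSLOG, 2002)):
        print(when, pid, ips or 'no probe in window')
```

Both logs are assumed to use the same local time zone, and each request is assumed to occupy one line in the real access log rather than being wrapped as in the e-mail.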