> I have the exact same problem on RedHat 7.2 with apache-1.3.22-6. It
> appears to be CodeRed attempts causing a denial of service through
> apache.

Yes this problem does exist. I first found it happening on the day codered hit to my machine. If you use error pages with ssi tags this happens. It is in the apache changelog. I even posted some data on my site about it back in the day. I couldn't reproduce it manually either.... My machine only had httpd processes segfaulting not sucking up all the cpu though.

- zenoat_private

>
> [Mon Oct 14 22:45:05 2002] [error] [client 140.121.175.22] Client sent
> malformed Host header
>
> 140.121.175.22 - - [14/Oct/2002:22:45:05 -0500] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00
> c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 334 "-" "-"
>
> This causes the cpu to reach 100% and the httpd process consumes all
> available memory until the kernel kills the process (often 1 hour
> later). I am unable to reproduce this behavior, even by manually
> sending the exact string to apache. Several other apache daemons
> running on the same OS, though compiled and not installed from binary
> rpm, are not affected.
>
> Ryan
>
> On Sat, 2002-10-12 at 16:05, Andre Guimaraes wrote:
> > Hi all,
> >
> > I have one webserver dedicated for a client communication running apache
> > 1.3.22-6 on linux red hat 7.3 and almost unused. Today the machine had no
> > memory or swap left (1 gig memory,512 meg swap). Analyzing the error logs I
> > found this:
> >
> > Lots of in /var/log/messages:
> > Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 (httpd).
> > Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process 1016 (httpd).
> > Oct 12 20:32:22 web01 kernel: Out of Memory: Killed process 1020 (httpd).
> > Oct 12 20:34:04 web01 kernel: Out of Memory: Killed process 1026 (httpd).
> > Oct 12 20:34:53 web01 kernel: Out of Memory: Killed process 1025 (httpd).
> > Oct 12 20:35:55 web01 kernel: Out of Memory: Killed process 1031 (httpd).
> >
> > Lots of this in error log:
> > [Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not exit,
> > sending a SIGKILL
> > [Sat Oct 12 20:41:44 2002] [error] child process 1228 still did not exit,
> > sending a SIGKILL
> > [Sat Oct 12 20:41:46 2002] [error] could not make child process 1072 exit,
> > attempting to continue anyway
> > [Sat Oct 12 20:41:46 2002] [error] could not make child process 1080 exit,
> > attempting to continue anyway
> >
> > Few minutes before in error log:
> > [Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client sent
> > HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
> >
> > [Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request failed:
> > erroneous characters after protocol string: CONNECT maila.microsoft.com:25 /
> > HTTP/1.0
> >
> > This connect maila looks like someone trying to find some kind of proxy.
> > What about the empty hostname? I can't figure out why that happened.
> >
> > Thanks
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
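To check the correlation the thread describes on your own server, the following added example (not part of the original messages) finds requests shaped like the quoted /default.ida line in an Apache access log and lists the httpd processes the kernel OOM-killed afterwards. The two-hour window, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache access-log line: client, [timestamp], "request", status.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) ')
# Shape of the request quoted in the thread: /default.ida?, a long run of one
# filler character, then several %uXXXX-encoded words.
CODERED_RE = re.compile(r'/default\.ida\?(.)\1{99,}.*?(?:%u[0-9a-fA-F]{4}){4,}')
# OOM-killer line as it appears in /var/log/messages in the thread.
OOM_RE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) \S+ kernel: '
                    r'Out of Memory: Killed process (\d+) \(httpd\)')

def codered_hits(access_lines):
    """Return (server-local time, client) for each Code Red-shaped request."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and CODERED_RE.search(m.group(3)):
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((when.replace(tzinfo=None), m.group(1)))
    return hits

def httpd_oom_kills(syslog_lines, year):
    """Return (time, pid) per httpd killed by the kernel; syslog omits the year."""
    kills = []
    for line in syslog_lines:
        m = OOM_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            kills.append((when, int(m.group(2))))
    return kills

def correlate(hits, kills, window=timedelta(hours=2)):
    """For each hit, list the httpd PIDs OOM-killed within `window` afterwards."""
    return [(client, when, [pid for t, pid in kills if when <= t <= when + window])
            for when, client in hits]

# Constructed sample input (documentation addresses, shortened request).
ACCESS = [
    '192.0.2.10 - - [14/Oct/2002:22:45:05 -0500] "GET /default.ida?' + "N" * 224
    + '%u9090%u6858%ucbd3%u7801%u9090 HTTP/1.0" 400 334 "-" "-"',
    '192.0.2.77 - - [14/Oct/2002:22:46:10 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]
SYSLOG = [
    "Oct 14 20:31:24 web01 kernel: Out of Memory: Killed process 1016 (httpd).",
    "Oct 14 23:40:11 web01 kernel: Out of Memory: Killed process 1023 (httpd).",
]

if __name__ == "__main__":
    for client, when, pids in correlate(codered_hits(ACCESS), httpd_oom_kills(SYSLOG, 2002)):
        print(f"{when} {client} Code Red-style request; httpd OOM kills after: {pids}")
```

Both logs are compared in server-local time, so the access-log UTC offset is dropped rather than converted.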
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 13:59:39 PDT