Re: apache problem

From: cory (loonat_private)
Date: Tue Oct 15 2002 - 06:53:18 PDT


    This is a DoS from the chunk encoding exploits produced earlier this year.
    
    http://httpd.apache.org/info/security_bulletin_20020617.txt
    
    cheers,
    loon
    
    Andre Guimaraes wrote:
    
    >Hi all,
    >
    >I have one webserver dedicated for a client communication running apache
    >1.3.22-6 on linux red hat 7.3 and almost unused. Today the machine had no
    >memory or swap left (1 gig memory,512 meg swap). Analyzing the error logs I
    >found this:
    >
    >Lots of this in /var/log/messages:
    >Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 (httpd).
    >Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process 1016 (httpd).
    >Oct 12 20:32:22 web01 kernel: Out of Memory: Killed process 1020 (httpd).
    >Oct 12 20:34:04 web01 kernel: Out of Memory: Killed process 1026 (httpd).
    >Oct 12 20:34:53 web01 kernel: Out of Memory: Killed process 1025 (httpd).
    >Oct 12 20:35:55 web01 kernel: Out of Memory: Killed process 1031 (httpd).
    >
    >Lots of this in error log:
    >[Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not exit,
    >sending a SIGKILL
    >[Sat Oct 12 20:41:44 2002] [error] child process 1228 still did not exit,
    >sending a SIGKILL
    >[Sat Oct 12 20:41:46 2002] [error] could not make child process 1072 exit,
    >attempting to continue anyway
    >[Sat Oct 12 20:41:46 2002] [error] could not make child process 1080 exit,
    >attempting to continue anyway
    >
    >Few minutes before in error log:
    >[Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client sent
    >HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    >
    >[Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request failed:
    >erroneous characters after protocol string: CONNECT maila.microsoft.com:25 /
    >HTTP/1.0
    >
    >This connect maila looks like someone trying to find some kind of proxy.
    >What about the empty hostname? I can't figure out why that happened.
    >
    >Thanks
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 19:04:00 PDT
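
Added example, not part of either post: a triage sketch that merges the two logs quoted above into one timeline and lists the clients that logged errors shortly before the first OOM kill. The function names, the 30-minute window and the year applied to the syslog lines (taken from the error log, since syslog omits it) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the quoted post (wrapped lines rejoined, subset only).
MESSAGES = """\
Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 (httpd).
Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process 1016 (httpd).
Oct 12 20:35:55 web01 kernel: Out of Memory: Killed process 1031 (httpd).
"""
ERROR_LOG = """\
[Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not exit, sending a SIGKILL
[Sat Oct 12 20:41:46 2002] [error] could not make child process 1072 exit, attempting to continue anyway
[Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request failed: erroneous characters after protocol string: CONNECT maila.microsoft.com:25 / HTTP/1.0
"""
OOM_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ kernel: Out of Memory: Killed process (\d+) \((\S+)\)")
ERR_RE = re.compile(r"^\[(\w{3} \w{3} +\d+ [\d:]{8} \d{4})\] \[error\] (?:\[client ([\d.]+)\] )?(.*)$")
RULES = [  # (label, pattern) matched against the Apache error text
    ("child_sigkill", re.compile(r"still did not exit, sending a SIGKILL")),
    ("child_stuck", re.compile(r"could not make child process \d+ exit")),
    ("no_host_header", re.compile(r"request without hostname")),
    ("proxy_probe", re.compile(r"protocol string: CONNECT ")),
]

def timeline(messages, error_log, year=2002):
    """Merge both logs into sorted (time, label, detail) events."""
    events = []
    for line in messages.splitlines():
        m = OOM_RE.match(line)
        if m:  # syslog has no year; `year` is an assumption taken from error_log
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, "oom_kill", f"pid {m.group(2)} {m.group(3)}"))
    for line in error_log.splitlines():
        m = ERR_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        label = next((n for n, rx in RULES if rx.search(m.group(3))), "other")
        events.append((ts, label, m.group(2) or "-"))  # "-" when no client is logged
    return sorted(events)

def clients_before_first_oom(events, window=timedelta(minutes=30)):
    """Client IPs logged in the window before the first OOM kill (leads, not proof)."""
    ooms = [t for t, label, _ in events if label == "oom_kill"]
    if not ooms:
        return []
    return [(d, label) for t, label, d in events
            if d != "-" and label != "oom_kill" and ooms[0] - window <= t < ooms[0]]
```

A client that shows up in the window is a lead to check against access_log, not evidence that it caused the memory exhaustion.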