Re: apache problem

From: Bob Johnson (stest032at_private)
Date: Tue Oct 15 2002 - 20:09:04 PDT


    On Tuesday 15 October 2002 01:05 pm, Jonathan A. Zdziarski appears to 
    have written:
    > I would strace the httpd process(es) when this occurs to find out
    > what it's spinning on; perhaps your being unable to reproduce it has
    > something to do with the state of the connection (e.g. not closing
    > properly), so you might consider also a netstat when you see one of
    > these pop up in the logs.  I'm unable to reproduce this on my 1.3.26
    > installations but that's no surprise if it can't even be reproduced
    > on the command line.
    
    My recollection is that what gets logged for Code Red is not 
    exactly the packet that was received.  It gets part way through 
    the decoding process before it is logged. 
    
    - Bob
    
    
    >
    >
    >
    > -----Original Message-----
    > From: Ryan Sweat [mailto:rsweatat_private]
    > Sent: Tuesday, October 15, 2002 12:24 AM
    > To: Andre Guimaraes
    > Cc: 'incidentsat_private'
    > Subject: Re: apache problem
    >
    >
    > I have the exact same problem on RedHat 7.2 with apache-1.3.22-6.  It
    > appears to be CodeRed attempts causing a denial of service through
    > apache.
    >
    > [Mon Oct 14 22:45:05 2002] [error] [client 140.121.175.22] Client
    > sent malformed Host header
    >
    > 140.121.175.22 - - [14/Oct/2002:22:45:05 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 334 "-" "-"
    >
    > This causes the cpu to reach 100% and the httpd process consumes all
    > available memory until the kernel kills the process (often 1 hour
    > later).  I am unable to reproduce this behavior, even by manually
    > sending the exact string to apache.  Several other apache daemons
    > running on the same OS, though compiled and not installed from binary
    > rpm, are not affected.
    >
    > Ryan
    >
    > On Sat, 2002-10-12 at 16:05, Andre Guimaraes wrote:
    > > Hi all,
    > >
    > > I have one webserver dedicated for a client communication running
    > > apache 1.3.22-6 on linux red hat 7.3 and almost unused. Today the
    > > machine had no memory or swap left (1 gig memory,512 meg swap).
    > > Analyzing the error logs I found this:
    > >
    > > Lots of in /var/log/messages:
    > > Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 (httpd).
    > > Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process 1016 (httpd).
    > > Oct 12 20:32:22 web01 kernel: Out of Memory: Killed process 1020 (httpd).
    > > Oct 12 20:34:04 web01 kernel: Out of Memory: Killed process 1026 (httpd).
    > > Oct 12 20:34:53 web01 kernel: Out of Memory: Killed process 1025 (httpd).
    > > Oct 12 20:35:55 web01 kernel: Out of Memory: Killed process 1031 (httpd).
    > >
    > > Lots of this in error log:
    > > [Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not exit, sending a SIGKILL
    > > [Sat Oct 12 20:41:44 2002] [error] child process 1228 still did not exit, sending a SIGKILL
    > > [Sat Oct 12 20:41:46 2002] [error] could not make child process 1072 exit, attempting to continue anyway
    > > [Sat Oct 12 20:41:46 2002] [error] could not make child process 1080 exit, attempting to continue anyway
    > >
    > > Few minutes before in error log:
    > > [Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client
    > > sent HTTP/1.1 request without hostname (see RFC2616 section 14.23):
    > > /
    > >
    > > [Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request
    > > failed: erroneous characters after protocol string: CONNECT
    > > maila.microsoft.com:25 / HTTP/1.0
    > >
    > > This connect maila looks like someone trying to find some kind of
    > > proxy. What about the empty hostname? I can't figure out why that
    > > happened.
    > >
    > > Thanks
    > >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 16:24:49 PDT