It would be helpful if you could paste part of the access log or other packet capture which signifies what data is being sent to apache causing this to happen. RedHat's apache is known to have issues with CodeRed attempts. The solution is to upgrade to Apache 2.x or 1.3.27. RedHat has not released any errata that fixes this bug, you must install from source, unless of course you have RedHat 8 which ships with Apache 2.x. There was a thread on this list just last week pertaining to this. http://online.securityfocus.com/archive/75/296184/2002-10-16/2002-10-22/1 Ryan On Fri, 2002-10-25 at 10:59, rsavageat_private wrote: > We upgraded to apache 1.3.26 from apache 1.3.24 during the time the > `Apache Web Server Chunk Handling Vulnerability' was released, but > still seeing these: > > > [Fri Aug 23 08:30:35 2002] [notice] child pid 50775 exit signal > Segmentation fault (11) > [Fri Aug 23 08:49:31 2002] [notice] child pid 51990 exit signal > Segmentation fault (11) > [Fri Aug 23 09:31:56 2002] [notice] child pid 55712 exit signal > Segmentation fault (11) > [Fri Aug 23 10:32:20 2002] [notice] child pid 60289 exit signal > Segmentation fault (11) > [Fri Aug 23 10:45:33 2002] [notice] child pid 61593 exit signal > Segmentation fault (11) > [Fri Aug 23 10:55:37 2002] [notice] child pid 62832 exit signal Bus error > (10) > [Fri Aug 23 11:43:24 2002] [notice] child pid 65789 exit signal Bus error > (10) > [Fri Aug 23 12:14:07 2002] [notice] child pid 69531 exit signal > Segmentation fault (11) > [Fri Aug 23 13:04:01 2002] [notice] child pid 73722 exit signal > Segmentation fault (11) > > dmesg.yesterday:pid 32987 (httpd), uid 65534: exited on signal 10 > dmesg.yesterday:Oct 22 14:07:09 robin /kernel: pid 32987 (httpd), uid > 65534: exited on signal 10 > messages:Oct 22 14:07:09 robin /kernel: pid 32987 (httpd), uid 65534: > exited on signal 10 > > Server version: Apache/1.3.26 (Unix) > Server built: Jun 20 2002 10:14:35 > > Compiled-in modules: > http_core.c > mod_env.c > mod_log_config.c > mod_mime.c > mod_negotiation.c > mod_status.c > mod_include.c > mod_autoindex.c > mod_dir.c > mod_cgi.c > mod_asis.c > mod_imap.c > mod_actions.c > mod_userdir.c > mod_alias.c > mod_rewrite.c > mod_access.c > mod_auth.c > mod_proxy.c > mod_usertrack.c > mod_unique_id.c > mod_setenvif.c > mod_perl.c > suexec: disabled; invalid wrapper /etc/httpd/bin/suexec > > > Is there something else out there, another DoS attack? > > -- > Rory Savage, Senior Systems Administrator > Nando Media: www.nandomedia.com > email: rsavageat_private > aol im (PiasElihU) > 919-836-5987 (Office) > > > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Oct 26 2002 - 14:03:01 PDT