Security Incidents mailing list archives
Re: New worm segfaults apache
From: Sean Chittenden <sean-securityfocus-incidents () chittenden org>
Date: Wed, 19 Sep 2001 02:23:17 -0700
We're presently experiencing the same behavior on FreeBSD 4.3 with Apache 1.3.20 mod_ssl/2.8.4 OpenSSL/0.9.6b. It seems to be load related: we have several other boxes on the network with the same config/versions, but that are much lower load and aren't experiencing the segfaults. For reference, the one that IS having problems is serving 3.29 requests/sec - 17.0 kB/second - 5.2 kB/request. The normal load is about 1.7 requests/sec. Any ideas on what's causing this, or a good way to track/truss the child process to see what it's doing when it dies?
Dime to dollar this is bad hardware and not something that's triggering a hidden and previously unknown bug in Apache or FreeBSD (both pieces of software are the epitome of stability and robustness). As for your correlation to load, this is probably the first time your box has received any appreciable amount of traffic. If you benchmark your system, I bet you'll see the same thing. It's easy to think increased load + SEGV = exploit, but oftentimes it's just bringing out a long-time resident hardware problem.
-sc
Over 15 times my apache has segfaulted whenever I get scanned by this worm.

Sep 18 13:30:15 cgisecurity /kernel: pid 35290 (httpd), uid 1003: exited on signal 11
Sep 18 13:38:03 cgisecurity /kernel: pid 35390 (httpd), uid 1003: exited on signal 11
Sep 18 14:06:00 cgisecurity /kernel: pid 35391 (httpd), uid 1003: exited on signal 11
Sep 18 14:20:51 cgisecurity /kernel: pid 35453 (httpd), uid 1003: exited on signal 11
Sep 18 15:27:22 cgisecurity /kernel: pid 35740 (httpd), uid 1003: exited on signal 11
^C

Any idea why apache is segfaulting? I have 250 megs of free ram without process limits and it segfaults. Also I tried every string and have been unable to replicate it manually.
--
Sean Chittenden

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com