Security Incidents mailing list archives
Re: Interesting Logs
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Thu, 14 Sep 2000 11:04:23 -0500
Max wrote:
Sep 7 16:56:14 flux kernel: Security: return onto stack running as UID 99, EUID 99, proccess httpd:335
Sep 7 16:56:14 flux kernel: Security: more returns onto the stack, logging disabled, UID 99, EUID 99, process httpd:331
Sep 7 16:57:40 flux kernel: Security: return onto stack running as UID 99, EUID 99, process httpd:331

I found these entries (from Solar Designer's non-exec stack patch) in my logs today. The box in question is Slackware 7.1 (i386) with all available patches, and a lot of security work put into it. I had heard rumors from several people about a heap overflow for Apache 1.3.9; this machine is running Apache 1.3.12+php(stable).
Woah. What version of PHP is installed? What kind of dynamic content is served from your web server? Correlate the date/time of the log with those in your access_log files and determine what request caused this to happen (that is, unless Apache crashed before it logged it). If you find something out, please share!

-HD
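The correlation suggested in the reply above, as an added example that is not part of the original thread: it pairs each non-exec stack alert with the access_log requests stamped shortly before it. The kernel lines are copied from the post; the access_log lines, the function names and the 30-second window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
# Sample input: kernel lines as quoted in the post; the access_log lines
# (addresses, paths, sizes) are constructed for this example.
KERNEL_LOG = """\
Sep 7 16:56:14 flux kernel: Security: return onto stack running as UID 99, EUID 99, proccess httpd:335
Sep 7 16:56:14 flux kernel: Security: more returns onto the stack, logging disabled, UID 99, EUID 99, process httpd:331
Sep 7 16:57:40 flux kernel: Security: return onto stack running as UID 99, EUID 99, process httpd:331
"""
ACCESS_LOG = """\
192.0.2.10 - - [07/Sep/2000:16:55:02 -0500] "GET /index.html HTTP/1.0" 200 2048
192.0.2.44 - - [07/Sep/2000:16:56:12 -0500] "POST /example.php HTTP/1.0" 200 512
192.0.2.10 - - [07/Sep/2000:16:57:39 -0500] "GET /example.php?id=1 HTTP/1.0" 200 512
192.0.2.10 - - [07/Sep/2000:17:10:00 -0500] "GET / HTTP/1.0" 200 100
"""

KERNEL_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Security: "
                       r".*onto (?:the )?stack.*httpd:(\d+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]*\] "([^"]*)" (\d{3})')

def kernel_events(text, year):
    """Return [(timestamp, httpd pid)]; syslog omits the year, so pass it in."""
    hits = filter(None, map(KERNEL_RE.match, text.splitlines()))
    return [(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
             int(m.group(2))) for m in hits]

def access_entries(text):
    """Return [(timestamp, client, request line, status)] from common log format."""
    hits = filter(None, map(ACCESS_RE.match, text.splitlines()))
    return [(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1),
             m.group(3), int(m.group(4))) for m in hits]

def correlate(kernel_text, access_text, year, before=30, after=2):
    """For each alert, list requests stamped `before` s earlier to `after` s later.
    Assumes both logs share one local clock. Matching is by time only (the common
    log format has no PID); an empty list fits a child that died before logging."""
    entries = access_entries(access_text)
    result = []
    for ts, pid in kernel_events(kernel_text, year):
        lo, hi = ts - timedelta(seconds=before), ts + timedelta(seconds=after)
        result.append((ts, pid, [e for e in entries if lo <= e[0] <= hi]))
    return result

if __name__ == "__main__":
    for ts, pid, reqs in correlate(KERNEL_LOG, ACCESS_LOG, 2000):
        print(ts, f"httpd:{pid}", [e[1:] for e in reqs] or "no logged request")
```

An alert with no matching request is worth cross-checking against error_log for a child exit at the same time.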