Security Incidents mailing list archives

Re: New worm segfaults apache

From: Chris Hardie <chris () summersault com>
Date: Tue, 18 Sep 2001 18:14:26 -0500 (EST)


We're presently experiencing the same behavior on FreeBSD 4.3 with Apache
1.3.20 mod_ssl/2.8.4 OpenSSL/0.9.6b.  It seems to be load related: we have
several other boxes on the network with the same config/versions, but that
are much lower load and aren't experiencing the segfaults.  For reference,
the one that IS having problems is serving 3.29 requests/sec - 17.0
kB/second - 5.2 kB/request.  The normal load is about 1.7 requests/sec.

Any ideas on what's causing this, or a good way to track/truss the child
process to see what it's doing when it dies?

Chris


On Tue, 18 Sep 2001, Chip McClure wrote:

Which version of apache, and what OS are you running?

Running Apache 2.0.16, FreeBSD 4.3 - never had a segfault - and a ton of
probes against it.

----
Chip McClure
Sr Unix Administrator
GigGuardian, Inc.

http://www.gigguardian.com/
----

On Tue, 18 Sep 2001, bugtraq wrote:

Hello,


Over 15 times my apache has segfaulted whenever I get scanned by this worm.

Sep 18 13:30:15 cgisecurity /kernel: pid 35290 (httpd), uid 1003: exited on signal 11
Sep 18 13:38:03 cgisecurity /kernel: pid 35390 (httpd), uid 1003: exited on signal 11
Sep 18 14:06:00 cgisecurity /kernel: pid 35391 (httpd), uid 1003: exited on signal 11
Sep 18 14:20:51 cgisecurity /kernel: pid 35453 (httpd), uid 1003: exited on signal 11
Sep 18 15:27:22 cgisecurity /kernel: pid 35740 (httpd), uid 1003: exited on signal 11
^C

Any idea why apache is segfaulting? I have 250 megs of free ram without proccess limits and
it segfaults. Also I tried every string and have been unable to replicate it manually.

- admin () cgisecurity com



-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

  Chris Hardie - Principal
  Summersault, LLC - website development
  ph: 765-939-9301 x221  fax: 765-935-6798
  914 E. Main St., Richmond, IN 47374
  mailto:chris () summersault com
  http://www.summersault.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

New worm segfaults apache bugtraq (Sep 18)
- Re: New worm segfaults apache Chip McClure (Sep 18)
  - Re: New worm segfaults apache hanz (Sep 18)
    - RE: New worm segfaults apache robh (Sep 18)
  - Re: New worm segfaults apache Chris Hardie (Sep 18)
    - Re: New worm segfaults apache Sean Chittenden (Sep 19)
- <Possible follow-ups>
- RE: New worm segfaults apache Chris Arnold (Sep 18)
- Re: New worm segfaults apache bugtraq (Sep 19)
  - Re: New worm segfaults apache Marc Slemko (Sep 21)