Security Incidents mailing list archives

Re: New worm segfaults apache


From: Sean Chittenden <sean-securityfocus-incidents () chittenden org>
Date: Wed, 19 Sep 2001 02:23:17 -0700

We're presently experiencing the same behavior on FreeBSD 4.3 with Apache
1.3.20 mod_ssl/2.8.4 OpenSSL/0.9.6b.  It seems to be load related: we have
several other boxes on the network with the same config/versions, but that
are much lower load and aren't experiencing the segfaults.  For reference,
the one that IS having problems is serving 3.29 requests/sec - 17.0
kB/second - 5.2 kB/request.  The normal load is about 1.7 requests/sec.

Any ideas on what's causing this, or a good way to track/truss the child
process to see what it's doing when it dies?

Dime to dollar this is bad hardware and not something that's triggering a
hidden and previously unknown bug in Apache or FreeBSD (both pieces of
software are the epitome of stability and robustness).  As for your
correlation to load, this is probably the first time your box has
received any appreciable amount of traffic.  If you benchmark your
system, I bet you'll see the same thing.  It's easy to think increased
load + SEGV = exploit, but often times it's just bringing out a long
time resident hardware problem.  -sc

Over 15 times my apache has segfaulted whenever I get scanned by this worm.

Sep 18 13:30:15 cgisecurity /kernel: pid 35290 (httpd), uid 1003: exited on signal 11
Sep 18 13:38:03 cgisecurity /kernel: pid 35390 (httpd), uid 1003: exited on signal 11
Sep 18 14:06:00 cgisecurity /kernel: pid 35391 (httpd), uid 1003: exited on signal 11
Sep 18 14:20:51 cgisecurity /kernel: pid 35453 (httpd), uid 1003: exited on signal 11
Sep 18 15:27:22 cgisecurity /kernel: pid 35740 (httpd), uid 1003: exited on signal 11
^C

Any idea why apache is segfaulting? I have 250 megs of free ram without process limits and
it segfaults. Also I tried every string and have been unable to replicate it manually.

-- 
Sean Chittenden

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
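
One way to check whether the segfaults line up with inbound scans, as an added example that is not part of the original thread: this Python script pairs each `exited on signal 11` kernel line with the requests logged in the seconds before it. The access-log lines, client addresses and paths are constructed placeholders, the year 2001 is taken from the message date, both logs are assumed to use the same local time, and the function names and 5-second window are hypothetical choices.

```python
import re
from datetime import datetime, timedelta

# Kernel lines as quoted in the message above (syslog omits the year).
KERNEL_LOG = """\
Sep 18 13:30:15 cgisecurity /kernel: pid 35290 (httpd), uid 1003: exited on signal 11
Sep 18 13:38:03 cgisecurity /kernel: pid 35390 (httpd), uid 1003: exited on signal 11
Sep 18 14:06:00 cgisecurity /kernel: pid 35391 (httpd), uid 1003: exited on signal 11
Sep 18 14:20:51 cgisecurity /kernel: pid 35453 (httpd), uid 1003: exited on signal 11
Sep 18 15:27:22 cgisecurity /kernel: pid 35740 (httpd), uid 1003: exited on signal 11
"""
# Constructed Common Log Format lines; addresses and paths are placeholders.
ACCESS_LOG = """\
192.0.2.10 - - [18/Sep/2001:13:30:13 -0700] "GET /constructed/probe-1 HTTP/1.0" 404 276
192.0.2.10 - - [18/Sep/2001:13:30:14 -0700] "GET /constructed/probe-2 HTTP/1.0" 404 276
198.51.100.7 - - [18/Sep/2001:13:33:40 -0700] "GET /index.html HTTP/1.0" 200 5120
192.0.2.44 - - [18/Sep/2001:13:38:02 -0700] "GET /constructed/probe-1 HTTP/1.0" 404 276
"""

CRASH_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ /kernel: pid (\d+) \(([^)]+)\), uid \d+: exited on signal (\d+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "([^"]*)" (\d{3}|-)')

def parse_crashes(text, year=2001, proc="httpd", signal=11):
    # Return (timestamp, pid) for each kernel line reporting `proc` killed by `signal`.
    out = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m and m.group(3) == proc and int(m.group(4)) == signal:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, int(m.group(2))))
    return out

def parse_access(text):
    # Return (timestamp, client, request line); the UTC offset is ignored (assumption).
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            out.append((ts, m.group(1), m.group(3)))
    return out

def requests_before_crashes(crashes, requests, window=5):
    """Map each crashed pid to the (client, request) pairs logged within `window` seconds before it."""
    result = {}
    for cts, pid in crashes:
        lo = cts - timedelta(seconds=window)
        result[pid] = [(ip, req) for rts, ip, req in requests if lo <= rts <= cts]
    return result
```

Apache writes an access-log entry only after a request completes, so the request a child was handling when it died is usually absent from the log. The useful signal is the burst of requests from the same client just before each crash, and crashes with no neighbouring requests at all.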

