Security Incidents mailing list archives

Re: apache problem

From: cory <loon () loadedpenguin com>
Date: Tue, 15 Oct 2002 08:53:18 -0500

This is a DoS from the chunk encoding exploits produced earlier this year.

http://httpd.apache.org/info/security_bulletin_20020617.txt

cheers,
loon

Andre Guimaraes wrote:

Hi all,

I have one webserver dedicated for a client communication running apache
1.3.22-6 on linux red hat 7.3 and almost unused. Today the machine had no
memory or swap left (1 gig memory,512 meg swap). Analyzing the error logs I
found this:

Lots of in /var/log/messages:
Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 (httpd).
Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process 1016 (httpd).
Oct 12 20:32:22 web01 kernel: Out of Memory: Killed process 1020 (httpd).
Oct 12 20:34:04 web01 kernel: Out of Memory: Killed process 1026 (httpd).
Oct 12 20:34:53 web01 kernel: Out of Memory: Killed process 1025 (httpd).
Oct 12 20:35:55 web01 kernel: Out of Memory: Killed process 1031 (httpd).

Lots of this in error log:
[Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not exit,
sending a SIGKILL
[Sat Oct 12 20:41:44 2002] [error] child process 1228 still did not exit,
sending a SIGKILL
[Sat Oct 12 20:41:46 2002] [error] could not make child process 1072 exit,
attempting to continue anyway
[Sat Oct 12 20:41:46 2002] [error] could not make child process 1080 exit,
attempting to continue anyway

Few minutes before in error log:
[Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client sent
HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

[Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request failed:
erroneous characters after protocol string: CONNECT maila.microsoft.com:25 /
HTTP/1.0

This connect maila looks like someone trying to find some kind of proxy.
What about the empty hostname? I cant figure out why that happened.

Thanks

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

Current thread:

apache problem Andre Guimaraes (Oct 14)
- Re: apache problem Ryan Sweat (Oct 15)
  - Re: apache problem zeno (Oct 15)
  - RE: apache problem Jonathan A. Zdziarski (Oct 15)
    - Re: apache problem Bob Johnson (Oct 16)
- Re: apache problem SZALAY Attila (Oct 15)
- Re: apache problem cory (Oct 15)
  - Re: apache problem Bob Johnson (Oct 16)
- Re: apache problem Hugo van der Kooij (Oct 15)
  - Re: apache problem Homer Wilson Smith (Oct 16)
    - Re: apache problem Hugo van der Kooij (Oct 16)
    - Re: apache problem Stephen Smoogen (Oct 17)
    - RE: apache problem Jonathan A. Zdziarski (Oct 18)
    - Re: apache problem Jason Giglio (Oct 18)
    - Re: apache problem Stephen Smoogen (Oct 18)
    - RE: apache problem Jonathan A. Zdziarski (Oct 18)