Security Incidents mailing list archives

Re: apache problem


From: Bob Johnson <stest032 () garbonzo hos ufl edu>
Date: Tue, 15 Oct 2002 19:10:31 -0400

On Tuesday 15 October 2002 09:53 am, cory appears to have written:
> This is a DoS from the chunk encoding exploits produced earlier this
> year.
>
> http://httpd.apache.org/info/security_bulletin_20020617.txt


Except that bulletin is obsolete.  Read this one instead:

http://httpd.apache.org/info/security_bulletin_20020620.txt

It is exploitable on 32-bit platforms.  

- Bob

> cheers,
> loon
>
> Andre Guimaraes wrote:
> > Hi all,
> >
> > I have one webserver dedicated for a client communication running
> > Apache 1.3.22-6 on Linux Red Hat 7.3 and almost unused. Today the
> > machine had no memory or swap left (1 gig memory, 512 meg swap).
> > Analyzing the error logs I found this:
> >
> > Lots of this in /var/log/messages:
> > Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 (httpd).
> > Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process 1016 (httpd).
> > Oct 12 20:32:22 web01 kernel: Out of Memory: Killed process 1020 (httpd).
> > Oct 12 20:34:04 web01 kernel: Out of Memory: Killed process 1026 (httpd).
> > Oct 12 20:34:53 web01 kernel: Out of Memory: Killed process 1025 (httpd).
> > Oct 12 20:35:55 web01 kernel: Out of Memory: Killed process 1031 (httpd).
> >
> > Lots of this in error log:
> > [Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not exit, sending a SIGKILL
> > [Sat Oct 12 20:41:44 2002] [error] child process 1228 still did not exit, sending a SIGKILL
> > [Sat Oct 12 20:41:46 2002] [error] could not make child process 1072 exit, attempting to continue anyway
> > [Sat Oct 12 20:41:46 2002] [error] could not make child process 1080 exit, attempting to continue anyway
> >
> > Few minutes before in error log:
> > [Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
> >
> > [Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request failed: erroneous characters after protocol string: CONNECT maila.microsoft.com:25 / HTTP/1.0
> >
> > This connect maila looks like someone trying to find some kind of
> > proxy. What about the empty hostname? I can't figure out why that
> > happened.
> >
> > Thanks
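
The log triage done by hand in the quoted message, as an added example that is not part of the original thread: it extracts the httpd OOM kills from /var/log/messages, classifies Apache error_log entries, and lists the client-attributed entries logged shortly before the first kill. The sample lines are copied from the excerpts above; the function names, category labels and the 30-minute default window are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the log excerpts quoted in the message above.
MESSAGES = """\
Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 (httpd).
Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process 1016 (httpd).
Oct 12 20:32:22 web01 kernel: Out of Memory: Killed process 1020 (httpd).
"""
ERROR_LOG = """\
[Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request failed: erroneous characters after protocol string: CONNECT maila.microsoft.com:25 / HTTP/1.0
[Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not exit, sending a SIGKILL
"""

OOM_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ kernel: Out of Memory: Killed process (\d+) \((\S+)\)")
ERR_RE = re.compile(r"^\[(.+?)\] \[error\] (?:\[client ([\d.]+)\] )?(.*)$")
# Category labels are this example's own, keyed on phrases seen in the excerpts.
CATEGORIES = [("missing-host-header", "request without hostname"), ("proxy-probe", "CONNECT "),
              ("child-stuck", "sending a SIGKILL"), ("child-stuck", "could not make child process")]

def oom_kills(text, year, proc="httpd"):
    """Return sorted [(datetime, pid)] for OOM kills of `proc`; syslog omits the year, so pass it in."""
    out = []
    for line in text.splitlines():
        m = OOM_RE.match(line)
        if m and m.group(3) == proc:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, int(m.group(2))))
    return sorted(out)

def error_events(text):
    """Return [(datetime, client-or-None, category)] for Apache 1.3 style error_log lines."""
    out = []
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            cat = next((c for c, needle in CATEGORIES if needle in m.group(3)), "other")
            out.append((ts, m.group(2), cat))
    return out

def before_first_kill(kills, events, minutes=30):
    """Client-attributed events logged within `minutes` before the first OOM kill."""
    if not kills:
        return []
    first = kills[0][0]
    return [e for e in events if e[1] and timedelta(0) <= first - e[0] <= timedelta(minutes=minutes)]
```

Proximity in time only orders the evidence for review; it does not show which request, if any, exhausted memory.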


