Security Incidents mailing list archives

Re: apache problem

From: Bob Johnson <stest032 () garbonzo hos ufl edu>
Date: Tue, 15 Oct 2002 23:09:04 -0400

On Tuesday 15 October 2002 01:05 pm, Jonathan A. Zdziarski appears to 
have written:

I would strace the httpd process(es) when this occurs to find out
what it's spinning on; perhaps your being unable to reproduce it has
something to do with the state of the connection (e.g. not closing
properly), so you might consider also a netstat when you see one of
these pop up in the logs.  I'm unable to reproduce this on my 1.3.26
installations but that's no surprise if it can't even be reproduced
it on the commandline.


My recollection is that what gets logged for Code Red is not 
exactly the packet that was received.  It gets part way through 
the decoding process before it is logged. 

- Bob

-----Original Message-----
From: Ryan Sweat [mailto:rsweat () attbi com]
Sent: Tuesday, October 15, 2002 12:24 AM
To: Andre Guimaraes
Cc: 'incidents () securityfocus com'
Subject: Re: apache problem

I have the exact same problem on RedHat 7.2 with apache-1.3.22-6.  It
appears to be CodeRed attempts causing a denial of service through
apache.

[Mon Oct 14 22:45:05 2002] [error] [client 140.121.175.22] Client
sent malformed Host header

140.121.175.22 - - [14/Oct/2002:22:45:05 -0500] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNN NNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNN NNNNNNNNNNNNNNNNNNNNNNNN
NN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u78 01%u9090%u9090%u8190%u00
c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 334 "-"
"-"

This causes the cpu to reach 100% and the httpd process consumes all
available memory until the kernel kills the process (often 1 hour
later).  I am unable to reproduce this behavior, even by manually
sending the exact string to apache.  Several other apache daemons
running on the same OS, though compiled and not installed from binary
rpm, are not affected.

Ryan

On Sat, 2002-10-12 at 16:05, Andre Guimaraes wrote:

Hi all,

I have one webserver dedicated for a client communication running
apache 1.3.22-6 on linux red hat 7.3 and almost unused. Today the
machine had no memory or swap left (1 gig memory,512 meg swap).
Analyzing the error logs I found this:

Lots of in /var/log/messages:
Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023
(httpd). Oct 12 20:31:52 web01 kernel: Out of Memory: Killed
process 1016 (httpd). Oct 12 20:32:22 web01 kernel: Out of Memory:
Killed process 1020 (httpd). Oct 12 20:34:04 web01 kernel: Out of
Memory: Killed process 1026 (httpd). Oct 12 20:34:53 web01 kernel:
Out of Memory: Killed process 1025 (httpd). Oct 12 20:35:55 web01
kernel: Out

of Memory: Killed process 1031 (httpd).

Lots of this in error log:
[Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not
exit, sending a SIGKILL [Sat Oct 12 20:41:44 2002] [error] child
process 1228 still did not exit, sending a SIGKILL
[Sat Oct 12 20:41:46 2002] [error] could not make child process
1072


exit,

attempting to continue anyway
[Sat Oct 12 20:41:46 2002] [error] could not make child process
1080


exit,

attempting to continue anyway

Few minutes before in error log:
[Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client
sent HTTP/1.1 request without hostname (see RFC2616 section 14.23):
/

[Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request
failed: erroneous characters after protocol string: CONNECT
maila.microsoft.com:25 / HTTP/1.0

This connect maila looks like someone trying to find some kind of
proxy. What about the empty hostname? I cant figure out why that
happened.

Thanks



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

apache problem Andre Guimaraes (Oct 14)
- Re: apache problem Ryan Sweat (Oct 15)
  - Re: apache problem zeno (Oct 15)
  - RE: apache problem Jonathan A. Zdziarski (Oct 15)
    - Re: apache problem Bob Johnson (Oct 16)
- Re: apache problem SZALAY Attila (Oct 15)
- Re: apache problem cory (Oct 15)
  - Re: apache problem Bob Johnson (Oct 16)
- Re: apache problem Hugo van der Kooij (Oct 15)
  - Re: apache problem Homer Wilson Smith (Oct 16)
    - Re: apache problem Hugo van der Kooij (Oct 16)
    - Re: apache problem Stephen Smoogen (Oct 17)
    - RE: apache problem Jonathan A. Zdziarski (Oct 18)
    - Re: apache problem Jason Giglio (Oct 18)
    - Re: apache problem Stephen Smoogen (Oct 18)

(Thread continues...)