Security Incidents mailing list archives
Re: Apache goes berserk
From: Tobias Rosenstock <jeedi () Crew-KG DE>
Date: Thu, 27 Jun 2002 23:09:25 +0200 (CEST)
Hi,

On Wed, 26 Jun 2002, Brett Glass wrote:

> This evening, I returned from dinner to find that my Apache 2.0.39 Web server, running on FreeBSD, was completely unresponsive. A "ps" command revealed that the server had spawned dozens of child processes. And the error log had filled up with messages that looked like this:
>
> [Wed Jun 26 21:28:36 2002] [warn] child process 164 still did not exit, sending a SIGTERM

[...]

> ...and many more similar messages. These were followed by a continuous stream of messages like the following:
>
> httpd in free(): warning: page is already free

[...]

> It doesn't LOOK as if anyone broke in, but the fact that the Web server was tied up in knots until I shut it down and restarted it is disturbing. Anyone else seeing such activity?
looks like your box is under fire from someone who tries to break in through the well-published apache chunked request vulnerability, probably even using apache-scalp.c, which was published on bugtraq last week.

i noticed similar behavior of my apache 1.3.24 before updating to 1.3.26 when scanning it in "brute-force" mode with the binary compiled from apache-scalp.c, apache 1.3.26, however, seems to ignore that kind of error, or at least not log it. while scanning this version, all i could see in the access log was "regular" loglines for a "GET / HTTP/1.1" and a casual http-error 200 (Bad Request) in the error log. also, i'm not experiencing any performance problems, even when "scalping" the server from a box that's connected to it via a 100mbit switch.

maybe this is an apache-2.x-only problem.

tobias.

--
NOC Hamster - Security Guy - Owner of one, root of many
Tobias Rosenstock - jeedi () crew-kg de - jeedi () ccc de - mail () jeedi de
Wieske's Crew KG - http://irz42.net - http://www.crew-kg.de
Humboldtstr. 51 - Lessingstr. - 22083 Hamburg - Germany

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
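
The two error-log symptoms quoted in this thread, turned into a small triage script. This is an added example, not part of the original messages; the function name, the thresholds and every sample line except the first are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Patterns for the two messages quoted in the thread.
STUCK_CHILD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[warn\] child process (?P<pid>\d+) "
    r"still did not exit, sending a SIGTERM$")
HEAP_WARN = re.compile(r"^httpd in free\(\): warning: page is already free$")

# Constructed sample log: only the first line appears in the thread.
SAMPLE_LOG = """\
[Wed Jun 26 21:28:36 2002] [warn] child process 164 still did not exit, sending a SIGTERM
[Wed Jun 26 21:28:36 2002] [warn] child process 165 still did not exit, sending a SIGTERM
[Wed Jun 26 21:28:37 2002] [warn] child process 171 still did not exit, sending a SIGTERM
[Wed Jun 26 21:28:38 2002] [warn] child process 164 still did not exit, sending a SIGTERM
httpd in free(): warning: page is already free
httpd in free(): warning: page is already free
[Wed Jun 26 21:40:02 2002] [notice] caught SIGTERM, shutting down
""".splitlines()


def summarize(lines, window=timedelta(minutes=1), min_children=3):
    """Count stuck children and allocator warnings in an Apache error log.

    'alert' is set when at least min_children distinct child PIDs had to be
    sent SIGTERM within one window (assumed thresholds, tune per site).
    """
    stuck, heap_warnings = [], 0
    for line in lines:
        line = line.strip()
        m = STUCK_CHILD.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            stuck.append((ts, int(m["pid"])))
        elif HEAP_WARN.match(line):
            # The allocator writes to stderr, so these lines carry no timestamp.
            heap_warnings += 1
    stuck.sort()
    peak = 0
    for i, (start, _) in enumerate(stuck):
        # Distinct PIDs seen within `window` of this event.
        pids = {pid for ts, pid in stuck[i:] if ts - start <= window}
        peak = max(peak, len(pids))
    return {"stuck_pids": sorted({pid for _, pid in stuck}),
            "peak_children_in_window": peak,
            "heap_warnings": heap_warnings,
            "alert": peak >= min_children}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
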
