possible apache flaw ?
I know this isn't the right mailing list, but as it is, in my opinion, pretty important...

I have the latest version of apache running with the latest version of php, no modules that are not included in core. I took extreme caution while configuring both and I am pretty sure (after checking the logs) that this is not related to the way both of them are configured or even to some badly written scripts. The logs also show clearly that it was apache that was attacked and no other services.

Here's what happened. I logged in a few minutes ago and started checking out the logs when I noticed that many apache processes received a sigsegv. I grepped them out and did a quick count, there were 132 for the last three days. I did a ps and saw that there was actually a shell running with 'www' privileges, as I thought it could be a cron job, I typed 'who' and saw that there was a user logged in on that account. He was logged in for about 10 minutes, I waited a few minutes to see if he was doing something or just idling and finally killed his shell. Now I'm running a script that will tell when 'www' has a shell running, but I am really wondering where the problem could be. I am running OpenBSD-3.0-stable, every patch applied and as far as I know, apache has been running for years without a remote flaw.

I don't know what the hell happened, but I thought I should warn you to at least look at your log files these days, who knows, maybe some private exploit is in the wild.
veins
-- bofh at kheos.net && skreel.org - bofh, the choice of a degenerated
administration.
'Un jour, un canard qui se prénommait Harry dit à une cane: ris, cane ! Et la
cane a ri.'
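
The two checks described in the message above (counting segfaulted Apache children in the error log, and watching for a shell running as 'www'), written out as an added example that is not part of the original post. It assumes the usual Apache error_log "exit signal Segmentation fault (11)" notice and a process listing with USER, PID, TT and COMMAND columns; the function names and all sample data are constructed for illustration.

```python
import re

# Apache writes this notice to error_log when a child dies on SIGSEGV.
SEGV_RE = re.compile(
    r"^\[\w{3} (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) [\d:]{8} (?P<year>\d{4})\] "
    r"\[notice\] child pid \d+ exit signal Segmentation fault \(11\)")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
SHELLS = {"sh", "ksh", "csh", "tcsh", "bash", "zsh"}

def segv_per_day(lines):
    """Count segfaulted httpd children per calendar day (ISO date -> count)."""
    days = {}
    for line in lines:
        m = SEGV_RE.match(line)
        if m and m["mon"] in MONTHS:
            key = "%s-%02d-%02d" % (m["year"], MONTHS[m["mon"]], int(m["day"]))
            days[key] = days.get(key, 0) + 1
    return days

def shells_owned_by(ps_text, user="www"):
    """Return (pid, tty, command) for every shell running as `user`."""
    hits = []
    for row in ps_text.strip().splitlines()[1:]:      # skip the header row
        fields = row.split(None, 3)
        if len(fields) < 4 or fields[0] != user:
            continue
        # argv[0] may be a path (/bin/sh) or a login shell (-ksh).
        argv0 = fields[3].split()[0].lstrip("-").rsplit("/", 1)[-1]
        if argv0 in SHELLS:
            hits.append((int(fields[1]), fields[2], fields[3]))
    return hits

# Constructed sample data, not taken from the original message.
SAMPLE_LOG = """\
[Mon Jun  3 02:11:09 2002] [notice] child pid 21877 exit signal Segmentation fault (11)
[Mon Jun  3 02:11:10 2002] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/x
[Mon Jun  3 02:14:41 2002] [notice] child pid 9102 exit signal Segmentation fault (11)
[Tue Jun  4 17:30:02 2002] [notice] child pid 13005 exit signal Segmentation fault (11)
""".splitlines()
SAMPLE_PS = """\
USER    PID TT COMMAND
root      1 ?? /sbin/init
www   14002 ?? httpd: child (httpd)
www   14933 p1 /bin/sh -i
admin  1502 p0 -ksh (ksh)
"""

if __name__ == "__main__":
    print(segv_per_day(SAMPLE_LOG))
    print(shells_owned_by(SAMPLE_PS))
```

A sudden run of segfault notices together with any hit from the second check for the web server account is the combination the message describes; a shell owned by that account with a controlling terminal is not something a normal httpd produces.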