Re: possible apache flaw?
Someone trying to do a buffer overflow or some similar attack on your
server perhaps?
It's obviously causing a DoS on your server and since you found an open
shell previously, it looks like you have been exploited as well. Have
there been any more attempts to log in with that username?
Also, are your packet logs being scanned just for HTTP attempts, or for
things like telnet/SSH/ftp? I don't know how busy your server is
access-wise, but it might be good to check for those events as well.
Also, can you tell what is being requested from the server specifically?
I.e., just the junk below or is there a specific page or (more important)
script being banged against repeatedly that looks out of the ordinary? I
know you said you wrote your scripts yourself, but this is a good time to
sanity check all possible break points.
Also, with packet logging I assume you have traced the source by now. Is
this a single IP hitting you or a DDoS of some kind?
This has prompted me to check my logs for problems -- I too am noticing
Apache dumping out quite often on one of my servers, though I don't have
any similar entries. I do have a lot of requests for files I don't have
on there anymore, and even for stuff that has never been there to begin
with. (I even saw requests for web sites not even on my box, coming to my
server ... someone screwed up their DNS on that one!) And, bingo! Out of
512 MB of memory, the box has 16 MB free and has started using swap space.
This is a Cobalt RaQ system (Linux) running the latest Cobalt-issued
Apache version. I have PHP turned off for now while I figure out why I
can't get v4 to run.
I'm going to turn on logging here and see if I can't find a DoS attack
going on or something. Seems like a new thing happening, whatever it is.
- Ralph
On Mon, 11 Mar 2002, Chehade Gilles wrote:
> Now it's becoming clearer that this is really someone. I wrote a script
> that would print out only uncommon lines of error_log, and it printed out
> just right after a segfault:
>
> ^[[C^[[C^[[C^[[C^[[C^[[C^[[C^[[C^[[C^[[B^[[B^[[B^[[B^[[B^[[B/bin/id
> ^[[C^[[C^[[C^[[C^[[C^[[C^[[C^[[C^[[C^[[B^[[B^[[B^[[B^[[B^[[B/bin/ar
>
> I also noticed that the server starts becoming unusable (reaching memory's
> limits) about half an hour after I get the first segfault.
>
> veins
> -- bofh at kheos.net && skreel.org - bofh, the choice of a degenerated
> administration.
> 'One day, a drake named Harry said to a duck: laugh, duck! And the duck
> laughed.' (in the original French: 'Un jour, un canard qui se prénommait
> Harry dit à une cane: ris, cane ! Et la cane a ri.')
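As an added example, not code from this thread (Gilles's own script is not posted), here is a Python version of the two checks the thread amounts to: the "uncommon lines" filter over error_log, and a pass that flags untimestamped lines, ESC-[ cursor sequences and command paths and ties each one to the most recent "exit signal Segmentation fault" notice before it. The sample log is constructed to follow the Apache 1.3 error_log format and the symptom the quoted message describes; it is not either poster's real log. Two facts the checks rely on: Apache's own logger prefixes every entry with "[timestamp] [level]", so an unprefixed line was written to the error_log descriptor by some other process's stderr; and in VT100/ANSI terminals ESC [ C is cursor forward and ESC [ B is cursor down, which is exactly what right-arrow and down-arrow keys send, so the junk looks like somebody's arrow keys being echoed, followed by a command.

```python
import re
from collections import Counter

# Constructed sample in Apache 1.3 error_log format (not the poster's real log).
# Two untimestamped lines carrying VT100 cursor-key sequences (ESC [ C = cursor
# forward, ESC [ B = cursor down) and command paths follow the first segfault,
# mirroring what the quoted message describes.
SAMPLE_ERROR_LOG = (
    "[Mon Mar 11 10:02:11 2002] [error] [client 10.0.0.5] File does not exist: /home/httpd/html/robots.txt\n"
    "[Mon Mar 11 10:02:12 2002] [error] [client 10.0.0.7] File does not exist: /home/httpd/html/robots.txt\n"
    "[Mon Mar 11 10:02:40 2002] [notice] child pid 2231 exit signal Segmentation fault (11)\n"
    "\x1b[C\x1b[C\x1b[C\x1b[B\x1b[B/bin/id\n"
    "\x1b[C\x1b[C\x1b[C\x1b[B\x1b[B/bin/ar\n"
    "[Mon Mar 11 10:05:01 2002] [error] [client 10.0.0.9] File does not exist: /home/httpd/html/robots.txt\n"
    "[Mon Mar 11 10:40:13 2002] [notice] child pid 2290 exit signal Segmentation fault (11)\n"
)

# Apache's own logger always writes "[timestamp] [level] message".
PREFIX_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>\w+)\] (?P<msg>.*)$"
)
SEGFAULT_RE = re.compile(r"child pid (?P<pid>\d+) exit signal Segmentation fault")
# Raw ESC-[ control sequences, or the "^[[" rendering that cat -v or a terminal paste leaves.
ESCAPE_RE = re.compile(r"(?:\x1b\[|\^\[\[)[0-9;]*[A-Za-z]")
CMD_RE = re.compile(r"(?:^|[^\w/])(/(?:usr/)?s?bin/[\w.-]+)")


def classify(line):
    """Return reason tags for one error_log line; an empty list means unremarkable."""
    reasons = []
    if not PREFIX_RE.match(line):
        # Not written by Apache's logger: it came from some process's raw stderr.
        reasons.append("unprefixed")
    if ESCAPE_RE.search(line):
        reasons.append("terminal-escape")
    # Strip the escape sequences first so a path glued to "ESC[B" is still found.
    if CMD_RE.search(ESCAPE_RE.sub("", line)):
        reasons.append("command-path")
    return reasons


def normalize(line):
    """Collapse the variable parts so repeated message shapes count as one template."""
    m = PREFIX_RE.match(line)
    if m:
        line = m.group("msg")
    line = re.sub(r"\d+\.\d+\.\d+\.\d+", "<ip>", line)
    return re.sub(r"\d+", "<n>", line)


def rare_lines(text, max_count=1):
    """The 'uncommon lines' filter: keep lines whose template appears at most max_count times."""
    lines = text.splitlines()
    counts = Counter(normalize(line) for line in lines)
    return [line for line in lines if counts[normalize(line)] <= max_count]


def correlate_segfaults(text):
    """Attach every flagged line to the most recent segfault notice before it.

    Returns (findings, orphans): findings holds one dict per segfault with the
    artifact lines that followed it; orphans are flagged lines seen before any segfault.
    """
    findings, orphans, current = [], [], None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        seg = SEGFAULT_RE.search(m.group("msg")) if m else None
        if seg:
            current = {"time": m.group("ts"), "pid": int(seg.group("pid")), "artifacts": []}
            findings.append(current)
            continue
        reasons = classify(line)
        if not reasons:
            continue
        if current is None:
            orphans.append((line, reasons))
        else:
            current["artifacts"].append((line, reasons))
    return findings, orphans


if __name__ == "__main__":
    for line in rare_lines(SAMPLE_ERROR_LOG):
        print("rare:", repr(line))
    findings, orphans = correlate_segfaults(SAMPLE_ERROR_LOG)
    for f in findings:
        print(f"segfault pid {f['pid']} at {f['time']}: {len(f['artifacts'])} artifact line(s)")
        for line, reasons in f["artifacts"]:
            print("   ", ",".join(reasons), repr(line))
    for line, reasons in orphans:
        print("unattributed:", ",".join(reasons), repr(line))
```

Run against a real error_log with `python3 thisfile.py < /dev/null` swapped for reading the file; the template counter is deliberately crude (digits and IPs masked, paths kept) so that a one-off 404 still shows up as rare, which is the trade-off Gilles's approach makes. The untimestamped-line check is the one worth keeping permanently: nothing Apache itself logs lacks the prefix, so those lines always deserve a look.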