Security Incidents mailing list archives

RE: apache problem


From: "Jonathan A. Zdziarski" <jonathan () networkdweebs com>
Date: Tue, 15 Oct 2002 13:05:58 -0400

I would strace the httpd process(es) when this occurs to find out what
it's spinning on; perhaps your being unable to reproduce it has
something to do with the state of the connection (e.g. not closing
properly), so you might consider also a netstat when you see one of
these pop up in the logs.  I'm unable to reproduce this on my 1.3.26
installations but that's no surprise if it can't even be reproduced on
the command line.



-----Original Message-----
From: Ryan Sweat [mailto:rsweat () attbi com] 
Sent: Tuesday, October 15, 2002 12:24 AM
To: Andre Guimaraes
Cc: 'incidents () securityfocus com'
Subject: Re: apache problem


I have the exact same problem on RedHat 7.2 with apache-1.3.22-6.  It
appears to be CodeRed attempts causing a denial of service through
apache.

[Mon Oct 14 22:45:05 2002] [error] [client 140.121.175.22] Client sent
malformed Host header

140.121.175.22 - - [14/Oct/2002:22:45:05 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 334 "-" "-"

This causes the cpu to reach 100% and the httpd process consumes all
available memory until the kernel kills the process (often 1 hour
later).  I am unable to reproduce this behavior, even by manually
sending the exact string to apache.  Several other apache daemons
running on the same OS, though compiled and not installed from binary
rpm, are not affected.

Ryan

On Sat, 2002-10-12 at 16:05, Andre Guimaraes wrote:
Hi all,

I have one webserver dedicated for a client communication running 
apache 1.3.22-6 on linux red hat 7.3 and almost unused. Today the 
machine had no memory or swap left (1 gig memory,512 meg swap). 
Analyzing the error logs I found this:

Lots of this in /var/log/messages:
Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 (httpd).
Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process 1016 (httpd).
Oct 12 20:32:22 web01 kernel: Out of Memory: Killed process 1020 (httpd).
Oct 12 20:34:04 web01 kernel: Out of Memory: Killed process 1026 (httpd).
Oct 12 20:34:53 web01 kernel: Out of Memory: Killed process 1025 (httpd).
Oct 12 20:35:55 web01 kernel: Out of Memory: Killed process 1031 (httpd).

Lots of this in error log:
[Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not exit, sending a SIGKILL
[Sat Oct 12 20:41:44 2002] [error] child process 1228 still did not exit, sending a SIGKILL
[Sat Oct 12 20:41:46 2002] [error] could not make child process 1072 exit, attempting to continue anyway
[Sat Oct 12 20:41:46 2002] [error] could not make child process 1080 exit, attempting to continue anyway

Few minutes before in error log:
[Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

[Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request failed: erroneous characters after protocol string: CONNECT maila.microsoft.com:25 / HTTP/1.0

This connect maila looks like someone trying to find some kind of 
proxy. What about the empty hostname? I can't figure out why that 
happened.

Thanks

----------------------------------------------------------------------
------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com








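The three log sources quoted in this thread (access log, Apache error log, kernel OOM messages) are exactly what a responder would want to triage mechanically rather than by eye. The Python below is an added example, not code from the thread or from any of its posters: it classifies access-log request lines as Code Red style /default.ida probes or CONNECT open-proxy probes, pulls Host-header errors and stuck-child SIGKILLs out of the error log, pulls httpd OOM kills out of /var/log/messages, and reports which source addresses show up both as probers and as Host-header offenders. All sample log lines are constructed to resemble the ones quoted above (shortened Code Red filler, one benign request, one non-httpd OOM kill as a negative case); the helper names and the summary layout are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the ones quoted in the thread; they are
# not captures from either poster's server.
ACCESS_LOG = """\
140.121.175.22 - - [14/Oct/2002:22:45:05 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 334 "-" "-"
10.0.0.5 - - [14/Oct/2002:22:46:10 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
207.99.78.36 - - [14/Oct/2002:22:47:31 -0500] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 0 "-" "-"
140.121.175.22 - - [14/Oct/2002:22:48:02 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3=a  HTTP/1.0" 400 334 "-" "-"
"""

ERROR_LOG = """\
[Mon Oct 14 22:45:05 2002] [error] [client 140.121.175.22] Client sent malformed Host header
[Sat Oct 12 20:16:19 2002] [error] [client 217.223.216.186] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Oct 12 20:21:09 2002] [error] [client 207.99.78.36] request failed: erroneous characters after protocol string: CONNECT maila.microsoft.com:25 / HTTP/1.0
[Sat Oct 12 20:41:44 2002] [error] child process 1227 still did not exit, sending a SIGKILL
[Sat Oct 12 20:41:46 2002] [error] could not make child process 1072 exit, attempting to continue anyway
"""

MESSAGES = """\
Oct 12 20:31:24 web01 kernel: Out of Memory: Killed process 1023 (httpd).
Oct 12 20:31:52 web01 kernel: Out of Memory: Killed process 1016 (httpd).
Oct 12 20:32:22 web01 kernel: Out of Memory: Killed process 1020 (httpd).
Oct 12 20:33:00 web01 kernel: Out of Memory: Killed process 1050 (sshd).
"""

# Common Log Format: ip ident user [time] "request" status bytes ...
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
CLIENT_RE = re.compile(r'\[client ([\d.]+)\]')
HOST_ERR_RE = re.compile(r'malformed Host header|request without hostname')
STUCK_CHILD_RE = re.compile(r'child process (\d+) still did not exit|could not make child process (\d+) exit')
OOM_RE = re.compile(r'Out of Memory: Killed process (\d+) \((\w+)\)')


def classify_request(request_line):
    """Label one access-log request line: 'codered', 'proxy-probe' or None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1].lower()
    # Code Red I/II: GET /default.ida?<filler of N or X>%u<shellcode>...  The
    # %u-encoded tail is the tell; Apache has no .ida handler and answers 400.
    if method == "GET" and target.startswith("/default.ida?") and "%u" in target:
        return "codered"
    # CONNECT host:port from the outside is an open-proxy / mail-relay scan.
    if method == "CONNECT":
        return "proxy-probe"
    return None


def triage(access_log, error_log, messages):
    """Correlate access log, error log and kernel messages into one summary."""
    summary = {
        "codered": Counter(),             # source IP -> Code Red probes
        "proxy-probe": Counter(),         # source IP -> CONNECT probes
        "host_header_errors": Counter(),  # client IP -> bad/missing Host header
        "stuck_children": [],             # httpd children Apache had to SIGKILL
        "oom_killed_httpd": [],           # httpd PIDs the kernel OOM killer took
    }
    for line in access_log.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, _time, request, _status, _size = m.groups()
        label = classify_request(request)
        if label:
            summary[label][ip] += 1
    for line in error_log.splitlines():
        client = CLIENT_RE.search(line)
        if client and HOST_ERR_RE.search(line):
            summary["host_header_errors"][client.group(1)] += 1
        stuck = STUCK_CHILD_RE.search(line)
        if stuck:
            summary["stuck_children"].append(int(stuck.group(1) or stuck.group(2)))
    for line in messages.splitlines():
        oom = OOM_RE.search(line)
        if oom and oom.group(2) == "httpd":
            summary["oom_killed_httpd"].append(int(oom.group(1)))
    return summary


def correlated_sources(summary):
    """IPs that both sent a probe and tripped a Host-header error."""
    probers = set(summary["codered"]) | set(summary["proxy-probe"])
    return sorted(probers & set(summary["host_header_errors"]))


if __name__ == "__main__":
    s = triage(ACCESS_LOG, ERROR_LOG, MESSAGES)
    for key, value in s.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
    print("correlated:", correlated_sources(s))
```

Run it against real files by reading them into the three string arguments; the Code Red check deliberately keys on the /default.ida? prefix plus a %u-encoded tail rather than the exact filler, so both the N-filled and X-filled variants are caught, and the 400 status on those lines is itself evidence the request never reached a handler. The correlation at the end is the cheap way to test the thread's hypothesis: if the hosts being OOM-killed line up in time with a source that appears in both the probe list and the Host-header errors, that is the connection to strace and netstat next, as the first reply suggests.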

