Re: Apache FreeBSD exploit released

From: jps@funeralexchange.com
Date: 06/23/02


Date: Sat, 22 Jun 2002 17:48:08 -0500 (CDT)
From: <jps@funeralexchange.com>
To: <kzaraska@student.uci.agh.edu.pl>

I have been trying to crack two of my FreeBSD boxes for the past 12 hours
with no luck so far.
# 1 Server
apache+mod_ssl-1.3.23+2.8.7
4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002

# 2 Server
apache+mod_ssl-1.3.17+2.8.0
4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002

If you read through the source of the exploit you will see that it's
preconfigured to only attack certain versions at this time. I do however
believe with enough tweaking and time that you would crack a box. I have
tried it so far with no luck against the systems posted above and an older
install with no luck either. The #1 server I am still trying to crack and
I will continue till it either fails or succeeds.
A couple of things to note on how to spot the attack in action. First is
that your messages logfile will be getting between 4 and 12 httpd SIG11
errors a second. Secondly, your httpd-error.log will also have similar
information.
messages.log
Jun 22 17:00:01 cremator /kernel: pid 41578 (httpd), uid 80: exited on signal 11
httpd-error.log
[Sat Jun 22 17:43:52 2002] [notice] child pid 50043 exit signal Segmentation fault (11)
The only way to trace the attacker I have found so far is to do a netstat
during the attack and you will see the requests coming in on the requested
port (80 by default).
Anyone know of any ports or tools I could use on my servers to watch out
for something like this? I have already upgraded all my production
servers to the latest versions to protect them but I still would like to
have something like this in place just to be on the safe side.
Thanks

Jeremy Suo-Anttila
jps@funeralexchange.com
iUndertake Inc./ ALLNEO Network Operations.

> For those of you who do not read bugtraq, GOBBLES have posted a new
> version of their apache exploit which is said to support also Net and
> FreeBSD.
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> // -- Stanislaw Lem
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
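The two log signatures quoted in the message above (the kernel's "exited on signal 11" notice in /var/log/messages and Apache's "child pid N exit signal Segmentation fault (11)" notice in the error log) are enough to build the watcher the poster asks for. The script below is an added example, not code from the original post or from any FreeBSD port: it parses both formats, buckets httpd segfaults by the second they occurred in, and reports every second at or above a threshold. The threshold of 4 per second is taken from the low end of the rate the poster observed; the year used for the year-less syslog lines, and all sample log lines, are constructed here for the example.

```python
#!/usr/bin/env python
"""Flag bursts of httpd segfaults in FreeBSD /var/log/messages and Apache error_log.

Added example, not from the original post. Assumes the two log formats quoted
in the post; the sample lines below are constructed, not captured.
"""
import re
from collections import Counter
from datetime import datetime

# "Jun 22 17:00:01 cremator /kernel: pid 41578 (httpd), uid 80: exited on signal 11"
KERNEL_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ /kernel: '
    r'pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid (?P<uid>\d+): '
    r'exited on signal (?P<sig>\d+)'
)
# "[Sat Jun 22 17:43:52 2002] [notice] child pid 50043 exit signal Segmentation fault (11)"
HTTPD_RE = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] '
    r'\[notice\] child pid (?P<pid>\d+) exit signal Segmentation fault \(11\)'
)


def parse_kernel_line(line, year=2002):
    """Return (timestamp, pid) for an httpd SIGSEGV exit, else None.
    syslog lines carry no year, so the caller supplies one (2002 is assumed)."""
    m = KERNEL_RE.match(line)
    if not m or m.group('proc') != 'httpd' or m.group('sig') != '11':
        return None
    ts = ' '.join(m.group('ts').split())  # collapse the "Jun  4" double space
    return datetime.strptime(f'{year} {ts}', '%Y %b %d %H:%M:%S'), int(m.group('pid'))


def parse_httpd_error_line(line):
    """Return (timestamp, pid) for an Apache child-segfault notice, else None."""
    m = HTTPD_RE.match(line)
    if not m:
        return None
    ts = ' '.join(m.group('ts').split())
    return datetime.strptime(ts, '%a %b %d %H:%M:%S %Y'), int(m.group('pid'))


def segfaults_per_second(events):
    """Count (timestamp, pid) events by the whole second they fell in."""
    return Counter(ts.replace(microsecond=0) for ts, _pid in events)


def detect_bursts(events, threshold=4):
    """Return [(second, count), ...] for every second with >= threshold segfaults."""
    buckets = segfaults_per_second(events)
    return sorted((ts, n) for ts, n in buckets.items() if n >= threshold)


def scan(lines, parser, threshold=4):
    """Run a parser over raw log lines and return the bursts found."""
    events = [ev for ev in (parser(line) for line in lines) if ev is not None]
    return detect_bursts(events, threshold)


# Constructed sample input: one non-httpd crash, one httpd SIGABRT (both must be
# ignored), a 6/sec and a 5/sec burst, a lone crash, and an unrelated sshd line.
SAMPLE_MESSAGES = (
    ["Jun 22 16:59:58 cremator /kernel: pid 41500 (perl), uid 1001: exited on signal 11",
     "Jun 22 16:59:59 cremator /kernel: pid 41501 (httpd), uid 80: exited on signal 6"]
    + [f"Jun 22 17:00:01 cremator /kernel: pid {41578 + i} (httpd), uid 80: exited on signal 11"
       for i in range(6)]
    + [f"Jun 22 17:00:02 cremator /kernel: pid {41590 + i} (httpd), uid 80: exited on signal 11"
       for i in range(5)]
    + ["Jun 22 17:00:10 cremator /kernel: pid 41601 (httpd), uid 80: exited on signal 11",
       "Jun 22 17:00:11 cremator sshd[300]: Accepted publickey for jps from 10.0.0.5 port 40112 ssh2"]
)

# Constructed sample input for the Apache error log: a startup notice, then a
# 4/sec burst followed by a single crash a second later.
SAMPLE_ERROR_LOG = (
    ["[Sat Jun 22 17:43:50 2002] [notice] Apache/1.3.23 (Unix) mod_ssl/2.8.7 configured -- resuming normal operations"]
    + [f"[Sat Jun 22 17:43:52 2002] [notice] child pid {50043 + i} exit signal Segmentation fault (11)"
       for i in range(4)]
    + ["[Sat Jun 22 17:43:53 2002] [notice] child pid 50047 exit signal Segmentation fault (11)"]
)

if __name__ == '__main__':
    for name, lines, parser in (('messages', SAMPLE_MESSAGES, parse_kernel_line),
                                ('httpd-error.log', SAMPLE_ERROR_LOG, parse_httpd_error_line)):
        for second, n in scan(lines, parser):
            print(f'{name}: {n} httpd segfaults in the second starting {second}')
```

Pointed at real files instead of the sample lists (for example `scan(open('/var/log/messages'), parse_kernel_line)`), the same functions work unchanged; per-second bucketing is deliberately coarse so that a single stray child crash never fires, while the sustained rate the poster describes does.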
