Re: Apache FreeBSD exploit released

From: Anders Nordby (anders@FreeBSD.org)
Date: 06/23/02 

Date: Sun, 23 Jun 2002 00:58:22 +0200
From: Anders Nordby <anders@FreeBSD.org>
To: jps@funeralexchange.com

Hello,

On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote:
> I have been trying to crack two of my FreeBSD boxes for the past 12 hours
> with not luck so far.
> # 1 Server
> apache+mod_ssl-1.3.23+2.8.7
> 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002
>
> # 2 Server
> apache+mod_ssl-1.3.17+2.8.0
> 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002

I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache
1.3.23, which is no its target list) for some hours, no success except
lots of httpds exiting on signal 11.

> Segmentation fault (11)
> The only way to trace the attacker i have found so far is to do a netstat
> during the attack and you will see the requests coming in on the requested
> port (80 by default).
> Anyone know of any ports or tools i could use on my servers to watch out
> for something like this?. I have already upgraded all my production
> servers to the latest versions to protect them but i still would like to
> have something like this in place just to be on the safe side.

I just committed ports/www/mod_blowchunks, which you can use to reject
and log chunked requests.

Cheers, 

-- 
Anders.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • Re: Wierd 301 Moved Loop in OWA
    ... appears to be some sort of endless redirect loop. ... The server responds with a 301 ... a non standard port for regular HTTP and then the usual 443 port for ... redirects all requests to HTTPS. ...
    (microsoft.public.exchange.admin)
  • Re: Is it true that All communication between front-end and back-end servers goes through TCP port
    ... between front-end and back-end servers is on port 80. ... > Mail server administrator, MCSA/MCSE ... >>>> from any front-end server in your organization. ... Proxy requests are ...
    (microsoft.public.exchange2000.general)
  • RE: Port 113 requests?
    ... it's common practice to REJECT port 113 requests rather than DENY ... server to server. ... my mail server as it really doesn't do any good. ...
    (Incidents)
  • Re: Activesync / Airsync - Alternative Ports
    ... Another idea is to use the PPTP capabilities of a Windows Server to allow ... Satellite - Cisco Firewall - Exchange Server ... So on the server side you would configure the port 80 to redirect to 8888 ... the firewall would receive the requests on port ...
    (microsoft.public.pocketpc.activesync)
  • Re: Newbie: Network Sockets and Ports
    ... > I have a server that is listening to a single port. ... > will send requests to the server for several different services. ... > service 1 listens to port: ...
    (comp.lang.java.programmer)