Re: New worm segfaults apache

From: Chris Hardie (chris@summersault.com)
Date: 09/19/01 

Date: Tue, 18 Sep 2001 18:14:26 -0500 (EST)
From: Chris Hardie <chris@summersault.com>
To: Chip McClure <vhm3@hades.dnsalias.net>
Subject: Re: New worm segfaults apache
Message-ID: <Pine.BSF.4.40.0109181811000.79903-100000@nollie.summersault.com>

We're presently experiencing the same behavior on FreeBSD 4.3 with Apache
1.3.20 mod_ssl/2.8.4 OpenSSL/0.9.6b. It seems to be load related: we have
several other boxes on the network with the same config/versions, but that
are much lower load and aren't experiencing the segfaults. For reference,
the one that IS having problems is serving 3.29 requests/sec - 17.0
kB/second - 5.2 kB/request. The normal load is about 1.7 requests/sec.

Any ideas on what's causing this, or a good way to track/truss the child
process to see what it's doing when it dies?

Chris

On Tue, 18 Sep 2001, Chip McClure wrote:

> Which version of apache, and what OS are you running?
>
> Running Apache 2.0.16, FreeBSD 4.3 - never had a segfault - and a ton of
> probes against it.
>
> ----
> Chip McClure
> Sr Unix Administrator
> GigGuardian, Inc.
>
> http://www.gigguardian.com/
> ----
>
> On Tue, 18 Sep 2001, bugtraq wrote:
>
> > Hello,
> >
> >
> > Over 15 times my apache has segfaulted whenever I get scanned by this worm.
> >
> > Sep 18 13:30:15 cgisecurity /kernel: pid 35290 (httpd), uid 1003: exited on signal 11
> > Sep 18 13:38:03 cgisecurity /kernel: pid 35390 (httpd), uid 1003: exited on signal 11
> > Sep 18 14:06:00 cgisecurity /kernel: pid 35391 (httpd), uid 1003: exited on signal 11
> > Sep 18 14:20:51 cgisecurity /kernel: pid 35453 (httpd), uid 1003: exited on signal 11
> > Sep 18 15:27:22 cgisecurity /kernel: pid 35740 (httpd), uid 1003: exited on signal 11
> > ^C
> >
> > Any idea why apache is segfaulting? I have 250 megs of free ram without proccess limits and
> > it segfaults. Also I tried every string and have been unable to replicate it manually.
> >
> > - admin@cgisecurity.com
> >

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

  Chris Hardie - Principal
  Summersault, LLC - website development
  ph: 765-939-9301 x221 fax: 765-935-6798
  914 E. Main St., Richmond, IN 47374
  mailto:chris@summersault.com
  http://www.summersault.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Relevant Pages

  • Re: New worm segfaults apache
    ... > We're presently experiencing the same behavior on FreeBSD 4.3 with Apache ... > are much lower load and aren't experiencing the segfaults. ...
    (Incidents)
  • Re: apache-mpm-prefork debian perfomance tuning
    ... Will it server well about 1,000 users simultaneously? ... apache and keep an eye out for pages taking longer than 0 seconds. ... generator like 'httperf', ... magnify and contribute to heavy load on the system when it gets busy. ...
    (Debian-User)
  • Re: thread priority
    ... I will see the load on the Apache is growing up. ... bypass apache and go straight to the database. ... the web-app to the test server. ...
    (comp.lang.perl.misc)
  • Re: New worm segfaults apache
    ... Subject: New worm segfaults apache ... :> For more information on this free incident handling, ...
    (Incidents)
  • Re: about httpd.conf and ssl.conf
    ... You might want your non-secure virtual hosts defined in the ... Then, in the ssl.conf, AFTER THE MODULE LOAD - apache processes this ... Once that's done, and the interfaces are enabled, *now* restart apache, ... Mail has the best spam protection around ...
    (RedHat)
Quantcast