From owner-freebsd-security Mon Jul 1 2: 8: 3 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id A3F4E37B400
    for ; Mon, 1 Jul 2002 02:08:01 -0700 (PDT)
Received: from grouper.daryl.org (64-51-175-231.client.dsl.net [64.51.175.231])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 8F3EC43E0A
    for ; Mon, 1 Jul 2002 02:07:52 -0700 (PDT)
    (envelope-from Elan@daryl.org)
Received: from ten ([209.214.90.4]) by grouper.daryl.org with Microsoft SMTPSVC(5.0.2195.2966);
    Mon, 1 Jul 2002 05:06:10 -0400
From: "Elan Hasson"
To: "Brett Glass" , , "Domas Mituzas"
Cc: , ,
Subject: RE: Apache worm in the wild
Date: Mon, 1 Jul 2002 05:06:33 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
In-Reply-To: <4.3.2.7.2.20020628112127.024d9410@localhost>
X-OriginalArrivalTime: 01 Jul 2002 09:06:12.0065 (UTC) FILETIME=[8BD58510:01C220DE]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Dunno if anyone saw this:

http://news.com.com/2100-1001-940585.html

-----Original Message-----
From: Brett Glass [mailto:brett@lariat.org]
Sent: Friday, June 28, 2002 1:27 PM
To: flynn@energyhq.homeip.net; Domas Mituzas
Cc: freebsd-security@FreeBSD.ORG; bugtraq@securityfocus.com; os_bsd@konferencijos.lt
Subject: Re: Apache worm in the wild

At 05:38 AM 6/28/2002, flynn@energyhq.homeip.net wrote:

>I wonder how many variants of this kind of thing we'll see, but I assume most people
>running Apache have upgraded already.

Upgrading Apache may prevent your system from being taken over, but it doesn't necessarily prevent it from being DoSed.

One of my Apache servers, which had been upgraded to 2.0.39, went berserk on June 25th, spawning the maximum number of child processes and then locking up. The server did not appear to have been infiltrated, but the logs were filled with megabytes of messages indicating that the child processes were repeatedly trying to free chunks of memory that were already free. Probably the result of an attempted exploit going awry. (It could have been aimed at Linux, or at a different version of Apache; can't tell. But clearly it got somewhere, though not all the way.)

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message