From owner-freebsd-security Sun Jun 23 13:35:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from vinyl2.sentex.ca (vinyl2.sentex.ca [199.212.134.13]) by hub.freebsd.org (Postfix) with ESMTP id F172C37B400 for ; Sun, 23 Jun 2002 13:35:37 -0700 (PDT) Received: from house.sentex.net (cage.simianscience.com [64.7.134.1]) (authenticated bits=0) by vinyl2.sentex.ca (8.12.3/8.12.2) with ESMTP id g5NKZYdc003880; Sun, 23 Jun 2002 16:35:35 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20020623163303.071f8890@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Sun, 23 Jun 2002 16:33:51 -0400 To: Marius Strom From: Mike Tancsa Subject: Re: Apache FreeBSD exploit released Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020623013300.GB35692@marius.org> References: <20020622225822.GA65796@totem.fix.no> <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com> <20020622225822.GA65796@totem.fix.no> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org What does it looks like in the logs on a patched version of apache ? ---Mike At 08:33 PM 6/22/2002 -0500, Marius Strom wrote: >fwiw, i've tested mod_blowchunks and it seems to work pretty well. >ymmv. i wasn't able to exploit before installing it, so I have no >guaranteed proof that it works (however, it doesn't seem to break >anything we've got going either.) > >On Sun, 23 Jun 2002, Anders Nordby wrote: > > Hello, > > > > On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote: > > > I have been trying to crack two of my FreeBSD boxes for the past 12 hours > > > with not luck so far. > > > # 1 Server > > > apache+mod_ssl-1.3.23+2.8.7 > > > 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002 > > > > > > # 2 Server > > > apache+mod_ssl-1.3.17+2.8.0 > > > 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002 > > > > I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache > > 1.3.23, which is no its target list) for some hours, no success except > > lots of httpds exiting on signal 11. > > > > > Segmentation fault (11) > > > The only way to trace the attacker i have found so far is to do a netstat > > > during the attack and you will see the requests coming in on the > requested > > > port (80 by default). > > > Anyone know of any ports or tools i could use on my servers to watch out > > > for something like this?. I have already upgraded all my production > > > servers to the latest versions to protect them but i still would like to > > > have something like this in place just to be on the safe side. > > > > I just committed ports/www/mod_blowchunks, which you can use to reject > > and log chunked requests. > > > > Cheers, > > > > -- > > Anders. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > >-- > /-------------------------------------------------> >Marius Strom | Always carry a short length of fibre-optic cable. >Professional Geek | If you get lost, then you can drop it on the >System/Network Admin | ground, wait 10 minutes, and ask the backhoe >http://www.marius.org/ | operator how to get back to civilization. > \-------------| Alan Frame |----------------------> > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message