Date: Fri, 28 Jun 2002 11:27:13 -0600
To: flynn@energyhq.homeip.net, Domas Mituzas
From: Brett Glass
Subject: Re: Apache worm in the wild
Cc: freebsd-security@FreeBSD.ORG, bugtraq@securityfocus.com, os_bsd@konferencijos.lt

At 05:38 AM 6/28/2002, flynn@energyhq.homeip.net wrote:

>I wonder how many variants of this kind of thing we'll see, but I assume most people
>running Apache have upgraded already.

Upgrading Apache may prevent your system from being taken over, but it
doesn't necessarily prevent it from being DoSed. One of my Apache servers,
which had been upgraded to 2.0.39, went berserk on June 25th, spawning the
maximum number of child processes and then locking up. The server did not
appear to have been infiltrated, but the logs were filled with megabytes of
messages indicating that the child processes were repeatedly trying to
free chunks of memory that were already free. Probably the result of an
attempted exploit going awry. (It could have been aimed at Linux, or at a
different version of Apache; can't tell. But clearly it got somewhere, though
not all the way.)

--Brett