Date: Sun, 23 Jun 2002 16:36:01 -0500
From: Marius Strom
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache FreeBSD exploit released
Message-ID: <20020623213601.GC3015@marius.org>

Snippet from my logs:

[Sat Jun 22 17:42:47 2002] [error] [client X.X.X.X] Transfer-Encoding: chunked - denied and logged

On Sun, 23 Jun 2002, Mike Tancsa wrote:

>
> What does it look like in the logs on a patched version of apache ?
>
>          ---Mike
>
> At 08:33 PM 6/22/2002 -0500, Marius Strom wrote:
> >fwiw, i've tested mod_blowchunks and it seems to work pretty well.
> >ymmv. i wasn't able to exploit before installing it, so I have no
> >guaranteed proof that it works (however, it doesn't seem to break
> >anything we've got going either.)
> >
> >On Sun, 23 Jun 2002, Anders Nordby wrote:
> >> Hello,
> >>
> >> On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote:
> >> > I have been trying to crack two of my FreeBSD boxes for the past 12 hours
> >> > with no luck so far.
> >> > # 1 Server
> >> > apache+mod_ssl-1.3.23+2.8.7
> >> > 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002
> >> >
> >> > # 2 Server
> >> > apache+mod_ssl-1.3.17+2.8.0
> >> > 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002
> >>
> >> I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache
> >> 1.3.23, which is no its target list) for some hours, no success except
> >> lots of httpds exiting on signal 11.
> >>
> >> > Segmentation fault (11)
> >> > The only way to trace the attacker i have found so far is to do a netstat
> >> > during the attack and you will see the requests coming in on the requested
> >> > port (80 by default).
> >> > Anyone know of any ports or tools i could use on my servers to watch out
> >> > for something like this? I have already upgraded all my production
> >> > servers to the latest versions to protect them but i still would like to
> >> > have something like this in place just to be on the safe side.
> >>
> >> I just committed ports/www/mod_blowchunks, which you can use to reject
> >> and log chunked requests.
> >>
> >> Cheers,
> >>
> >> --
> >> Anders.
> >>
> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> with "unsubscribe freebsd-security" in the body of the message
> >
> >--
> >   /------------------------------------------------->
> >Marius Strom           | Always carry a short length of fibre-optic cable.
> >Professional Geek      | If you get lost, then you can drop it on the
> >System/Network Admin   | ground, wait 10 minutes, and ask the backhoe
> >http://www.marius.org/ | operator how to get back to civilization.
> >   \-------------| Alan Frame |---------------------->
>
> --------------------------------------------------------------------
> Mike Tancsa,                              tel +1 519 651 3400
> Sentex Communications,                    mike@sentex.net
> Providing Internet since 1994             www.sentex.net
> Cambridge, Ontario Canada                 www.sentex.net/mike
>

--
   /------------------------------------------------->
Marius Strom           | Always carry a short length of fibre-optic cable.
Professional Geek      | If you get lost, then you can drop it on the
System/Network Admin   | ground, wait 10 minutes, and ask the backhoe
http://www.marius.org/ | operator how to get back to civilization.
   \-------------| Alan Frame |---------------------->
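
Added example, not part of the original thread or of mod_blowchunks: a small Python scan of an Apache error log that counts the mod_blowchunks denial line quoted above per client and flags bursts of httpd children exiting on signal 11. The crash-notice format, the 5-minute window, the threshold of 3 and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Denial line as quoted in the message above (logged by mod_blowchunks).
DENIED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"Transfer-Encoding: chunked - denied and logged")
# Assumption: usual Apache 1.3 child-crash notice; the thread only says "signal 11".
CRASH = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) exit signal "
    r"Segmentation fault \(11\)")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

def scan(lines, window=timedelta(minutes=5), crash_threshold=3):
    """Return (denials per client, [(burst start, crash count), ...])."""
    denied, crashes = Counter(), []
    for line in lines:
        m = DENIED.match(line)
        if m:
            denied[m.group("ip")] += 1
            continue
        m = CRASH.match(line)
        if m:
            crashes.append(datetime.strptime(m.group("ts"), TS_FORMAT))
    crashes.sort()
    bursts, i = [], 0
    while i < len(crashes):
        j = i  # extend j while crashes stay inside the window opened at i
        while j + 1 < len(crashes) and crashes[j + 1] - crashes[i] <= window:
            j += 1
        if j - i + 1 >= crash_threshold:
            bursts.append((crashes[i], j - i + 1))
        i = j + 1
    return denied, bursts

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    "[Sat Jun 22 17:42:47 2002] [error] [client 192.0.2.10] Transfer-Encoding: chunked - denied and logged",
    "[Sat Jun 22 17:42:49 2002] [error] [client 192.0.2.10] Transfer-Encoding: chunked - denied and logged",
    "[Sat Jun 22 17:43:05 2002] [error] [client 198.51.100.7] Transfer-Encoding: chunked - denied and logged",
    "[Sat Jun 22 17:50:01 2002] [notice] child pid 411 exit signal Segmentation fault (11)",
    "[Sat Jun 22 17:50:03 2002] [notice] child pid 412 exit signal Segmentation fault (11)",
    "[Sat Jun 22 17:51:10 2002] [notice] child pid 415 exit signal Segmentation fault (11)",
    "[Sat Jun 22 19:02:00 2002] [notice] child pid 502 exit signal Segmentation fault (11)",
    "[Sat Jun 22 19:05:00 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/x",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A burst of signal 11 exits with no matching denial lines suggests chunked requests are reaching an httpd that is neither patched nor filtered.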