Date: Sat, 22 Jun 2002 17:48:08 -0500 (CDT)
From: <jps@funeralexchange.com>
To: <kzaraska@student.uci.agh.edu.pl>
Cc: <freebsd-security@freebsd.org>
Subject: Re: Apache FreeBSD exploit released
Message-ID: <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>
In-Reply-To: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl>
References: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl>

I have been trying to crack two of my FreeBSD boxes for the past 12 hours
with no luck so far.

# 1 Server
apache+mod_ssl-1.3.23+2.8.7
4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002

# 2 Server
apache+mod_ssl-1.3.17+2.8.0
4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002

If you read through the source of the exploit you will see that it's
preconfigured to only attack certain versions at this time. I do however
believe with enough tweaking and time that you would crack a box. I have
tried it so far with no luck against the system posted above and an older
install with no luck either. The #1 server I am still trying to crack and
I will continue till it either fails or succeeds.

A couple of things to note on how to spot the attack in action. First is
that your messages logfile will be getting between 4-12 HTTPD SIG11 errors
a second. Secondly your httpd-error.log will also have similar
information.

messages.log
Jun 22 17:00:01 cremator /kernel: pid 41578 (httpd), uid 80: exited on signal 11

httpd-error.log
[Sat Jun 22 17:43:52 2002] [notice] child pid 50043 exit signal Segmentation fault (11)

The only way to trace the attacker I have found so far is to do a netstat
during the attack and you will see the requests coming in on the requested
port (80 by default).

Anyone know of any ports or tools I could use on my servers to watch out
for something like this? I have already upgraded all my production servers
to the latest versions to protect them but I still would like to have
something like this in place just to be on the safe side.

Thanks

Jeremy Suo-Anttila
jps@funeralexchange.com
iUndertake Inc./ ALLNEO Network Operations.

> For those of you who do not read bugtraq, GOBBLES have posted a new
> version of their apache exploit which is said to support also Net and
> FreeBSD.
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the
> chance. // -- Stanislaw Lem
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
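
Added example (not part of the original message or of any tool it mentions): a small Python watcher for the symptom described above, a burst of httpd signal 11 exits within one second. The threshold of 4 is taken from the low end of the "4-12 a second" figure in the message; the function names, the year parameter and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Patterns for the two log line shapes quoted in the message.
SYSLOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /kernel: pid \d+ \(httpd\), "
    r"uid \d+: exited on signal 11\b")
APACHE_RE = re.compile(
    r"^\[\w{3} (\w{3} +\d+ \d\d:\d\d:\d\d \d{4})\] \[notice\] "
    r"child pid \d+ exit signal Segmentation fault \(11\)")

def crash_time(line, year=2002):
    """Return the timestamp of an httpd SIGSEGV log line, or None."""
    m = SYSLOG_RE.match(line)
    if m:  # syslog lines carry no year, so the caller supplies one
        return datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
    m = APACHE_RE.match(line)
    if m:
        return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return None

def crash_bursts(lines, threshold=4, year=2002):
    """Return {second: count} for seconds with >= threshold httpd crashes.

    Feed one log at a time: the same crash appears in both the messages
    log and httpd-error.log, so mixing them would double count.
    """
    per_second = Counter()
    for line in lines:
        ts = crash_time(line, year)
        if ts is not None:
            per_second[ts] += 1
    return {ts: n for ts, n in sorted(per_second.items()) if n >= threshold}

# Constructed sample: five crashes in one second, one isolated crash,
# and one unrelated line that must be ignored.
SAMPLE = [
    f"Jun 22 17:00:01 cremator /kernel: pid {41578 + i} (httpd), "
    "uid 80: exited on signal 11" for i in range(5)
] + [
    "Jun 22 17:00:02 cremator /kernel: pid 41590 (httpd), uid 80: "
    "exited on signal 11",
    "Jun 22 17:00:02 cremator sshd[212]: Accepted password for jps",
]

if __name__ == "__main__":
    for second, count in crash_bursts(SAMPLE).items():
        print(f"{second}: {count} httpd segfaults in one second")
```

A single segfault is ordinary noise, so the isolated crash at 17:00:02 is not reported; only the sustained per-second rate is.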