From owner-freebsd-security Sat Jun 22 15:47:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ns3.ideathcare.com (mail.allneo.com [216.185.96.68]) by hub.freebsd.org (Postfix) with SMTP id 1E94837B405 for ; Sat, 22 Jun 2002 15:47:26 -0700 (PDT)
Received: (qmail 51653 invoked by uid 85); 22 Jun 2002 22:51:42 -0000
Received: from jps@funeralexchange.com by ns3.ideathcare.com with qmail-scanner-1.03 (uvscan: v4.1.40/v4121. . Clean. Processed in 0.228931 secs); 22 Jun 2002 22:51:42 -0000
Received: from unknown (HELO funeralexchange.com) (216.185.99.194) by mail.allneo.com with SMTP; 22 Jun 2002 22:51:42 -0000
Received: from 66.171.47.179 (SquirrelMail authenticated user jps@funeralexchange.com) by webmail.allneo.com with HTTP; Sat, 22 Jun 2002 17:48:08 -0500 (CDT)
Message-ID: <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>
Date: Sat, 22 Jun 2002 17:48:08 -0500 (CDT)
Subject: Re: Apache FreeBSD exploit released
From:
To:
In-Reply-To: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl>
References: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl>
X-Priority: 3
Importance: Normal
X-MSMail-Priority: Normal
Cc:
X-Mailer: SquirrelMail (version 1.2.6)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I have been trying to crack two of my FreeBSD boxes for the past 12 hours with no luck so far.

# 1 Server
apache+mod_ssl-1.3.23+2.8.7
4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002

# 2 Server
apache+mod_ssl-1.3.17+2.8.0
4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002

If you read through the source of the exploit you will see that it's preconfigured to only attack certain versions at this time. I do, however, believe that with enough tweaking and time you would crack a box.
I have tried it so far with no luck against the systems posted above, and against an older install with no luck either. The #1 server I am still trying to crack, and I will continue till it either fails or succeeds.

A couple of things to note on how to spot the attack in action: first, your messages logfile will be getting between 4-12 HTTPD SIG11 errors a second. Secondly, your httpd-error.log will also have similar information.

messages.log
Jun 22 17:00:01 cremator /kernel: pid 41578 (httpd), uid 80: exited on signal 11

httpd-error.log
[Sat Jun 22 17:43:52 2002] [notice] child pid 50043 exit signal Segmentation fault (11)

The only way to trace the attacker I have found so far is to do a netstat during the attack; you will see the requests coming in on the requested port (80 by default).

Anyone know of any ports or tools I could use on my servers to watch out for something like this? I have already upgraded all my production servers to the latest versions to protect them, but I still would like to have something like this in place just to be on the safe side.

Thanks
Jeremy Suo-Anttila
jps@funeralexchange.com
iUndertake Inc./ ALLNEO Network Operations.

> For those of you who do not read bugtraq, GOBBLES have posted a new
> version of their apache exploit which is said to support also Net and
> FreeBSD.
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> // -- Stanislaw Lem
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
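An added detection example, not part of the original thread or any tool it mentions: a small Python script that parses the two log formats Jeremy quotes (the /kernel "exited on signal 11" line from messages and the Apache 1.3 "exit signal Segmentation fault (11)" line from httpd-error.log) and reports every second in which httpd children segfaulted at or above a threshold, defaulting to the 4-per-second rate he observed. The sample log lines below are constructed, modelled on the ones in the mail.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats quoted in the mail.
SAMPLE_MESSAGES = """\
Jun 22 17:00:01 cremator /kernel: pid 41578 (httpd), uid 80: exited on signal 11
Jun 22 17:00:01 cremator /kernel: pid 41580 (httpd), uid 80: exited on signal 11
Jun 22 17:00:01 cremator /kernel: pid 41583 (httpd), uid 80: exited on signal 11
Jun 22 17:00:01 cremator /kernel: pid 41587 (httpd), uid 80: exited on signal 11
Jun 22 17:00:02 cremator /kernel: pid 41590 (httpd), uid 80: exited on signal 11
Jun 22 17:05:30 cremator sshd[123]: Accepted publickey for admin
"""

SAMPLE_ERROR_LOG = """\
[Sat Jun 22 17:43:52 2002] [notice] child pid 50043 exit signal Segmentation fault (11)
[Sat Jun 22 17:43:52 2002] [notice] child pid 50044 exit signal Segmentation fault (11)
[Sat Jun 22 17:43:53 2002] [error] [client 10.0.0.5] File does not exist: /favicon.ico
"""

# syslog form: "Jun 22 17:00:01 host /kernel: pid N (httpd), uid 80: exited on signal 11"
SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: pid \d+ \(httpd\), "
    r"uid \d+: exited on signal 11\s*$")
# Apache 1.3 form: "[Sat Jun 22 17:43:52 2002] [notice] child pid N exit signal Segmentation fault (11)"
APACHE_RE = re.compile(
    r"^\[(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\] \[notice\] child pid \d+ "
    r"exit signal Segmentation fault \(11\)")

def segfault_timestamps(text):
    """Return a 'Mon DD HH:MM:SS' key for every httpd SIGSEGV event in `text`."""
    keys = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            keys.append(" ".join(m.group(1).split()))  # normalise day padding
            continue
        m = APACHE_RE.match(line)
        if m:
            parts = m.group(1).split()  # ['Sat', 'Jun', '22', '17:43:52', '2002']
            keys.append(" ".join(parts[1:4]))  # drop weekday and year to match syslog key
    return keys

def bursty_seconds(text, threshold=4):
    """Seconds in which httpd children died on SIGSEGV at least `threshold` times."""
    counts = Counter(segfault_timestamps(text))
    return sorted((k, n) for k, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for key, n in bursty_seconds(SAMPLE_MESSAGES + SAMPLE_ERROR_LOG):
        print(f"{key}: {n} httpd segfaults in one second")
```

Pointing it at the live files (or a `tail -f` pipe) and paging on any hit turns the rate Jeremy describes into an alert without needing a netstat during the attack.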