From owner-freebsd-security Sat Jun 22 15:58:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from totem.fix.no (totem.fix.no [80.91.32.29]) by hub.freebsd.org (Postfix) with ESMTP id 68F6F37B400 for ; Sat, 22 Jun 2002 15:58:14 -0700 (PDT)
Received: by totem.fix.no (Postfix, from userid 1000) id 67B24202E6; Sun, 23 Jun 2002 00:58:22 +0200 (CEST)
Date: Sun, 23 Jun 2002 00:58:22 +0200
From: Anders Nordby
To: jps@funeralexchange.com
Cc: kzaraska@student.uci.agh.edu.pl, freebsd-security@freebsd.org
Subject: Re: Apache FreeBSD exploit released
Message-ID: <20020622225822.GA65796@totem.fix.no>
References: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>
User-Agent: Mutt/1.3.99i
X-PGP-Key: http://anders.fix.no/pgp/
X-PGP-Key-FingerPrint: 1E0F C53C D8DF 6A8F EAAD 19C5 D12A BC9F 0083 5956
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote:
> I have been trying to crack two of my FreeBSD boxes for the past 12 hours
> with no luck so far.
> # 1 Server
> apache+mod_ssl-1.3.23+2.8.7
> 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002
>
> # 2 Server
> apache+mod_ssl-1.3.17+2.8.0
> 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002

I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache
1.3.23, which is no its target list) for some hours, no success except
lots of httpds exiting on signal 11.

> Segmentation fault (11)
> The only way to trace the attacker I have found so far is to do a netstat
> during the attack and you will see the requests coming in on the requested
> port (80 by default).
> Anyone know of any ports or tools I could use on my servers to watch out
> for something like this? I have already upgraded all my production
> servers to the latest versions to protect them but I still would like to
> have something like this in place just to be on the safe side.

I just committed ports/www/mod_blowchunks, which you can use to reject
and log chunked requests.

Cheers,

-- 
Anders.
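
Both messages above report httpd children dying on signal 11, and the question is how to watch for that. As an added example (not part of the original message and not code from mod_blowchunks), this Python sketch scans Apache 1.3 error_log lines for bursts of child segfaults; the threshold, time window and sample log lines are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Apache 1.3 error_log entry written when a child process dies on SIGSEGV.
CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal Segmentation fault \(11\)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Sat Jun 22 17:41:02 2002"

# Constructed sample input, not taken from any real server.
SAMPLE_LOG = [
    "[Sat Jun 22 17:41:02 2002] [notice] child pid 4711 exit signal Segmentation fault (11)",
    "[Sat Jun 22 17:41:03 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/favicon.ico",
    "[Sat Jun 22 17:41:05 2002] [notice] child pid 4712 exit signal Segmentation fault (11)",
    "[Sat Jun 22 17:41:09 2002] [notice] child pid 4715 exit signal Segmentation fault (11)",
    "[Sat Jun 22 17:41:30 2002] [notice] child pid 4720 exit signal Segmentation fault (11)",
    "[Sat Jun 22 18:30:00 2002] [notice] child pid 4801 exit signal Segmentation fault (11)",
]

def find_segfault_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return (first_crash, last_crash, count) for every run of child
    segfaults that reaches `threshold` crashes inside `window`."""
    recent = deque()   # crash timestamps still inside the sliding window
    bursts = []
    in_burst = False
    for line in lines:
        m = CRASH_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue   # unparseable timestamp: skip rather than guess
        while recent and ts - recent[0] > window:
            recent.popleft()
        recent.append(ts)
        if len(recent) < threshold:
            in_burst = False            # isolated crash, below alert level
        elif in_burst:
            start, _, count = bursts[-1]
            bursts[-1] = (start, ts, count + 1)   # extend the open burst
        else:
            bursts.append((recent[0], ts, len(recent)))
            in_burst = True
    return bursts

if __name__ == "__main__":
    for start, end, count in find_segfault_bursts(SAMPLE_LOG):
        print(f"{count} httpd children segfaulted between {start} and {end}")
```

A single crash an hour later does not open a new burst, so occasional unrelated segfaults stay below the alert threshold.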