Date: Sat, 22 Jun 2002 20:33:00 -0500 From: Marius Strom <marius@marius.org> To: Anders Nordby <anders@FreeBSD.ORG> Cc: jps@funeralexchange.com, kzaraska@student.uci.agh.edu.pl, freebsd-security@FreeBSD.ORG Subject: Re: Apache FreeBSD exploit released Message-ID: <20020623013300.GB35692@marius.org> In-Reply-To: <20020622225822.GA65796@totem.fix.no> References: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com> <20020622225822.GA65796@totem.fix.no>
next in thread | previous in thread | raw e-mail | index | archive | help
fwiw, i've tested mod_blowchunks and it seems to work pretty well.
ymmv. i wasn't able to exploit before installing it, so I have no
guaranteed proof that it works (however, it doesn't seem to break
anything we've got going either.)
On Sun, 23 Jun 2002, Anders Nordby wrote:
> Hello,
>
> On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote:
> > I have been trying to crack two of my FreeBSD boxes for the past 12 hours
> > with not luck so far.
> > # 1 Server
> > apache+mod_ssl-1.3.23+2.8.7
> > 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002
> >
> > # 2 Server
> > apache+mod_ssl-1.3.17+2.8.0
> > 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002
>
> I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache
> 1.3.23, which is no its target list) for some hours, no success except
> lots of httpds exiting on signal 11.
>
> > Segmentation fault (11)
> > The only way to trace the attacker i have found so far is to do a netstat
> > during the attack and you will see the requests coming in on the requested
> > port (80 by default).
> > Anyone know of any ports or tools i could use on my servers to watch out
> > for something like this?. I have already upgraded all my production
> > servers to the latest versions to protect them but i still would like to
> > have something like this in place just to be on the safe side.
>
> I just committed ports/www/mod_blowchunks, which you can use to reject
> and log chunked requests.
>
> Cheers,
>
> --
> Anders.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
/------------------------------------------------->
Marius Strom | Always carry a short length of fibre-optic cable.
Professional Geek | If you get lost, then you can drop it on the
System/Network Admin | ground, wait 10 minutes, and ask the backhoe
http://www.marius.org/ | operator how to get back to civilization.
\-------------| Alan Frame |---------------------->
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020623013300.GB35692>