From owner-freebsd-security Sat Jun 22 18:33: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from marius.org (cdm-66-156-207-brcs.cox-internet.com [66.76.156.207]) by hub.freebsd.org (Postfix) with ESMTP id C48DE37B401; Sat, 22 Jun 2002 18:33:01 -0700 (PDT) Received: from marius.org (localhost [127.0.0.1]) by marius.org (8.12.3/8.12.3) with ESMTP id g5N1X0Nb045076; Sat, 22 Jun 2002 20:33:01 -0500 (CDT) (envelope-from marius@marius.org) Received: (from marius@localhost) by marius.org (8.12.3/8.12.3/Submit) id g5N1X0FZ045075; Sat, 22 Jun 2002 20:33:00 -0500 (CDT) Date: Sat, 22 Jun 2002 20:33:00 -0500 From: Marius Strom To: Anders Nordby Cc: jps@funeralexchange.com, kzaraska@student.uci.agh.edu.pl, freebsd-security@FreeBSD.ORG Subject: Re: Apache FreeBSD exploit released Message-ID: <20020623013300.GB35692@marius.org> Mail-Followup-To: Anders Nordby , jps@funeralexchange.com, kzaraska@student.uci.agh.edu.pl, freebsd-security@FreeBSD.ORG References: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com> <20020622225822.GA65796@totem.fix.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020622225822.GA65796@totem.fix.no> User-Agent: Mutt/1.3.99i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org fwiw, i've tested mod_blowchunks and it seems to work pretty well. ymmv. i wasn't able to exploit before installing it, so I have no guaranteed proof that it works (however, it doesn't seem to break anything we've got going either.) On Sun, 23 Jun 2002, Anders Nordby wrote: > Hello, > > On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote: > > I have been trying to crack two of my FreeBSD boxes for the past 12 hours > > with not luck so far. > > # 1 Server > > apache+mod_ssl-1.3.23+2.8.7 > > 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002 > > > > # 2 Server > > apache+mod_ssl-1.3.17+2.8.0 > > 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002 > > I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache > 1.3.23, which is no its target list) for some hours, no success except > lots of httpds exiting on signal 11. > > > Segmentation fault (11) > > The only way to trace the attacker i have found so far is to do a netstat > > during the attack and you will see the requests coming in on the requested > > port (80 by default). > > Anyone know of any ports or tools i could use on my servers to watch out > > for something like this?. I have already upgraded all my production > > servers to the latest versions to protect them but i still would like to > > have something like this in place just to be on the safe side. > > I just committed ports/www/mod_blowchunks, which you can use to reject > and log chunked requests. > > Cheers, > > -- > Anders. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- /-------------------------------------------------> Marius Strom | Always carry a short length of fibre-optic cable. Professional Geek | If you get lost, then you can drop it on the System/Network Admin | ground, wait 10 minutes, and ask the backhoe http://www.marius.org/ | operator how to get back to civilization. \-------------| Alan Frame |----------------------> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message