Date: Sun, 23 Jun 2002 16:33:51 -0400
From: Mike Tancsa <mike@sentex.net>
To: Marius Strom <marius@marius.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache FreeBSD exploit released
Message-ID: <5.1.0.14.0.20020623163303.071f8890@192.168.0.12>
In-Reply-To: <20020623013300.GB35692@marius.org>
References: <20020622225822.GA65796@totem.fix.no> <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com> <20020622225822.GA65796@totem.fix.no>

What does it look like in the logs on a patched version of apache?
---Mike
At 08:33 PM 6/22/2002 -0500, Marius Strom wrote:
>fwiw, i've tested mod_blowchunks and it seems to work pretty well.
>ymmv. i wasn't able to exploit before installing it, so I have no
>guaranteed proof that it works (however, it doesn't seem to break
>anything we've got going either.)
>
>On Sun, 23 Jun 2002, Anders Nordby wrote:
> > Hello,
> >
> > On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote:
> > > I have been trying to crack two of my FreeBSD boxes for the past 12 hours
> > > with no luck so far.
> > > # 1 Server
> > > apache+mod_ssl-1.3.23+2.8.7
> > > 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002
> > >
> > > # 2 Server
> > > apache+mod_ssl-1.3.17+2.8.0
> > > 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002
> >
> > I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache
> > 1.3.23, which is no its target list) for some hours, no success except
> > lots of httpds exiting on signal 11.
> >
> > > Segmentation fault (11)
> > > The only way to trace the attacker i have found so far is to do a netstat
> > > during the attack and you will see the requests coming in on the requested
> > > port (80 by default).
> > > Anyone know of any ports or tools i could use on my servers to watch out
> > > for something like this? I have already upgraded all my production
> > > servers to the latest versions to protect them but i still would like to
> > > have something like this in place just to be on the safe side.
> >
> > I just committed ports/www/mod_blowchunks, which you can use to reject
> > and log chunked requests.
> >
> > Cheers,
> >
> > --
> > Anders.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>--
> /------------------------------------------------->
>Marius Strom | Always carry a short length of fibre-optic cable.
>Professional Geek | If you get lost, then you can drop it on the
>System/Network Admin | ground, wait 10 minutes, and ask the backhoe
>http://www.marius.org/ | operator how to get back to civilization.
> \-------------| Alan Frame |---------------------->
>
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
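
The thread reports failed attempts showing up as httpd children exiting on signal 11. As an added example (not code from any poster in this thread), the following scans an Apache error log for bursts of such exits. It assumes the Apache 1.3 "child pid N exit signal ... (11)" notice format; the sample log lines are constructed, and the 60-second window and threshold of 3 are arbitrary assumptions to tune per site.

```python
import re
from datetime import datetime, timedelta

# Assumed Apache 1.3 error_log notice written when a child dies on a signal.
CHILD_EXIT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal .*\((?P<sig>\d+)\)")

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
[Sat Jun 22 17:48:01 2002] [notice] child pid 4101 exit signal Segmentation fault (11)
[Sat Jun 22 17:48:03 2002] [notice] child pid 4102 exit signal Segmentation fault (11)
[Sat Jun 22 17:48:04 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/favicon.ico
[Sat Jun 22 17:48:09 2002] [notice] child pid 4107 exit signal Segmentation fault (11)
[Sat Jun 22 17:48:30 2002] [notice] child pid 4110 exit signal Segmentation fault (11)
[Sat Jun 22 19:02:15 2002] [notice] child pid 4388 exit signal Segmentation fault (11)
""".splitlines()


def segfault_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Return [(first_timestamp, count)] for each group of at least
    `threshold` signal-11 child exits that fall within `window`."""
    times = []
    for line in lines:
        m = CHILD_EXIT.match(line)
        if m and m.group("sig") == "11":
            times.append(datetime.strptime(m.group("ts"),
                                           "%a %b %d %H:%M:%S %Y"))
    times.sort()
    bursts, i = [], 0
    while i < len(times):
        j = i
        # Extend the group while the next exit is within the window of the first.
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((times[i], count))
            i = j + 1          # skip past the reported burst
        else:
            i += 1             # isolated crash: not reported on its own
    return bursts


if __name__ == "__main__":
    for start, count in segfault_bursts(SAMPLE_LOG):
        print(f"{start.isoformat()}  {count} children exited on signal 11")
```

A single isolated segfault is ignored; only clusters are reported, which matches the "lots of httpds exiting on signal 11" pattern described in the quoted messages.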
