woody apache/ssl - security issue?
I have had a public woody webserver fail twice in the last three days.
I suspect some form of probing or DOS attack that freezes the Apache
server (recent SSL issues?)
Symptoms:
Apache stops dishing pages - no log or error messages
netstat shows Apache still listening
/etc/init.d/apache stop fails to kill all apache processes
have to killapp apache and kill -9 some individual apache processes
no cores, no messages in syslog, daemon.log or messages
access log - last entry before apache freeze
xxx.xxx.xxx.xxx - - [25/Sep/2002:08:56:00 +0100] "GET / HTTP/1.1" 400 377
error log - last entry before apache freeze
[Wed Sep 25 08:56:00 2002] [error] [client xxx.xxx.xxx.xxx] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
netstat -leapn | grep apache
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 172124 15537/apache
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 172123 15537/apache
tcp 0 0 192.168.120.20:80 xx.xx.xx.xx:25774 ESTABLISHED 33 1048158 16738/apache
tcp 0 0 192.168.120.20:80 xx.xx.xx.xx:25769 ESTABLISHED 33 1048154 15537/apache
unix 2 [ ] STREAM CONNECTED 1048156 15537/apache
unix 2 [ ] STREAM CONNECTED 615035 16738/apache
Linux 2.4.18 SMP i686 from Debian kernel source package
dpkg shows the following installed:
apache 1.3.26-0woody1
openssl 0.9.6c-2.woody.1
libssl0.9.6 0.9.6c-2.woody.1
libapache-mod-ssl 2.8.9-2
php4 4.1.2-5
php4-mysql 4.1.2-5
apt tells me that all this is up to date.
Any clues or suggestions appreciated.
TIA
Jeff