
woody apache/ssl - security issue?



I have had a public woody webserver fail twice in the last three days.
I suspect some form of probing or DOS attack that freezes the Apache
server (recent SSL issues?)

Symptoms:
 Apache stops dishing pages - no log or error messages
 netstat shows Apache still listening
 /etc/init.d/apache stop fails to kill all apache processes
 have to killapp apache and kill -9 some individual apache processes
 no cores, no messages in syslog, daemon.log or messages

access log - last entry before apache freeze
 xxx.xxx.xxx.xxx - - [25/Sep/2002:08:56:00 +0100] "GET / HTTP/1.1" 400 377

error log - last entry before apache freeze
 [Wed Sep 25 08:56:00 2002] [error] [client xxx.xxx.xxx.xxx] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

netstat -leapn | grep apache
tcp        0      0 0.0.0.0:80              0.0.0.0:*            LISTEN      0          172124     15537/apache
tcp        0      0 0.0.0.0:443             0.0.0.0:*            LISTEN      0          172123     15537/apache
tcp        0      0 192.168.120.20:80       xx.xx.xx.xx:25774    ESTABLISHED 33         1048158    16738/apache
tcp        0      0 192.168.120.20:80       xx.xx.xx.xx:25769    ESTABLISHED 33         1048154    15537/apache
unix  2      [ ]         STREAM     CONNECTED     1048156 15537/apache
unix  2      [ ]         STREAM     CONNECTED     615035 16738/apache

Linux 2.4.18 SMP i686 from Debian kernel source package
dpkg shows the following installed:
 apache               1.3.26-0woody1
 openssl              0.9.6c-2.woody.1 
 libssl0.9.6          0.9.6c-2.woody.1
 libapache-mod-ssl    2.8.9-2
 php4                 4.1.2-5
 php4-mysql           4.1.2-5

apt tells me that all this is up to date.

Any clues or suggestions appreciated.

TIA
Jeff
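
An added triage example, not part of the original post: it finds the last access-log entry before each period of silence and pairs it with error-log messages from the same client in the same second, which is the comparison made by hand above across repeated freezes. The sample log lines, the client addresses, the 30-minute silence threshold and all function names are assumptions made for illustration; a match shows which request preceded a stall, not what caused it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the entries quoted in the post;
# the client addresses are documentation-range placeholders.
ACCESS_LOG = """\
192.0.2.10 - - [25/Sep/2002:08:41:12 +0100] "GET /index.html HTTP/1.1" 200 5120
192.0.2.77 - - [25/Sep/2002:08:56:00 +0100] "GET / HTTP/1.1" 400 377
192.0.2.10 - - [25/Sep/2002:10:31:45 +0100] "GET /index.html HTTP/1.1" 200 5120
"""
ERROR_LOG = """\
[Wed Sep 25 08:56:00 2002] [error] [client 192.0.2.77] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[(\w+)\] \[client ([^\]]+)\] (.*)$')

def parse_access(text):
    """Yield (timestamp, client, request, status) from Common Log Format lines."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group(1), m.group(3), int(m.group(4))

def parse_errors(text):
    """Yield (timestamp, client, message) from Apache 1.3 style error-log lines."""
    for line in text.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group(3), m.group(4)

def last_before_gaps(access_text, min_gap=timedelta(minutes=30)):
    """Return access entries that are followed by at least min_gap of silence."""
    entries = sorted(parse_access(access_text), key=lambda e: e[0])
    return [a for a, b in zip(entries, entries[1:]) if b[0] - a[0] >= min_gap]

def same_second_errors(entry, error_text):
    """Return error-log messages from the entry's client in the same second."""
    local = entry[0].replace(tzinfo=None)  # error-log timestamps carry no zone
    return [msg for ts, client, msg in parse_errors(error_text)
            if client == entry[1] and ts == local]

if __name__ == "__main__":
    for entry in last_before_gaps(ACCESS_LOG):
        print(entry[0], entry[1], entry[2], entry[3], same_second_errors(entry, ERROR_LOG))
```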


