Bug#312390: marked as done (apache-ssl: apache-ssl uses 100% cpu after bogus http request)
Your message dated Wed, 8 Jun 2005 11:36:41 +1000 (EST)
with message-id <21999.203.49.196.168.1118194601.squirrel@mail.0c3.net>
and subject line Bug#312390: apache-ssl: apache-ssl uses 100% cpu after bogus http request
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Jun 2005 21:51:10 +0000
From matt@ginzton.net Tue Jun 07 14:51:10 2005
Return-path: <matt@ginzton.net>
Received: from skynet.ginzton.net (mail.ginzton.net) [69.36.243.55]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DflyY-0003n8-00; Tue, 07 Jun 2005 14:51:10 -0700
Received: from localhost (localhost [127.0.0.1])
(uid 1000)
by mail.ginzton.net with local; Tue, 07 Jun 2005 14:51:09 -0700
From: Matt Ginzton <matt@ginzton.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache-ssl: apache-ssl uses 100% cpu after bogus http request
X-Mailer: reportbug 1.50
Date: Tue, 07 Jun 2005 14:51:09 -0700
Message-ID: <courier.42A616CD.00005E48@mail.ginzton.net>
X-BadReturnPath: magi@localhost rewritten as matt@ginzton.net
using "From" header
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: apache-ssl
Version: 1.3.26.1+1.48-0woody3
Severity: grave
Tags: security
Justification: user security hole
I'm using debian woody, with the apache-ssl server, and several times over
the past two months I've seen the server start using 100% cpu (per process;
sometimes just one apache-ssl process is affected; sometimes as many as
12!). I'm filing this with a rather aggressive priority since it appears
to be a remotely accessible DoS exploit, though no user data seems to be
compromised.
When this happens, I've looked at apache's access.log, and each time I've
found requests that look like
213.148.18.198 - - [07/Jun/2005:01:20:55 -0700] "GET / HTTP/1.1" 200 7090 "http://www.qptv.ru" "MSIE 6.0"
213.148.18.198 - - [07/Jun/2005:01:20:55 -0700] "\t\x15\x10" 400 - "-" "-"
repeated over and over, near the time I estimate the server started
sucking up 100% cpu. Always from that exact IP address
(213.148.18.198, for which I can find no information), and always, a
pair of requests, "GET /" followed by "\t\x15\x10".
I'd think this has been reported before, but google turns up no hits for
the offending IP address.
When this happens, I've tried strace'ing the apache-ssl process, and all it
does is set timers and then wake up with SIGITIMER repeatedly.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux skynet 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages apache-ssl depends on:
ii apache-common 1.3.26-0woody6 Support files for all Apache webse
ii dpkg 1.9.21 Package maintenance system for Deb
ii libc6 2.2.5-11.8 GNU C Library: Shared libraries an
ii libdb2 2:2.7.7.0-7 The Berkeley database routines (ru
ii libexpat1 1.95.2-6 XML parsing C library - runtime li
ii libssl0.9.6 0.9.6c-2.woody.7 SSL shared libraries
ii logrotate 3.5.9-8 Log rotation utility
ii mime-support 3.18-1.3 MIME files 'mime.types' & 'mailcap
ii openssl 0.9.6c-2.woody.7 Secure Socket Layer (SSL) binary a
ii perl 5.6.1-8.9 Larry Wall's Practical Extraction
ii perl [perl5] 5.6.1-8.9 Larry Wall's Practical Extraction
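A defender-side check for the access.log pattern described in the report above, added here as an example and not part of the bug thread: it parses Apache combined-format lines, undoes Apache's `\xHH`/`\t` escaping of the request field, flags request lines that are malformed or contain control bytes, and counts them per client IP. The sample log lines and their addresses are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format. The request field is quoted; Apache escapes
# non-printable bytes inside it as \xHH and common ones as \t, \n, \r, \".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

def unescape_request(field):
    """Undo Apache's log escaping so the original request bytes can be inspected."""
    def repl(m):
        s = m.group(1)
        if s.startswith('x'):
            return chr(int(s[1:], 16))
        return {'t': '\t', 'n': '\n', 'r': '\r'}.get(s, s)
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', repl, field)

def is_bogus(request):
    """True when the line is not METHOD SP URI SP HTTP/x.y or has control bytes."""
    raw = unescape_request(request)
    if raw == '-':  # Apache logs "-" when no request line was read at all
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in raw):
        return True
    return REQUEST_LINE_RE.match(raw) is None

def scan(lines, threshold=3):
    """Return {ip: count} for client IPs with at least `threshold` bogus lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_bogus(m.group('request')):
            counts[m.group('ip')] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log (RFC 5737 documentation addresses): the GET-then-garbage
# pairs from the report, plus one stray TLS ClientHello sent to the plain port.
SAMPLE_LOG = [
    r'192.0.2.1 - - [07/Jun/2005:01:20:55 -0700] "GET / HTTP/1.1" 200 7090 "-" "MSIE 6.0"',
    r'192.0.2.1 - - [07/Jun/2005:01:20:55 -0700] "\t\x15\x10" 400 - "-" "-"',
    r'192.0.2.1 - - [07/Jun/2005:01:20:57 -0700] "GET / HTTP/1.1" 200 7090 "-" "MSIE 6.0"',
    r'192.0.2.1 - - [07/Jun/2005:01:20:57 -0700] "\t\x15\x10" 400 - "-" "-"',
    r'192.0.2.1 - - [07/Jun/2005:01:20:59 -0700] "GET / HTTP/1.1" 200 7090 "-" "MSIE 6.0"',
    r'192.0.2.1 - - [07/Jun/2005:01:20:59 -0700] "\t\x15\x10" 400 - "-" "-"',
    r'198.51.100.7 - - [07/Jun/2005:01:21:03 -0700] "GET /index.html HTTP/1.0" 200 7090 "-" "curl"',
    r'198.51.100.7 - - [07/Jun/2005:01:21:04 -0700] "\x16\x03\x01" 400 - "-" "-"',
]
```

`scan(SAMPLE_LOG)` returns `{'192.0.2.1': 3}`; the single stray hello from the second address stays below the threshold, which is the usual way to separate a repeating source from one-off noise.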
---------------------------------------
Received: (at 312390-done) by bugs.debian.org; 8 Jun 2005 01:37:12 +0000
From adconrad@0c3.net Tue Jun 07 18:37:12 2005
Return-path: <adconrad@0c3.net>
Received: from loki.0c3.net [69.0.240.48]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DfpVI-0005bZ-00; Tue, 07 Jun 2005 18:37:12 -0700
Received: from localhost
([127.0.0.1] helo=mail.0c3.net ident=www-data)
by loki.0c3.net with esmtp (Exim 4.34)
id 1DfpUn-0000Yv-9s
for 312390-done@bugs.debian.org; Tue, 07 Jun 2005 19:36:41 -0600
Received: from 203.49.196.168
(SquirrelMail authenticated user adconrad)
by mail.0c3.net with HTTP;
Wed, 8 Jun 2005 11:36:41 +1000 (EST)
Message-ID: <21999.203.49.196.168.1118194601.squirrel@mail.0c3.net>
In-Reply-To: <courier.42A616CD.00005E48@mail.ginzton.net>
References: <courier.42A616CD.00005E48@mail.ginzton.net>
Date: Wed, 8 Jun 2005 11:36:41 +1000 (EST)
Subject: Re: Bug#312390: apache-ssl: apache-ssl uses 100% cpu after bogus http request
From: "Adam Conrad" <adconrad@0c3.net>
To: 312390-done@bugs.debian.org
Reply-To: adconrad@0c3.net
User-Agent: SquirrelMail/1.5.1 [CVS]
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: adconrad@0c3.net
X-SA-Exim-Scanned: No (on loki.0c3.net); SAEximRunCond expanded to false
Delivered-To: 312390-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_01,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Matt Ginzton wrote:
>
> I'm filing this with a rather aggressive priority since it
> appears to be a remotely accessible DoS exploit, though no user data seems
> to be compromised.
A DoS != an exploit, in most people's minds, just a serious annoyance.
While annoyances like this may be fixed in the course of stable updates,
they will generally never get fixed in an "oldstable" release.
Since Sarge was released as stable a couple of days ago and Woody has
moved to "oldstable" status, one would only expect real security exploits
(remote execution, privilege escalation, etc) to be fixed in woody
packages from here on in.
I'd recommend upgrading to Sarge at your earliest convenience. Many
improvements have been made there, including a (generally) much more
stable set of both apache1.3 and apache2 (which I recommend upgrading to
if you can) packages.
... Adam