
[BAD] the whole server down with a red-alert-like attack



This morning my little server (potato, apache 1.3.9) was down. No
webservices, no ssh, nothing but ping :(

apache error.log

[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///scripts/root.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///MSADC/root.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///c/winnt/system32/cmd.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///d/winnt/system32/cmd.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///scripts/..%5c../winnt/system32/cmd.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///msadc/..%5c../..%5c../..%5c/..\xc1^\../..\xc1^\../..\xc1^\../winnt/system32/cmd.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///scripts/..\xc1^\../winnt/system32/cmd.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///scripts/..\xc0\xaf../winnt/system32/cmd.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///scripts/..\xc1\x9c../winnt/system32/cmd.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///scripts/..%5c../winnt/system32/cmd.exe
[Thu Jan 24 06:10:59 2002] [error] [client 212.37.199.145] File does not exist: /var/www///scripts/..%2f../winnt/system32/cmd.exe

maybe 20 times the same sequence and then,

Ouch!  malloc failed in malloc_block()

began to appear in apache error.log more and more until,

/etc/syslog :

Jan 24 06:13:54 sfa01 kernel: VM: do_try_to_free_pages failed for kswapd...
Jan 24 06:14:41 sfa01 kernel: VM: do_try_to_free_pages failed for kswapd...
Jan 24 06:15:30 sfa01 kernel: VM: do_try_to_free_pages failed for kswapd...
Jan 24 06:15:58 sfa01 kernel: VM: do_try_to_free_pages failed for cfserver...
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for cfserver...
Jan 24 06:15:59 sfa01 last message repeated 8 times
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for init...
Jan 24 06:15:59 sfa01 last message repeated 8 times
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for cfexec...
Jan 24 06:15:59 sfa01 last message repeated 16 times
Jan 24 06:15:59 sfa01 kernel: VM: killing process cfexec
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for ntpd...
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for ntpd...
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for cfexec...
Jan 24 06:15:59 sfa01 last message repeated 12 times
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for mutt...
Jan 24 06:15:59 sfa01 last message repeated 3 times
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for cfrdsservice...
Jan 24 06:15:59 sfa01 last message repeated 3 times
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for klogd...
Jan 24 06:15:59 sfa01 last message repeated 2 times
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for kswapd...
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for cfserver...
Jan 24 06:15:59 sfa01 last message repeated 2 times
Jan 24 06:15:59 sfa01 kernel: VM: killing process cfserver
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for ntpd...
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for apache-ssl...
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for ntpd...
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for apache...
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for cfserver...
Jan 24 06:15:59 sfa01 last message repeated 13 times
Jan 24 06:15:59 sfa01 kernel: VM: killing process cfserver
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for proftpd...
Jan 24 06:15:59 sfa01 last message repeated 11 times
Jan 24 06:15:59 sfa01 kernel: VM: killing process proftpd
Jan 24 06:15:59 sfa01 kernel: VM: do_try_to_free_pages failed for ntpd...
Jan 24 06:25:01 sfa01 /USR/SBIN/CRON[12556]: (root) CMD (  test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily)

   and nothing but,

Jan 24 09:14:39 sfa01 syslogd 1.3-3#33: restart.


That's all folks

if you have comments...



Alexis
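
Added example, not part of the original post: one way to triage an error.log like the one quoted above is to count, per client, the requests for IIS-only binaries (root.exe, cmd.exe) and the malloc failures that followed. The function name, the burst threshold and the sample lines (documentation-range addresses) are assumptions made for this sketch, and it expects one log entry per line, as in the file itself rather than the mail-wrapped quote.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 1.3 error.log entry in the shape quoted in the post.
ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)"
)
# Targets seen in the post: Windows/IIS binaries that never exist on this host.
PROBE = re.compile(r"/(?:root|cmd)\.exe$", re.IGNORECASE)
MALLOC = "malloc failed in malloc_block()"

def summarize(lines, burst_threshold=5):
    """Return (probes per client, clients with a same-second burst, malloc failures)."""
    per_client, per_second, malloc_failures = Counter(), Counter(), 0
    for line in lines:
        if MALLOC in line:
            malloc_failures += 1
            continue
        m = ENTRY.search(line)
        if not m or not PROBE.search(m["path"]):
            continue  # ordinary 404s and unrelated entries are ignored
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        per_client[m["ip"]] += 1
        per_second[(m["ip"], ts)] += 1
    # A scripted scan sends its whole request list within the same second.
    bursts = sorted({ip for (ip, _), n in per_second.items() if n >= burst_threshold})
    return per_client, bursts, malloc_failures

# Constructed sample input: paths taken from the post, client addresses invented.
PATHS = ["/scripts/root.exe", "/MSADC/root.exe", "/c/winnt/system32/cmd.exe",
         "/d/winnt/system32/cmd.exe", "/scripts/..%5c../winnt/system32/cmd.exe",
         "/scripts/..%2f../winnt/system32/cmd.exe"]
SAMPLE = [
    f"[Thu Jan 24 06:10:59 2002] [error] [client 192.0.2.10] File does not exist: /var/www//{p}"
    for p in PATHS
] + [
    "[Thu Jan 24 06:11:02 2002] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico",
    "[Thu Jan 24 06:11:03 2002] [error] [client 198.51.100.7] File does not exist: /var/www///scripts/root.exe",
    "Ouch!  malloc failed in malloc_block()",
    "Ouch!  malloc failed in malloc_block()",
]

if __name__ == "__main__":
    clients, bursts, mallocs = summarize(SAMPLE)
    print(dict(clients), bursts, mallocs)
```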


