RE: [d-security] woody apache/ssl - security issue?
Thanks you for the heads up!
Some quick research and I conclude we have not been infected for the
*) no compiler on the webserver
*) no /tmp files or processes [cinik unlock uubugtraq bugtraq]
*) tripwires not reporting altered binaries etc
*) no unusual network traffic on ports described [1978 2002 4156]
*) no outgoing web connections to untrusted sites reported by firewall
Do you concur? If we are not infected, is Debian still vulnerable to a
DOS from this worm? ie Why is Apache crashing? Thanks for the help,
> -----Original Message-----
> From: Tycho Fruru [mailto:email@example.com]
> Sent: 25 September 2002 14:18
> To: Christian Hammers
> Cc: Jeff Armstrong; firstname.lastname@example.org
> Subject: Re: [d-security] woody apache/ssl - security issue?
> On Wed, 2002-09-25 at 15:13, Christian Hammers wrote:
> > Hello
> > On Wed, Sep 25, 2002 at 02:03:43PM +0100, Jeff Armstrong wrote:
> > > Symptoms:
> > > Apache stops dishing pages - no log or error messages
> > > netstat shows Apache still listening
> > > /etc/init.d/apache stop fails to kill all apache processes
> > > have to killapp apache and kill -9 some individual
> apache processes
> > > no cores, no messages in syslog, daemon.log or messages
> > Can't remember the kill charactersitics but the other
> symptoms, failing
> > w/o giving any clue, are also happening if the filesystem
> is full and
> > apache cannot write new logfile entries. It starts to work
> again as soon
> > as it has free space again.
> > The logfile entries you've shown are absolutely harmless, I
> use exactly
> > the same strings for testing if a webserver responses.
> hmm. To me they don't seem harmless. Looks more like you've been
> visited by a slapper worm (which leaves the same trails in your
> Tycho Fruru email@example.com
> "Prediction is extremely difficult. Especially about the future."
> - Niels Bohr