[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Slapper worm does more than infect

I've patched my servers, a long time ago.  I've noticed that slapper
worm (or whatver is causing the "HTTP/1.1 request without hostname" and
"GET_CLIENT_MASTER_KEY:key arg too long" lines in apache's error log)
causes another problem: 

While it's attempting to infect my servers, it seizes all the apache
processes, and apache waits for TCP_TIMEOUT minutes before hanging up
and accepting new connections.  That's 10 minutes of the server being

I've been using a script to watch for slapper attempts and restart the
webserver if it sees it (code below), but this is inefficient, costs
CPU, and unless I run this every minute I will get some downtime.  Is
there a more efficient way of getting slapper to not grab my webserver
connections?  I've considered recompiling apache to get rid of the
"Server:" HTTP response header line completely, but deploying a
recompiled binary (and recompiling every time) across a web-farm is a
drastic solution.  I was hoping for something less disruptive. 

Code for worm_watcher.sh (simplified; what I use is actually more
complex for multiple apache instances on the same machine) follows: 

/usr/sbin/logtail $LOG \
 |/bin/egrep '(client sent HTTP/1.1 request without hostname|SSL
routines:GET_CLIENT_MASTER_KEY:key arg too long)' \
if [-s $OUT]; then
  /bin/cat $OUT |/usr/bin/mail -s "slapper found" $MAILTO
  /bin/kill -HUP `/bin/cat $PID`
rm $OUT

Reply to: