Posted to users@httpd.apache.org by Aaron <aw...@idl.net.au> on 2003/01/14 13:13:46 UTC

[users@httpd] Parent: Receiving shutdown signal from outside?

"Hello" from Australia,

I'm new to Apache.  I have version 2.0.43 on Windows XP Pro.

I have installed all Microsoft Windows XP security patches prior to SP1.  I
have been reluctant to install SP1 due to warnings I've heard about it
causing problems.

I have used GRC's XPdite, from http://grc.com/xpdite/xpdite.htm

In the Error Log, I find a number of entries like the following examples:

[Sun Jan 12 07:38:58 2003] [warn] pid file C:/Program Files/Apache Group/Apache2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Sun Jan 12 07:38:59 2003] [notice] Parent: Created child process 1456
[Sun Jan 12 07:39:00 2003] [notice] Child 1456: Child process is running
[Sun Jan 12 07:39:00 2003] [notice] Child 1456: Acquired the start mutex.
[Sun Jan 12 07:39:01 2003] [notice] Child 1456: Starting 250 worker threads.
[Sun Jan 12 10:43:25 2003] [notice] Parent: Received shutdown signal -- Shutting down the server.
[Sun Jan 12 10:43:25 2003] [notice] Child 1456: Exit event signaled. Child process is ending.
[Sun Jan 12 10:43:26 2003] [notice] Child 1456: Released the start mutex
[Sun Jan 12 10:43:27 2003] [notice] Child 1456: Waiting for 250 worker threads to exit.
[Sun Jan 12 10:43:27 2003] [notice] Child 1456: All worker threads have exited.
[Sun Jan 12 10:43:27 2003] [notice] Child 1456: Child process is exiting
[Sun Jan 12 10:43:28 2003] [notice] Parent: Child process exited successfully.

[Sun Jan 12 22:02:52 2003] [error] [client 195.166.232.11] Client sent malformed Host header
[Mon Jan 13 00:33:14 2003] [error] [client 199.243.77.42] Client sent malformed Host header
[Mon Jan 13 09:42:26 2003] [warn] pid file C:/Program Files/Apache Group/Apache2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?

There are more entries in the Error Log like the above examples.  I assume
this is not good.  It appears to me (inexperienced) that someone is
controlling my server from the outside.  I read about Stopping & Restarting
at the Apache.org website, but it did not seem to mention whether this was
something that could be done from outside.

Assuming this is a vulnerability, is it addressed in WinXP SP1?  ....or can
I leave that out and alter some setting in the configuration file to stop
this access?  I seem to remember reading something about a parent/child
vulnerability with Apache on WinXP, but I can't find it now.

I don't know if this helps, but this is how I have the DocumentRoot set
(I've stripped out the commenting here):

UseCanonicalName Off

DocumentRoot "C:/Program Files/Apache Group/Apache2/htdocs"

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

....and then a few lines down from that:

<Directory "C:/Program Files/Apache Group/Apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

As far as I understand, this allows access to the DocumentRoot folder, but
nothing else.

There are no VirtualHosts set up.

If I need to strip the system clean and start again, I will.  But I wonder
if anyone can otherwise help me sort out this apparent vulnerability.

Thank you in advance,
Aaron Wells


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
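
Added example (not part of the original post and not Apache project code): a Python script that pulls the start and shutdown entries out of an error log in the format shown above, so their timestamps can be compared with the times the administrator knows they started or stopped the server. The sample log is constructed from the post's excerpt, and the admin window is a hypothetical value.

```python
import re
from datetime import datetime

# Constructed sample: entries from the post above with wrapped lines rejoined.
SAMPLE_LOG = """\
[Sun Jan 12 07:38:58 2003] [warn] pid file C:/Program Files/Apache Group/Apache2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Sun Jan 12 07:38:59 2003] [notice] Parent: Created child process 1456
[Sun Jan 12 10:43:25 2003] [notice] Parent: Received shutdown signal -- Shutting down the server.
[Sun Jan 12 10:43:28 2003] [notice] Parent: Child process exited successfully.
[Sun Jan 12 22:02:52 2003] [error] [client 195.166.232.11] Client sent malformed Host header
[Mon Jan 13 09:42:26 2003] [warn] pid file C:/Program Files/Apache Group/Apache2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# Label -> text that identifies the entry (wording taken from the log above).
MARKERS = {
    "pid_overwritten": "Unclean shutdown of previous",
    "start": "Parent: Created child process",
    "shutdown_signal": "Parent: Received shutdown signal",
}

def lifecycle_events(log_text):
    """Return [(datetime, label)] for start/stop entries, in log order."""
    events = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # blank line or the tail of a wrapped entry
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events += [(ts, label) for label, text in MARKERS.items() if text in m["msg"]]
    return events

def unexplained(events, admin_windows):
    """Events outside every (begin, end) window in which the administrator
    knows they started or stopped Apache themselves."""
    return [(ts, label) for ts, label in events
            if not any(begin <= ts <= end for begin, end in admin_windows)]

if __name__ == "__main__":
    # Hypothetical: the admin started Apache by hand around 07:38 on Jan 12.
    windows = [(datetime(2003, 1, 12, 7, 30), datetime(2003, 1, 12, 7, 45))]
    for ts, label in unexplained(lifecycle_events(SAMPLE_LOG), windows):
        print(ts.isoformat(sep=" "), label)
```

Entries that remain after filtering are the ones to check against other local records for the same timestamps.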


[users@httpd] Re: Thanks Jeff: Receiving shutdown signal from outside?

Posted by Aaron <aw...@idl.net.au>.
Thanks Jeff,
Yep, I wasn't shutting down properly.
I didn't mention before, but there are starts, restarts and shutdowns
occurring during times when I know I'm not doing it.  It still seems to me
(inexperienced) that it's being controlled from outside.
It is running as a service.
I'll run the validation tool you mentioned.
I understand what you mean about not installing in Program Files.  Maybe
I'll change that later, though.
Thanks again.
Aaron
===============
> Hi Aaron,
>
> It seems that you never shut down the Apache service as you are supposed
> to. If Apache is installed as an NT service, try running it as a service;
> if it's not installed as a service, go to the Apache\bin directory and
> type "apache -k install" to install the NT service.
> Run it as a system service and see which errors you get and if the service
> shuts down by itself again.
>
> I would also suggest that you use the config tool to validate your
> configuration. To make a validation tool, do as follows:
> Create a shortcut to the apache.exe file in the Apache\bin folder and then
> edit it to read like this:
> "c:\apache2\bin\Apache.exe -w -t -f c:\apache2\conf\httpd.conf -d c:\apache2"
>
> Just change the folders to be relevant to your Apache directory.
>
> My suggestion: reinstall Apache to a directory under "c:\"; do not have
> "program files" in use in the httpd.conf file, or you'll have to add ""
> to any line that shows the Apache directory.
>
> All the best,
> Jeff Cohen


RE: [users@httpd] Parent: Receiving shutdown signal from outside?

Posted by Jeff Cohen <ap...@gej-it.com>.
Hi Aaron,

It seems that you never shut down the Apache service as you are supposed to.
If Apache is installed as an NT service, try running it as a service; if it's
not installed as a service, go to the Apache\bin directory and type "apache
-k install" to install the NT service.
Run it as a system service and see which errors you get and if the service
shuts down by itself again.

I would also suggest that you use the config tool to validate your
configuration. To make a validation tool, do as follows:
Create a shortcut to the apache.exe file in the Apache\bin folder and then
edit it to read like this:
"c:\apache2\bin\Apache.exe -w -t -f c:\apache2\conf\httpd.conf -d c:\apache2"

Just change the folders to be relevant to your Apache directory.

My suggestion: reinstall Apache to a directory under "c:\"; do not have
"program files" in use in the httpd.conf file, or you'll have to add ""
to any line that shows the Apache directory.

All the best,
Jeff Cohen