Posted to apache-bugdb@apache.org by Karlis Kalviskis <ka...@lanet.lv> on 2001/09/19 08:38:47 UTC
mod_include/8362: Nimda worm and Customizable error response of Apache
>Number: 8362
>Category: mod_include
>Synopsis: Nimda worm and Customizable error response of Apache
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue Sep 18 23:40:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: karlo@lanet.lv
>Release: 1.3.20 Win32
>Organization:
apache
>Environment:
Number of Processors: 1
Processor Type: x86 Family 6 Model 8 Stepping 6
Windows Version: Windows NT 4.0
Current Build: 1381
Service Pack: 6a
>Description:
During the Nimda worm attack, the system started to generate Dr.Watson error messages:
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
>>>
Dr.Watson for Windows NT
An application error has occurred and an application error is being generated.
Apache.exe
Exception: access violation(0xc0000005), Address: 0x6ff7b422
<<<
Good thing:
Apache continued to work and responded to any queries from the Internet. :)
Bad thing:
The computer's memory is filled with Dr.Watson's error messages :(
There was no such kind of problem before Nimda worm.
It's very likely, that the problem is in
Customizable error response, SSI and amount of wrong queries from Internet:
Customizable error response (Apache style) - local redirects are activated:
ErrorDocument 403 /system/errordocs/403.shtml
ErrorDocument 404 /system/errordocs/404.shtml
ErrorDocument 500 /system/errordocs/500.shtml
The Dr.Watson error messages did not appear any more after the
local redirects were turned off and another error response was activated:
ErrorDocument 403 "Ko meklee?
ErrorDocument 404 "Nav atrodams!
ErrorDocument 500 "Atstaajies!
Here comes the content of 404.shtml:
--------------------
<!--#set var="virsraksts" value="Document not found ($REDIRECT_STATUS)" -->
<!--#include virtual="/system/Kopejie/kluda.shtml" -->
<Big>Atvaino, netika atrasts <i><b><!--#echo encoding="none" var="REQUEST_URI" --></b></i></Big>.
<p>Sāc meklējumus no pamatlappuses <a href=/ TARGET=_top>http://<!--#echo encoding="none" var="SERVER_NAME" --></a>
<br>vai
<br>izmanto <a href=/scripts/texis.exe/atrodi/>meklēšanas iespējas</a>,
<br>vai
<br>atgriezies iepriekšējā lappusē, izmantojot savas pārlūkprogrammas "<i>Back</i>" pogu.
<p>Ieteikumus un aizrādījumus sūti uz <!--#echo encoding="none" var="SERVER_ADMIN" -->.
<p><hr>
<Big>Sorry, <i><b><!--#echo encoding="none" var="REQUEST_URI" --></b></i> not found</Big>
<p>Start Your search from <a href=/ TARGET=_top>http://<!--#echo encoding="none" var="SERVER_NAME" --></a>
<br>or
<br>use <a href=/scripts/texis.exe/Search/>Search engine</a>
<br>or
<br>use "Back" button from Your browser to return to the previous page.
<p>Your comments will be welcomed by <!--#echo encoding="none" var="SERVER_ADMIN" -->.
<p><!--#include virtual="/system/Kopejie/priede_bl.shtml" -->
</body></html>
--------------------------
Re: mod_include/8362: Nimda worm and Customizable error response of Apache
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
From: "Karlis Kalviskis" <ka...@lanet.lv>
Sent: Wednesday, September 19, 2001 1:38 AM
> >Synopsis: Nimda worm and Customizable error response of Apache
> >Release: 1.3.20 Win32
> >Environment:
> Number of Processors: 1
> Processor Type: x86 Family 6 Model 8 Stepping 6
> Windows Version: Windows NT 4.0
> Current Build: 1381
> Service Pack: 6a
> >Description:
> During the Nimda worm attack, the system started to generate Dr.Watson error messages:
>
> There was no such kind of problem before Nimda worm.
> It's very likely, that the problem is in
> Customizable error response, SSI and amount of wrong queries from Internet:
>
> Customizable error response (Apache style) - local redirects is activated:
>
> ErrorDocument 403 /system/errordocs/403.shtml
> ErrorDocument 404 /system/errordocs/404.shtml
> ErrorDocument 500 /system/errordocs/500.shtml
Could you try simplifying your tags (drop all at first) and then reintroduce
the SSI tags one-by-one to determine if there is a specific tag that causes
this particular fault?
Bill
Re: mod_include/8362: Nimda worm and Customizable error response of Apache
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
----- Original Message -----
From: "Thomas"
Sent: Wednesday, September 19, 2001 6:38 PM
Subject: Re: Nimda causes my Apache 1.3.20/NT to crash
> thanks for the hint about the ErrorDocument directive and
> the URL to bug-file by Karlis.
>
> That was right on, disabling the redirects made Dr. Watson leave for good.
>
> However, I did some further investigating to pinpoint exactly what made
> mod_include blow up and found that the problem occurs at #include.
> Switching between a file or a virtual attribute doesn't make any difference.
>
> So concluding for now, to prevent the Nimda-related segfaults,
> you must remove any #includes from the ErrorDocument catching
> the Nimda requests (e.g. 404)
>
> I'm pretty sure this has to do with the malformed Host HTTP header that
> comes in with some of the Nimda requests. I remember a while
> ago when fiddling with the Host header Apache went crashing
> occasionally. I didn't pay much attention to it then, but it makes sense
> now.
>
> ---
> GET /scripts/root.exe?/c+dir HTTP/1.0
> Connection: close
> Host: www
> ---
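
The workaround reported in this thread is to keep #include out of any ErrorDocument page that is served through a local redirect. The following is an added example, not part of the original messages and not Apache project code: it audits a configuration for that condition. The function name, the sample configuration and the temporary document root are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# ErrorDocument <status> <target>; commented-out lines do not match.
ERRDOC = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(\S.*)$', re.I)
# SSI include with either attribute (the thread reports both trigger the fault).
INCLUDE = re.compile(r'<!--#include\s+(file|virtual)="([^"]*)"', re.I)

def audit_error_documents(conf_text, docroot):
    """Map status code -> list of (attribute, path) for every #include found
    in an ErrorDocument page that is served via a local redirect."""
    findings = {}
    for line in conf_text.splitlines():
        m = ERRDOC.match(line)
        if not m:
            continue
        status, target = int(m.group(1)), m.group(2).strip()
        if not target.startswith('/'):
            continue  # inline text ("...) or external URL: no local redirect
        page = Path(docroot) / target.lstrip('/')
        if not page.is_file():
            continue
        hits = INCLUDE.findall(page.read_text(errors='replace'))
        if hits:
            findings[status] = hits
    return findings

# Constructed sample: one text response and two local redirects.
SAMPLE_CONF = '''\
ErrorDocument 403 "Ko meklee?
ErrorDocument 404 /system/errordocs/404.shtml
ErrorDocument 500 /system/errordocs/500.shtml
'''

def demo():
    """Build a throwaway document root and audit SAMPLE_CONF against it."""
    with tempfile.TemporaryDirectory() as root:
        d = Path(root, 'system', 'errordocs')
        d.mkdir(parents=True)
        (d / '404.shtml').write_text(
            '<!--#include virtual="/system/Kopejie/kluda.shtml" -->\n'
            '<!--#echo var="REQUEST_URI" --> not found\n'
            '<!--#include virtual="/system/Kopejie/priede_bl.shtml" -->\n')
        (d / '500.shtml').write_text('<!--#echo var="REDIRECT_STATUS" -->\n')
        return audit_error_documents(SAMPLE_CONF, root)

if __name__ == '__main__':
    print(demo())
```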