Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1997/06/02 15:53:52 UTC

Re: Security problem ?

Hi, I'll forward your mail to the developers mailing list.
There are no known security problems at the moment. Hopefully
your httpd just blew up in sympathy when the rest of the system
went bad.

One thing to check is the activity of the 'problem' user before
the incident. Does it look like reasonable usage or someone
probing?


On Mon, 2 Jun 1997, Chris Cason wrote:

> Hi ... I didn't want to post this publicly because
> 
>   1) it's probably not a bug, but
>   2) if it is, it's possibly a security compromise.
> 
> I'm running 1.2 beta 10 on http://www.povray.org/ (i86 Linux). Something
> weird happened yesterday and I'm still trying to work out what. I lost the
> ability to contact the machine for a time; the server was up but was working
> strangely, and I could not log in via ssh or telnet.
> 
> When I could finally get in, I rebooted and examined various log files for the 
> cause. The HTTPD transfer_log for that particular virtual server showed that 
> it had stopped at a certain time, and the _very last_ entries in it were 
> these (I have to hex dump as it contains high-ASCII) -
> 
> 00  6D 61 6E 68 61 74 74 61-6E 2E 74 68 69 72 64 77   manhattan.thirdw
> 10  61 76 65 2E 6E 65 74 20-2D 20 2D 20 5B 30 31 2F   ave.net - - [01/
> 20  4A 75 6E 2F 31 39 39 37-3A 31 32 3A 33 38 3A 31   Jun/1997:12:38:1
> 30  36 20 2D 30 37 30 30 5D-20 22 FF FA 25 03 72 6F   6 -0700] "..%.ro
> 40  6F 74 FF F0 3F 22 20 34-30 30 20 2D 20 22 2D 22   ot..?" 400 - "-"
> 50  20 22 2D 22 0A 6D 61 6E-68 61 74 74 61 6E 2E 74    "-".manhattan.t
> 60  68 69 72 64 77 61 76 65-2E 6E 65 74 20 2D 20 2D   hirdwave.net - -
> 70  20 5B 30 31 2F 4A 75 6E-2F 31 39 39 37 3A 31 32    [01/Jun/1997:12
> 80  3A 35 35 3A 32 39 20 2D-30 37 30 30 5D 20 22 FF   :55:29 -0700] ". 
> 90  FA 25 03 72 6F 6F 74 FF-F0 68 65 6C 6C 6F 22 20   .%.root..hello" 
> A0  34 30 30 20 2D 20 22 2D-22 20 22 2D 22 0A 90 0E   400 - "-" "-"...
> 
> followed by
> 
> manhattan.thirdwave.net - - [01/Jun/1997:12:56:13 -0700] "GET / HTTP/1.0" 200
>   1085 "-" "Lynx 2.5  libwww-FM/2.14"
> manhattan.thirdwave.net - - [01/Jun/1997:12:56:16 -0700] "GET /nf-index.html  
>   HTTP/1.0" 200 17342 "-" "Lynx 2.5  libwww-FM/2.14"
> 
> There is nothing else in the log file beyond that point. What set off alarm
> bells for me was the above hexdump contains some binary surrounding the word
> 'root', and the machine stopped working almost immediately after that (we
> normally get about two hits per second on that server.)
> 
> Is there anything in the above information that is of interest to you?
> 
> regards,
> 
> -- Chris Cason
> 
> 
> 

--
Rob Hartill                              Internet Movie Database (Ltd)
http://www.moviedatabase.com/   .. a site for sore eyes.
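
Added example, not part of the original thread and not Apache code: the bytes FF FA 25 03 ... FF F0 in the quoted hex dump are Telnet subnegotiation framing (IAC SB, option 0x25 AUTHENTICATION, subcommand 3 NAME, then IAC SE, per RFC 854 and RFC 2941), and this sketch scans access-log entries for such blocks and decodes them. The function names and SAMPLE_LOG are assumptions made for the example; the sample entries are rebuilt from the bytes shown in the message above.

```python
import re

# Telnet command bytes (RFC 854) and AUTHENTICATION option codes (RFC 2941).
IAC, SB, SE = 0xFF, 0xFA, 0xF0
AUTHENTICATION = 0x25
AUTH_SUBCOMMANDS = {0: "IS", 1: "SEND", 2: "REPLY", 3: "NAME"}

# Common Log Format prefix; the request field may hold arbitrary bytes.
LINE_RE = re.compile(rb'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) ')

# Constructed sample: three entries from the quoted transfer_log, with the two
# binary request lines rebuilt from the bytes shown in the hex dump.
SAMPLE_LOG = (
    b'manhattan.thirdwave.net - - [01/Jun/1997:12:38:16 -0700] '
    b'"\xff\xfa\x25\x03root\xff\xf0?" 400 - "-" "-"\n'
    b'manhattan.thirdwave.net - - [01/Jun/1997:12:55:29 -0700] '
    b'"\xff\xfa\x25\x03root\xff\xf0hello" 400 - "-" "-"\n'
    b'manhattan.thirdwave.net - - [01/Jun/1997:12:56:13 -0700] '
    b'"GET / HTTP/1.0" 200 1085 "-" "Lynx 2.5  libwww-FM/2.14"\n'
)

def telnet_subnegotiations(request: bytes):
    """Return (option, subcommand, payload) for each IAC SB ... IAC SE block."""
    found, pos = [], 0
    while (start := request.find(bytes([IAC, SB]), pos)) != -1:
        end = request.find(bytes([IAC, SE]), start + 2)
        if end == -1:                      # unterminated block: nothing to decode
            break
        body = request[start + 2:end]
        pos = end + 2
        if len(body) >= 2 and body[0] == AUTHENTICATION:
            sub = AUTH_SUBCOMMANDS.get(body[1], f"subcommand {body[1]}")
            found.append(("AUTHENTICATION", sub, body[2:]))
        elif body:
            found.append((f"option {body[0]}", None, body[1:]))
    return found

def scan_log(log: bytes):
    """Return (host, timestamp, status, findings) for entries with Telnet data."""
    hits = []
    for line in log.split(b"\n"):
        m = LINE_RE.match(line)
        if not m:
            continue
        findings = telnet_subnegotiations(m.group(3))
        if findings:
            hits.append((m.group(1).decode("ascii", "replace"),
                         m.group(2).decode("ascii", "replace"),
                         int(m.group(4)), findings))
    return hits
```

Both binary entries decode to AUTHENTICATION NAME with the payload "root"; the ordinary GET entry is not flagged.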