Posted to users@httpd.apache.org by Miguel González Castaños <mi...@yahoo.es> on 2012/02/12 20:02:04 UTC

[users@httpd] w00t and Dfind web scanner

Dear all,

   I'm the system admin of a web server and I found these errors in my 
apache logs:

[Tue Feb 07 10:35:08 2012] [warn] (43)Identifier removed: Failed to 
release SSL session cache lock
[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to 
acquire SSL session cache lock
[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to 
release SSL session cache lock
[Tue Feb 07 10:36:05 2012] [warn] child process 21599 still did not 
exit, sending a SIGTERM
[Tue Feb 07 10:36:06 2012] [notice] caught SIGTERM, shutting down

also some traces of Dfind web scanner:

[Mon Feb 06 05:54:01 2012] [error] [client 88.46.75.27] client sent 
HTTP/1.1 request without hostname (see RFC2616 section 14.23): 
/w00tw00t.at.ISC.SANS.DFind:)

I have added a rule into my iptables to block this and so far so good

However I don't know how these "failed to release SSL session cache 
lock" managed to bring my apache server down and if they are somehow 
related to these Dfind scans.

Any ideas?

Regards,

Miguel


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] w00t and Dfind web scanner

Posted by Miguel González Castaños <mi...@yahoo.es>.
On 14/02/2012 03:02, Igor Cicimov wrote:
> Check this link
>
> http://httpd.apache.org/docs/2.2/mod/mpm_common.html#acceptmutex
>
> and try to add
>
> AcceptMutex pthread
>
> to your config in case you run mpm_worker.
But in the info it says it can be used with prefork and worker.

Since it's a CentOS machine it was built with prefork as default. Is 
this option (prefork) causing this issue? Can I set it up for using 
AcceptMutex even when I'm using prefork?

Many thanks,

Miguel



Re: [users@httpd] w00t and Dfind web scanner

Posted by Igor Cicimov <ic...@gmail.com>.
Check this link

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#acceptmutex

and try to add

AcceptMutex pthread

to your config in case you run mpm_worker.

2012/2/14 Miguel González Castaños <mi...@yahoo.es>

>
>
>> What OS, kernel, httpd version?
>> If linux, /var/log/messages|kernel_log|daemon_log   can also often
>> give some indication of problems.
>>
> I have checked /var/log/messages (the other two don't exist) and I don't
> find anything. What can cause those SSL cache locks to bring the server
> down?
>
> Regards,
>
> Miguel
>

Re: [users@httpd] w00t and Dfind web scanner

Posted by Miguel González Castaños <mi...@yahoo.es>.
>
> What OS, kernel, httpd version?
> If linux, /var/log/messages|kernel_log|daemon_log   can also often 
> give some indication of problems.
>
I have checked /var/log/messages (the other two don't exist) and I don't 
find anything. What can cause those SSL cache locks  to bring the server 
down?

Regards,

Miguel



Re: [users@httpd] w00t and Dfind web scanner

Posted by Miguel González Castaños <mi...@yahoo.es>.
>
> What OS, kernel, httpd version?
> If linux, /var/log/messages|kernel_log|daemon_log   can also often 
> give some indication of problems.
>

Yes, it's Linux CentOS 5.5, kernel 2.6.18-194.3.1.el5 and 
httpd-2.2.3-53.el5.centos.3

Regards,

Miguel



Re: [users@httpd] w00t and Dfind web scanner

Posted by Noel Butler <no...@ausics.net>.
On Sun, 2012-02-12 at 20:02 +0100, Miguel González Castaños wrote:

> Dear all,
> 
>    I'm the system admin of a web server and I found these errors in my 
> apache logs:
> 
> [Tue Feb 07 10:35:08 2012] [warn] (43)Identifier removed: Failed to 
> release SSL session cache lock
> [Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to 
> acquire SSL session cache lock
> [Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to 
> release SSL session cache lock
> [Tue Feb 07 10:36:05 2012] [warn] child process 21599 still did not 
> exit, sending a SIGTERM
> [Tue Feb 07 10:36:06 2012] [notice] caught SIGTERM, shutting down
> 
> also some traces of Dfind web scanner:
> 
> [Mon Feb 06 05:54:01 2012] [error] [client 88.46.75.27] client sent 
> HTTP/1.1 request without hostname (see RFC2616 section 14.23): 
> /w00tw00t.at.ISC.SANS.DFind:)
> 

Wouldn't worry too much, the world is full of scan scripts, both good,
and some bad.


> I have added a rule into my iptables to block this and so far so good
> 
> However I don't know how these "failed to release SSL session cache 
> lock" managed to bring my apache server down and if they are somehow 
> related to these Dfind scans.
> 


What OS, kernel, httpd version?
If linux, /var/log/messages|kernel_log|daemon_log   can also often give
some indication of problems.
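
One way to test the question raised in the original post, whether the DFind probes coincide in time with the SSL session cache lock warnings, is to correlate the two kinds of error_log entries. This is an added example, not part of the thread; the sample log is constructed from the lines quoted above (joined onto single lines), and the function names and the 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Apache 2.2 error_log format, modelled on the lines
# quoted in the thread (one entry per line, as httpd writes them).
SAMPLE_LOG = """\
[Mon Feb 06 05:54:01 2012] [error] [client 88.46.75.27] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Feb 07 10:35:08 2012] [warn] (43)Identifier removed: Failed to release SSL session cache lock
[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to acquire SSL session cache lock
[Tue Feb 07 10:36:05 2012] [warn] child process 21599 still did not exit, sending a SIGTERM
[Tue Feb 07 10:36:06 2012] [notice] caught SIGTERM, shutting down
"""

ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<ip>[^\]]+)\] )?(?P<msg>.*)$"
)
PROBE = re.compile(r"request without hostname.*w00tw00t", re.I)
LOCK = re.compile(r"Failed to (?:acquire|release) SSL session cache lock")

def parse(text):
    """Yield (timestamp, client_ip_or_None, message) per error_log entry."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not an error_log entry (e.g. a wrapped continuation)
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        yield ts, m["ip"], m["msg"]

def correlate(text, window=timedelta(minutes=5)):
    """Return (probes, near): probes is [(ts, ip)], near maps each lock
    warning timestamp to the scanner IPs seen within +/- window of it."""
    probes, locks = [], []
    for ts, ip, msg in parse(text):
        if PROBE.search(msg):
            probes.append((ts, ip))
        elif LOCK.search(msg):
            locks.append(ts)
    near = {lk: sorted({ip for ts, ip in probes if abs(ts - lk) <= window})
            for lk in locks}
    return probes, near

if __name__ == "__main__":
    probes, near = correlate(SAMPLE_LOG)
    for lock_ts, ips in near.items():
        print(lock_ts, "scanner IPs nearby:", ips or "none")
```

An empty list for every lock warning means no probe was logged close to the lock failures, which points away from the scanner as the cause of the shutdown.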