httpd-users mailing list archives

From "Chris Robertson" <Chris.Robert...@markettools.com>
Subject [users@httpd] HTTPD 2.2.3 possible exploit?
Date Mon, 02 Jul 2007 22:57:29 GMT
Over the weekend we had several servers that all experienced the same
symptoms (details below).  I've gone through the CVE, bugtraq, etc.
archives and haven't found anything that matches either our versions or
the symptoms.

Symptoms:
- Server exhibits small jump in number of processes in queue and
utilization levels (possible probing attack?).  At this point the server
still appears to be functioning correctly.
- A couple hours later the server utilization goes to ~100% with
thousands of processes in the run queue and over the next ~1 hour runs
out of memory and stops answering any type of request (HTTP, SSH, SMTP,
console, etc).
- At some point during this progression the contents of the HTTPD root
folder, /var/log (on some), and /var/lib/mysql (on some) are copied to
/root/2/.  On at least some of the servers the system clock also got
seriously skewed.
- Restarting the server clears the symptoms up and no additional
processes start and/or are listening on the network (I'm still in
the process of verifying that executables weren't replaced).

System details:
- OpenSuSE 10.2
- Kernel 2.6.18.2-34-default
- Apache 2.2.3-20
- Apache prefork 2.2.3-20
- Mod_PHP5 5.2.0-10 (some)
- Mod_PHP5 5.1.4-5 (some)

Is this an issue anyone has seen before?

Thanks,
Chris


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
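
The message mentions checking whether executables were replaced. On an RPM-based system such as the OpenSuSE hosts described, one way to triage that is to filter the output of `rpm -Va`; the sketch below is an added example, not part of the original message. The function names are hypothetical and the sample lines are constructed to follow the `rpm -V` output layout (attribute flags, optional file-type marker, path).

```shell
#!/bin/sh
# Added example: reduce `rpm -Va` output to packaged files whose content,
# permissions or presence no longer match the package database.
# Live use (as root):  rpm -Va 2>/dev/null | flag_changed_files

flag_changed_files() {
    awk '
    {
        p = index($0, " /")              # path starts at the first " /"
        if (p == 0) next
        path  = substr($0, p + 1)
        flags = $1
        # Optional one-letter marker between flags and path:
        # c=config d=doc g=ghost l=license r=readme
        marker = (NF >= 3 && $2 ~ /^[cdglr]$/) ? $2 : ""
        if (marker != "") next           # local edits to these are expected
        if (flags == "missing") { print "MISSING  " path; next }
        if (flags ~ /5/)        { print "CONTENT  " path; next }  # digest differs
        if (flags ~ /[MUG]/)    { print "PERMS    " path }        # mode/owner/group
    }'
}

# Constructed sample of `rpm -Va` output (paths are placeholders).
sample_rpm_va() {
cat <<'EOF'
S.5....T.  c /etc/example/example.conf
..5....T.    /usr/sbin/example-daemon
.M.......    /usr/bin/example-tool
missing     /usr/lib/example/plugin.so
.......T.  d /usr/share/doc/example/README
EOF
}

sample_rpm_va | flag_changed_files
```

If root on the host may have been compromised, the installed `rpm` binary and its database cannot be trusted either, so the verification is more reliable when run from rescue media against the mounted filesystem.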

