ID: 19655 Comment by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Feedback Bug Type: Session related Operating System: 2.2.20 PHP Version: 4.2.3 New Comment:
> and are you 100% sure you're really compiling with 0.9.6g ? Yes, Apache+mod_ssl are linked with a just "untagzip'ed and compiled" openssl-0.9.6g ... > And that ALL your software is linked with it? Why would other software be linked with it ? We're only takking about a httpd process, not the whole of the system. > Best way to be sure about it is to first remove all binaries > compiled with openssl and all old openssl libraries from your system > and compile the latest from scratch. Why would I do that ? I am sure the steps I made : it is an Apache+0.9.6g (as shown in headers) and it is crashed by the worm code :( Georges Previous Comments: ------------------------------------------------------------------------ [2002-09-29 17:33:36] [EMAIL PROTECTED] Please, don't sign your comments..and are you 100% sure you're really compiling with 0.9.6g ? And that ALL your software is linked with it? Best way to be sure about it is to first remove all binaries compiled with openssl and all old openssl libraries from your system and compile the latest from scratch. ------------------------------------------------------------------------ [2002-09-29 16:45:14] [EMAIL PROTECTED] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I feel like sure ( :-) ) that Apache/OpenSSL 0.9.6g is still vulnerable to a Slapper worm attack ... I downloaded "Slapper worm like" code - available "for testing prupose only" - from somewhere on the Internet, modified it to ensure it will only attack my server when launched, and then launched it ... Everything occured normally, the virus didn't infect my computer, the same behaviour as the very first attacks. I used my httpd server and segfaulted it by doing it ... I have gdb'ed my httpd+core, and arrived on the same place in source code as mentioned in first first gdb log. The worm-like had crashed my apache. I checked logged and was the only one to attack the computer. That means that OpenSSL 0.9.6g is not safe right now ... I retried several times again but failed to reproduce the crash ... That's why I "feel like sure" :-) Anyway - and perhaps because of my parano. :) - I have closed my 443 window and wait for a better weather outside ;-) openssl-0.9.6h.tar.gz ? :) An advice ... My apache logs are showing tonight : Unknown(0) : Notice - Login failed: authentication failure (errflg=1) Unknown(0) : Notice - Login failed: authentication failure (errflg=1) Unknown(0) : Notice - Login failed: authentication failure (errflg=1) Unknown(0) : Notice - Too many login failures (errflg=2) -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.1 iQA/AwUBPZdy0BTEKqrwXlPeEQKg2ACeM+Lm5/S4PyhWykqbJYdVJaH2S1YAn3F8 XZBoIUmzRJ71rEgPRzoEm6/6 =fJ52 -----END PGP SIGNATURE----- ------------------------------------------------------------------------ [2002-09-29 14:39:43] [EMAIL PROTECTED] Well, the braces values indicate the release version I used to compiled ... The configure script is called by a shell script rebuilding automatically everything, in order to upgrade easilly the packages when new releases are availables ... Yes, the "session mm" appears under "Additional Modules" section ... And the handler is correct (session.save_handler -> mm) ... It seems that this trouble only occurs when the Apache server is hit by the OpenSSL/Worm Slapper (see http://www.cert.org/advisories/CA-2002-27.html) ... My apache is build with a 0.9.6g OpenSSL so that the worm can't infect the server, but it could may be corrupt the memory ? I rebuilt Apache+mod_php with --enable-debug=yes and re-opened the https port, waiting for the trouble to reapper, creating a core file ... Right now, the problem stopped like everytime I stop and restart the httpd process. Strange strange strange ... ------------------------------------------------------------------------ [2002-09-29 14:23:28] [EMAIL PROTECTED] Is your configure line REALLY like that? I think it's just that you haven't got MM support. Check phpinfo() output for 'Additional Modules' list. There should be 'session mm' entry if you have it. (I can't reproduce that segfault with 4.2.3 or 4.3.0-dev) ------------------------------------------------------------------------ [2002-09-29 08:26:12] [EMAIL PROTECTED] Please recompile PHP with --enable-debug and provide a new backtrace. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/19655 -- Edit this bug report at http://bugs.php.net/?id=19655&edit=1
