[Lula] apache-ssl dies silently

Peter Benjamin pete at peterbenjamin.com
Fri Apr 6 18:27:03 EDT 2007


At 12:51 PM 4/6/2007, TheBlueSage wrote:
>I should also say that this setup has been running as a production
>server for the last year and been solid as a rock... it is only in the
>last week or so that this has started happening....

Ah, big clue.  It's likely a URL request exploit then.
That it happens continually, (every hour or so, or what?)
is the clue someone is honing their exploit, like just
honing, not targeting your computer, but they could be.

Running tcpdump for port 80 incoming and storing the binary
to look at the end of the day, or after a crash, is likely
going to find the URL GET Request causing this.

Easy to find in the tcpdump as there will be a gap in the
time period right for outgoing replies, as Apache is down.

You'll catch them now.

>I agree with you on the log thing... so annoying that it does not log
>BEFORE events, as well as after...
>
>The server is very well protected behind a firewall, and after sniffing
>around I see no sign of intrusion....

No intrusion, exploit in Apache itself.
Thus, the reason I added the note about the logging,
to see all URLs and their POST/GET data coming in.
Typically it is GET that causes problems.

Google that.  Check the Apache exploit list.
SSL has an insecurity at that release level as well.
So check there.


>this is weird !

Not if someone is sending a URL exploit that works to crash it.
This is exactly what would happen.  I've had it happen to me,
all the time, regular, 2-3 times in one week, then nothing,
as the hacker finds there is no root access, just crash the
daemon, and it restarts up again, which is not much fun for
a hacker.

Thus, have you protected the version info in Apache, and
run nmap to see if the OS version is detectable?
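
The tcpdump check described above, as an added example that is not part of the original message: it reads the text printed from a stored capture by `tcpdump -tt -n -r`, finds the longest silence in the server's replies, and lists the requests that arrived in that window and were never answered. The server address, the file name `capture.pcap`, the function names and the sample lines are assumptions; the sample is constructed and simplified.

```python
import re

SERVER, PORT = "192.0.2.10", 80  # assumed server address (documentation range)

# Constructed, simplified sample of `tcpdump -tt -n -r capture.pcap` text output.
SAMPLE = """\
1000.000000 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [P.], length 120: HTTP: GET /index.html HTTP/1.1
1000.050000 IP 192.0.2.10.80 > 203.0.113.5.40001: Flags [P.], length 512: HTTP: HTTP/1.1 200 OK
1060.000000 IP 203.0.113.9.40002 > 192.0.2.10.80: Flags [P.], length 130: HTTP: GET /news.html HTTP/1.1
1060.040000 IP 192.0.2.10.80 > 203.0.113.9.40002: Flags [P.], length 800: HTTP: HTTP/1.1 200 OK
1120.000000 IP 198.51.100.7.40003 > 192.0.2.10.80: Flags [P.], length 1400: HTTP: GET /CONSTRUCTED-REQUEST HTTP/1.1
1121.000000 IP 203.0.113.5.40004 > 192.0.2.10.80: Flags [S], length 0
1121.000100 IP 192.0.2.10.80 > 203.0.113.5.40004: Flags [R.], length 0
1500.000000 IP 203.0.113.5.40005 > 192.0.2.10.80: Flags [P.], length 120: HTTP: GET /index.html HTTP/1.1
1500.030000 IP 192.0.2.10.80 > 203.0.113.5.40005: Flags [P.], length 512: HTTP: HTTP/1.1 200 OK
""".splitlines()

PKT = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): "
                 r".*?length (\d+)(?:: HTTP: (.*))?$")

def parse(lines):
    """Yield (timestamp, (src ip, port), (dst ip, port), payload length, HTTP text)."""
    for line in lines:
        m = PKT.match(line.strip())
        if m:
            ts, src, sp, dst, dp, size, http = m.groups()
            yield float(ts), (src, int(sp)), (dst, int(dp)), int(size), http or ""

def find_outage(lines, min_gap=60.0):
    """Return (gap_start, gap_end, unanswered requests), or None if no gap >= min_gap."""
    pkts = list(parse(lines))
    # Only server packets that carry data count as replies: while the daemon is
    # down the kernel still sends zero-length RSTs from the closed port.
    replies = [(ts, dst) for ts, src, dst, size, _ in pkts
               if src == (SERVER, PORT) and size > 0]
    gaps = [(b[0] - a[0], a[0], b[0]) for a, b in zip(replies, replies[1:])]
    if not gaps or max(gaps)[0] < min_gap:
        return None
    _, start, end = max(gaps)
    unanswered = [
        (ts, src[0], http) for ts, src, dst, _, http in pkts
        if dst == (SERVER, PORT) and start < ts < end
        and re.match(r"(GET|POST|HEAD) ", http)
        and not any(r_ts > ts and r_dst == src for r_ts, r_dst in replies)
    ]
    return start, end, unanswered

if __name__ == "__main__":
    print(find_outage(SAMPLE))
```

The first unanswered request in the window is the one to compare against the Apache and SSL advisories for the installed release.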
