bert

Well-Known Member
Aug 21, 2001
602
0
316
Apache is going down on two of our servers every few hours. It does not restart on its own, so chkservd restarts it. The error log is showing these errors:

[error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[warn] pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[crit] (98)Address already in use: make_sock: could not bind to port 443

Could this be related to the new OpenSSL worm? Any thoughts?
 

itf

Well-Known Member
May 9, 2002
624
0
316
[quote][i]Originally posted by bert[/i]

Apache is going down on two of our servers every few hours. It does not restart on its own, so chkservd restarts it. The error log is showing these errors:

[error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[warn] pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[crit] (98)Address already in use: make_sock: could not bind to port 443

Could this be related to the new OpenSSL worm? Any thoughts?
[/quote]
What is your Red Hat version?
Also what is your OpenSSL release?
Try this:
rpm -qa 'openssl*'
 

bert

Running RedHat 7.2 - 2.4.18
openssl095a-0.9.5a-18
openssl-devel-0.9.6b-28
openssl-0.9.6b-28

The same applies to both servers.
 

itf

Search your log files. Do you have some tracks like these?

[13/Sep/2002 21:22:03 17376] [error] SSL handshake failed (server host.domain.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)
[13/Sep/2002 21:22:03 17376] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
 

bert

Yes!

[Sun Sep 22 09:38:10 2002] [error] mod_ssl: SSL handshake failed (server server18.pronicsolutions.com:443, client 62.31.248.32) (OpenSSL library error follows)
[Sun Sep 22 09:38:10 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long

On both servers.
 

itf

[quote][i]Originally posted by bert[/i]

Yes!

[Sun Sep 22 09:38:10 2002] [error] mod_ssl: SSL handshake failed (server server18.pronicsolutions.com:443, client 62.31.248.32) (OpenSSL library error follows)
[Sun Sep 22 09:38:10 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long

On both servers.[/quote]
Unfortunately these are tracks of the Slapper worm virus, but don't worry, I'll help you.

It uses a buffer overflow for a DoS attack.

But did your Apache fail after those tracks of errors?
 

bert

Yes, Apache fails on these two boxes after that. It is not restarted on its own, but with the help of chkservd.

Our servers are behind a firewall though, so even if we get the worm, the worm will not be able to attack other machines. However, this is very annoying because it kills Apache every few minutes/hours.

Do you have a suggestion to block these?
 

itf

First, if you have other boxes:
pico /etc/httpd/conf/httpd.conf

And put this line in it:

ServerTokens ProductOnly

Then restart Apache.

These two servers were using the latest patched builds by Red Hat but they were infected; it may be a newer version of that worm or a weakness in the patches. First we have to find this out.

Did you install the latest buildapache.sea?
 

bert

Hmmm. You mean they are infected? Any tips on removing the worm?

I ran buildapache about a week ago when the worm first came out; it is the one before the latest, I believe.
 

itf

[quote][i]Originally posted by bert[/i]

Hmmm. You mean they are infected? Any tips on removing the worm?

I ran buildapache about a week ago when the worm first came out; it is the one before the latest, I believe.[/quote]

Maybe, but if you want to make sure, install the latest buildapache.sea, then re-install your current openssl RPM packages from Red Hat, reboot your system and wait for Apache to go down, then let me know the error.
 

bert

You mean re-install the existing RPM packages after recompiling Apache?
 

bert

I searched the machines for bugtraq and could not find anything. I will in the meantime start recompiling Apache on them.

By the way, what is the directive you asked me to put in httpd.conf for?

Thanks!!!
 

itf

Bert,

In a root SSH session use this command:

find /tmp -name '.bug*'

and let me know if you have these files.

If you don't have these files, you are not infected.

/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq


Also check if you have a running process with this name: '.bugtraq'
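
The two checks discussed in this thread (the `key arg too long` handshake errors and the three `/tmp` files), as an added example that is not part of any post. The function names are hypothetical, and the sample log is constructed with documentation addresses and a placeholder host name.

```shell
# Added example: triage for the indicators named in this thread.

# Print "count client" for every client whose failed mod_ssl handshake is
# directly followed by the "key arg too long" error. Reads files or stdin.
slapper_probe_clients() {
    awk '
        /SSL handshake failed/ {
            client = ""
            if (match($0, /client [0-9.]+/))
                client = substr($0, RSTART + 7, RLENGTH - 7)
            next
        }
        /GET_CLIENT_MASTER_KEY:key arg too long/ && client != "" { hits[client]++ }
        { client = "" }
        END { for (c in hits) print hits[c], c }
    ' "$@" | sort -rn
}

# List the worm files named in the thread if present under ROOT/tmp
# (ROOT defaults to /). Returns 0 if any exist, 1 if none do.
slapper_artifacts() {
    root=${1:-}
    status=1
    for f in .uubugtraq .bugtraq.c .bugtraq; do
        if [ -e "$root/tmp/$f" ]; then
            echo "$root/tmp/$f"
            status=0
        fi
    done
    return "$status"
}

# Constructed sample log: one client probing twice, one unrelated failure.
sample_log() {
    cat <<'EOF'
[Sun Sep 22 09:38:10 2002] [error] mod_ssl: SSL handshake failed (server host.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sun Sep 22 09:38:10 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sun Sep 22 09:40:02 2002] [error] mod_ssl: SSL handshake failed (server host.example.com:443, client 198.51.100.7) (OpenSSL library error follows)
[Sun Sep 22 09:40:02 2002] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[Sun Sep 22 09:41:15 2002] [error] mod_ssl: SSL handshake failed (server host.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sun Sep 22 09:41:15 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
EOF
}

sample_log | slapper_probe_clients
slapper_artifacts || echo "no .bugtraq files under /tmp"
```

On a real server, pass the Apache error log path to `slapper_probe_clients` instead of piping in the sample.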
 

bert

I already did it, you probably missed my earlier post. I did not find anything on any machine.

Could you tell me though what is the ServerTokens ProductOnly entry for?

I am rebuilding apache as I write this.

Thanks again :)
 

itf

[quote][i]Originally posted by bert[/i]

I already did it, you probably missed my earlier post. I did not find anything on any machine.

Could you tell me though what is the ServerTokens ProductOnly entry for?

I am rebuilding apache as I write this.

Thanks again :)[/quote]
If you don't have the bugtraq files or the process, your systems are clear; it was an attempt by Slapper without any success. :)

OK. Slapper uses the Apache and OpenSSL versions from the HTTP headers; by putting ServerTokens in your httpd.conf, it will ignore your system.
 

bert

Thanks for all your help!

Still, should I just live with apache crashing in these two machines without paying much attention?
 

itf

[quote][i]Originally posted by bert[/i]

Thanks for all your help!

Still, should I just live with apache crashing in these two machines without paying much attention?[/quote]
After upgrading buildapache.sea, try /scripts/upcp and then reboot your server
 

bert

I will certainly do that.

Thanks again for all the help :)
 

itf

For the others who may read this thread:

If you have security updates enabled in WHM you shouldn't have to worry about this.

Read this thread for more information (I discussed it there):

http://forums.cpanel.net/read.php?TID=4602
 
