[Novalug] w00t and Dfind web scanner
Jason Kohles
jkohles at palantir.com
Mon Feb 13 09:31:35 EST 2012
The most likely answer is that something on your server that was scanned
didn't respond well to whatever the scanner sent it. If a process with an
active SSL session crashes while it holds a lock on the session cache, you
may see this happen when other sessions timeout while trying to acquire
the lock.
However, these errors did not bring your server down, they are symptoms of
crashing apache processes, whatever caused the processes to crash is most
likely what brought the server down.
--
Jason Kohles
Palantir Technologies | UNIX Systems Engineer
jkohles at palantir.com | 703.957.5784
On 2/12/12 1:41 PM, "Miguel González Castaños"
<miguel_3_gonzalez at yahoo.es> wrote:
Dear all,
I'm the system admin of a web server and I found these errors in my
apache logs:
[Tue Feb 07 10:35:08 2012] [warn] (43)Identifier removed: Failed to
release SSL session cache lock
[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to
acquire SSL session cache lock
[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to
release SSL session cache lock
[Tue Feb 07 10:36:05 2012] [warn] child process 21599 still did not
exit, sending a SIGTERM
[Tue Feb 07 10:36:06 2012] [notice] caught SIGTERM, shutting down
also some traces of Dfind web scanner:
[Mon Feb 06 05:54:01 2012] [error] [client 88.46.75.27] client sent
HTTP/1.1 request without hostname (see RFC2616 section 14.23):
/w00tw00t.at.ISC.SANS.DFind:)
I have added a rule into my iptables to block this and so far so good
However I don't know how these "failed to release SSL session cache
lock" managed to bring my apache server down and if they are somehow
related to these Dfind scans.
Any ideas?
Regards,
Miguel
_______________________________________________
Novalug mailing list
Novalug at calypso.tux.org
http://calypso.tux.org/mailman/listinfo/novalug
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4634 bytes
Desc: not available
Url : http://calypso.tux.org/pipermail/novalug/attachments/20120213/c8507507/attachment-0001.bin
More information about the Novalug
mailing list