
[Edit, addition]: Looks like this could be caused by an attack attempt. But not sure how it can be avoided? https://www.mail-archive.com/bugs@httpd.apache.org/msg57219.html

I have an Ubuntu server with apache2. mod_proxy is forwarding requests to a Java web server on a local port:

ProxyPass / http://localhost:9003/ retry=0

Yesterday I suddenly started seeing errors. Sometimes there seems to be an error from the perspective of apache mod_proxy. The default "error" page is shown instead of the data from the backend server. Apache error log:

[Mon Jan 31 08:16:09.800927 2022] [proxy:error] [pid 1061:tid 140673390929664] (13)Permission denied: AH02454: HTTP: attempt to connect to Unix domain socket /var/run/apache2/ (localhost) failed
[Mon Jan 31 08:16:09.801876 2022] [proxy:error] [pid 1061:tid 140673390929664] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 0s

This started suddenly, with no known changes or updates on the machine. It is shifting all the time. Working for some time, then not working for some time etc., with seemingly no pattern.

There is no load on the machine, and no errors or noteworthy output from the Java server at all.

Any ideas?

  • Having the same strange symptoms as you on our production servers, without any changes too. Not too informative, but letting you know that - imho - you're not isolated – Sir McPotato Jan 31 '22 at 15:25
  • We were seeing this today as well on some of our production servers... an Apache restart cleared it up at least for the time being... we are continuing to monitor our servers. – rogiller Jan 31 '22 at 16:58
  • We are seeing this issue too. FYI, for us, Apache is fronting a Tomcat container – Kunal Jan 31 '22 at 23:08
  • Found https://www.traccar.org/forums/topic/server-error/ this morning... the one commenter there seems to think it's an Apache exploit and links to https://www.rapid7.com/blog/post/2021/11/30/active-exploitation-of-apache-http-server-cve-2021-40438/ – rogiller Feb 01 '22 at 12:53
  • @rogiller I think this is indeed related, thanks! Time to plan updates – Sir McPotato Feb 02 '22 at 09:32
  • That same rapid7 page says that it is advisable to upgrade to 2.4.51 (at time of writing) due to other vulnerabilities found in 2.4.49 and 2.4.50. Just for everyone to know. I just upgraded my production server to 2.4.52. Thank you everyone. – gmanjon Feb 06 '22 at 20:45
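
Added example, not part of the original question or its comments: a small log check that flags AH02454 Unix-domain-socket connection attempts when no proxy directive in the configuration references a `unix:` backend, which is the mismatch visible in the question (a plain `http://localhost:9003/` backend, yet a socket error). The function names are hypothetical, the error-log layout is assumed to match the lines quoted above, and the sample input is constructed from those lines.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed input: the two error-log lines and the ProxyPass line quoted in
# the question, plus one unrelated notice line added for contrast.
SAMPLE_LOG = """\
[Mon Jan 31 08:16:09.800927 2022] [proxy:error] [pid 1061:tid 140673390929664] (13)Permission denied: AH02454: HTTP: attempt to connect to Unix domain socket /var/run/apache2/ (localhost) failed
[Mon Jan 31 08:16:09.801876 2022] [proxy:error] [pid 1061:tid 140673390929664] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 0s
[Mon Jan 31 08:20:01.000001 2022] [mpm_event:notice] [pid 1000:tid 140673390929000] AH00489: Apache/2.4.x (Ubuntu) configured -- resuming normal operations
"""
SAMPLE_CONF = "ProxyPass / http://localhost:9003/ retry=0\n"

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[pid (?P<pid>\d+)(?::tid \d+)?\] (?P<msg>.*)$")
SOCK_RE = re.compile(r"AH02454: \S+ attempt to connect to Unix domain socket "
                     r"(?P<path>\S+) \((?P<worker>[^)]*)\) failed")

def configured_sockets(conf_text):
    """Socket paths that proxy directives legitimately reference via unix:."""
    socks = set()
    for line in conf_text.splitlines():
        if not line.lstrip().startswith("#"):  # ignore commented-out directives
            socks.update(re.findall(r"unix:([^|\s\"']+)", line))
    return socks

def unexpected_socket_attempts(log_text, conf_text):
    """AH02454 events whose socket path is not a configured backend."""
    allowed = configured_sockets(conf_text)
    events = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        sock = SOCK_RE.search(line.group("msg")) if line else None
        if sock and sock.group("path") not in allowed:
            events.append({
                "time": datetime.strptime(line.group("ts"), "%a %b %d %H:%M:%S.%f %Y"),
                "pid": int(line.group("pid")),
                "path": sock.group("path"),
                "worker": sock.group("worker"),
            })
    return events

def per_minute(events):
    """Count events per minute to expose the intermittent on/off pattern."""
    return Counter(e["time"].strftime("%Y-%m-%d %H:%M") for e in events)

if __name__ == "__main__":
    hits = unexpected_socket_attempts(SAMPLE_LOG, SAMPLE_CONF)
    for minute, count in sorted(per_minute(hits).items()):
        print(minute, count)
```

A non-empty result does not by itself confirm an attack; it marks the time windows to correlate with the access log and with the installed Apache version discussed in the comments.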

0 Answers