OSEC

 
From: Christoph Wegener (cwebph.ruhr-uni-bochum.de)
Date: Fri Jun 28 2002 - 13:27:48 CDT


    Hi everybody,

    FYI: here is a little summary from debian-security from this day concerning the "apache worm"....

    Enjoy and have a happy weekend ;))
    Christoph

    ------- Start of forwarded message -------
    From: Domas Mituzas <domas.mituzasmicrolink.lt>
    To: freebsd-securityFreeBSD.ORG
    Cc: bugtraqsecurityfocus.com, os_bsdkonferencijos.lt
    Subject: Fwd: Apache worm in the wild
    Date: 28.6.2002 13:01:32

    Hi,

    our honeypot systems trapped new apache worm(+trojan) in the wild. It
    traverses through the net, and installs itself on all vulnerable apaches
    it finds. No source code available yet, but I put the binaries into public
    place, and more investigation is to be done.

    http://dammit.lt/apache-worm/

    Regards,
    Domas Mituzas

    Central systems MicroLink Data


    -------- End of forwarded message --------

    On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote:

    Hi,

    > our honeypot systems trapped new apache worm(+trojan) in the wild. It
    > traverses through the net, and installs itself on all vulnerable apaches
    > it finds. No source code available yet, but I put the binaries into public

    Wow, an interesting puppy. I just ran it through dasm to get the
    assembler dump. The executable is not even stripped, and makes an
    interesting read, as it gives lots of information. It looks like it was
    either coded by someone with little experience or in a hurry, and there
    are several system calls like this one:

    Possible reference to string:
    "/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;"

    I wonder how many variants of this kind of thing we'll see, but I assume most people
    running Apache have upgraded already.

    Cheers,

    --
            Miguel Mendez - flynnenergyhq.homeip.net
            GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
            EnergyHQ :: http://www.energyhq.tk
            Of course it runs NetBSD!
    

    ------- Start of forwarded message -------
    From: Brett Glass <brettlariat.org>
    To: flynnenergyhq.homeip.net, Domas Mituzas <domas.mituzasmicrolink.lt>
    Cc: freebsd-securityFreeBSD.ORG, bugtraqsecurityfocus.com, os_bsdkonferencijos.lt
    Subject: Fwd: Re: Apache worm in the wild
    Date: 28.6.2002 19:27:13

    At 05:38 AM 6/28/2002, flynnenergyhq.homeip.net wrote:

    > I wonder how many variants of this kind of thing we'll see, but I assume most people
    > running Apache have upgraded already.

    Upgrading Apache may prevent your system from being taken over, but it doesn't necessarily prevent it from being DoSed. One of my Apache servers, which had been upgraded to 2.0.39, went berserk on June 25th, spawning the maximum number of child processes and then locking up. The server did not appear to have been infiltrated, but the logs were filled with megabytes of messages indicating that the child processes were repeatedly trying to free chunks of memory that were already free. Probably the result of an attempted exploit going awry. (It could have been aimed at Linux, or at a different version of Apache; can't tell. But clearly it got somewhere, though not all the way.)

    --Brett


    -------- End of forwarded message --------

    ------- Start of forwarded message -------
    From: "wink" <winkdeceit.org>
    To: "Domas Mituzas" <domas.mituzasmicrolink.lt>, freebsd-securityFreeBSD.ORG
    Cc: bugtraqsecurityfocus.com, os_bsdkonferencijos.lt
    Subject: Fwd: Re: Apache worm in the wild
    Date: 28.6.2002 20:10:05

    Running strings on the binary, amongst other things, produces an IP address (12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also:

    FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
    FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)

    I went ahead and touch'ed .a, .uua, and .log in /tmp and used chflags to set them immutable, as I didn't see any real error handling on failed I/O operations. Some other strings not mentioned yet are:

    rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s

    That's all I have time for at the moment.


    -------- End of forwarded message --------

    --
    Ruhr-Universitaet Bochum, Lehrstuhl fuer Biophysik
    c/o Christoph Wegener
    Gebaeude ND 04/Nord
    D-44780 Bochum, GERMANY
    L I N U X  >Penguin Computing<
    Tel: +49 (234) 32-25754   Fax: +49 (234) 32-14626
    mailto:cwebph.ruhr-uni-bochum.de
    http://www.bph.ruhr-uni-bochum.de

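A small triage helper, added here and not code from any poster in the thread, that automates the strings(1) inspection Miguel and wink describe: it pulls printable runs out of a binary and matches them against the dropper shell fragments and Apache banners quoted in the messages above. The sample bytes are constructed for the example; the ELF prefix and padding are assumptions, not taken from the real binary.

```python
"""Triage helper for the Apache worm binaries discussed in the thread.

Added example (not code from any poster or from the worm). It re-implements
the two manual steps the thread describes: a strings(1)-style extraction of
printable runs, and a match against the indicators quoted in the messages.
"""
from __future__ import annotations

import re

# Indicators taken verbatim from the thread: shell fragments the dropper
# runs, and the FreeBSD/Apache banners the worm appears to target.
DROPPER_FRAGMENTS = (
    "/usr/bin/uudecode -p /tmp/.uua",
    "killall -9 .a",
    "cat > /tmp/.uua << __eof__",
    'export PATH="/tmp";init',
)
TARGET_BANNERS = (
    "FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)",
    "FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)",
)


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_indicators(blob: bytes) -> dict[str, list[str]]:
    """Map each indicator found to the extracted strings that contain it."""
    hits: dict[str, list[str]] = {}
    for s in extract_strings(blob):
        for ind in DROPPER_FRAGMENTS + TARGET_BANNERS:
            if ind in s:
                hits.setdefault(ind, []).append(s)
    return hits


def looks_like_dropper(blob: bytes) -> bool:
    """Flag only on a dropper command; banners alone also occur in benign
    scanners and version databases, so they are reported but not decisive."""
    return any(ind in find_indicators(blob) for ind in DROPPER_FRAGMENTS)


# Constructed sample: junk bytes around the exact strings quoted in the thread.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;"
    + b"killall -9 .a;/tmp/.a %s;exit;\x00"
    + b"\x90\x90FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)\x00"
)
BENIGN = b"\x7fELF\x00\x00Hello, world\x00Apache/1.3.20 (Unix)\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, looks_like_dropper(blob), sorted(find_indicators(blob)))
```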