
List:       jaxlug-list
Subject:    [JaxLUG] [Fwd: [suse-security] Apache worm in the wild - forwarded from
From:       "Thomas E. Beasley, Jr." <beesknees () earthlink ! net>
Date:       2002-06-30 21:08:38

Hi friends of JaxLug, 

I'm passing this on from the SuSE list FYI. 

Catch you later, 

Tom , in _ usually _ sunny, balmy Florida's First Coast. 
                                                      ><> <>< 
With enough eyes, all bugs are shallow. -Linus Torvalds 
                                                     ><> <><
____________________________________________________________________________ 
This message originated from a Unix computer using Open Source software:
SuSE Linux 7.2 Pro, Galeon 1.2.0-9 Browser,  AbiWord 1.0.1 Word
Processor, OpenOffice 1.0 and Evolution 1.0.5-1 Groupware Suite. Have a
lot of fun!!!  (Unix is like a wigwam -- no Gates, no Windows, and an
Apache inside.) 


Status:  U
Return-Path: <suse-security-return-14436-beesknees=earthlink.net@suse.com>
Received: from lists.suse.com ([217.9.113.68]) by emu (EarthLink SMTP
	Server) with SMTP id 17o0vR2tm3NZFnx0 for <beesknees@earthlink.net>; Fri,
	28 Jun 2002 11:30:30 -0700 (PDT)
Received: (qmail 17238 invoked by alias); 28 Jun 2002 18:27:45 -0000
Mailing-List: contact suse-security-help@suse.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:suse-security@suse.com>
List-Help: <mailto:suse-security-help@suse.com>
List-Unsubscribe: <mailto:suse-security-unsubscribe@suse.com>
List-Subscribe: <mailto:suse-security-subscribe@suse.com>
X-MIME-Notice: attachments may have been removed from this message
X-Mailinglist: suse-security
Delivered-To: mailing list suse-security@suse.com
Received: (qmail 17211 invoked from network); 28 Jun 2002 18:27:44 -0000
From: Christoph Wegener <cwe@bph.ruhr-uni-bochum.de>
To: suse-security@suse.com
Date: Fri, 28 Jun 2002 20:27:48 +0200
X-Priority: 3 (Normal)
Organization: Lehrstuhl fuer Biophysik - Ruhr-Universitaet Bochum 
Message-Id: <LJBA2XFD2U6545YA8GBKEB6KHRQ72OJ.3d1caaa4@gonzo>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
X-Mailer: Opera 6.03 build 1107
Subject: [suse-security] Apache worm in the wild - forwarded from
	debian-security

Hi everybody,

FYI: here is a little summary from debian-security from this day concerning the "apache worm"....

Enjoy and have a happy weekend ;))
Christoph

------- Start of forwarded message -------
From: Domas Mituzas <domas.mituzas@microlink.lt>
To: freebsd-security@FreeBSD.ORG
Cc: bugtraq@securityfocus.com, os_bsd@konferencijos.lt
Subject: Fwd: Apache worm in the wild
Date: 28.6.2002 13:01:32

Hi,

our honeypot systems trapped a new apache worm (+trojan) in the wild. It
traverses through the net, and installs itself on all vulnerable apaches
it finds. No source code available yet, but I put the binaries into public
place, and more investigation is to be done.

http://dammit.lt/apache-worm/

Regards,
Domas Mituzas

Central systems @ MicroLink Data


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


-------- End of forwarded message --------

On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote:

Hi,

> our honeypot systems trapped a new apache worm (+trojan) in the wild. It
> traverses through the net, and installs itself on all vulnerable apaches
> it finds. No source code available yet, but I put the binaries into public

Wow, an interesting puppy. I just ran it through dasm to get the
assembler dump. The executable is not even stripped, and makes an
interesting read, as it gives lots of information. It looks like it was
either coded by someone with little experience or in a hurry, and there
are several system calls like this one:

Possible reference to string:
"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;"

I wonder how many variants of this kind of thing we'll see, but I assume most people
running Apache have upgraded already.

Cheers,
--
        Miguel Mendez - flynn@energyhq.homeip.net
        GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
        EnergyHQ :: http://www.energyhq.tk
        Of course it runs NetBSD!


------ Start of forwarded message -------
From: Brett Glass <brett@lariat.org>
To: flynn@energyhq.homeip.net, Domas Mituzas <domas.mituzas@microlink.lt>
Cc: freebsd-security@FreeBSD.ORG, bugtraq@securityfocus.com, os_bsd@konferencijos.lt
Subject: Fwd: Re: Apache worm in the wild
Date: 28.6.2002 19:27:13

At 05:38 AM 6/28/2002, flynn@energyhq.homeip.net wrote:

>I wonder how many variants of this kind of thing we'll see, but I assume most people 
>running Apache have upgraded already.

Upgrading Apache may prevent your system from being taken over,
but it doesn't necessarily prevent it from being DoSed. One of
my Apache servers, which had been upgraded to 2.0.39, went berserk 
on June 25th, spawning the maximum number of child processes and
then locking up. The server did not appear to have been infiltrated,
but the logs were filled with megabytes of messages indicating that
the child processes were repeatedly trying to free chunks of memory 
that were already free. Probably the result of an attempted exploit
going awry. (It could have been aimed at Linux, or at a different
version of Apache; can't tell. But clearly it got somewhere, though
not all the way.)

--Brett


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


-------- End of forwarded message --------

------- Start of forwarded message -------
From: "wink" <wink@deceit.org>
To: "Domas Mituzas" <domas.mituzas@microlink.lt>, freebsd-security@FreeBSD.ORG
Cc: bugtraq@securityfocus.com, os_bsd@konferencijos.lt
Subject: Fwd: Re: Apache worm in the wild
Date: 28.6.2002 20:10:05

Running strings on the binary amongst other things produces an IP address
(12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also:

FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)

I went ahead and touched .a, .uua, and .log in /tmp and used chflags to set them
immutable, as I didn't see any real error handling on failed I/O operations.
Some other strings not mentioned yet are:

rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;
mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s

That's all I have time for at the moment.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


-------- End of forwarded message --------
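The thread above gives a handful of host-level indicators (the /tmp/.a, /tmp/.uua, /tmp/.log and /tmp/init names in the quoted command strings, and the 12.127.17.71 address from the strings run) and one mitigation (wink's pre-created immutable placeholder files). The following triage script is an added example written for this archive page, not code from any of the posters: it checks a directory for non-empty indicator files, scans netstat-style output for the embedded address, and plants the empty placeholders. The file names and address are taken from the thread; the chflags schg / chattr +i flags, the function names and the netstat sample in the test are my assumptions.

```sh
#!/bin/sh
# Host triage for the FreeBSD/Apache worm discussed in this thread (added example).
# Indicator file names and the remote address come from the strings quoted above;
# the immutable-flag commands and function layout are assumptions of this example.

WORM_FILES=".a .uua .log init"   # names the quoted command strings create under /tmp
WORM_HOST="12.127.17.71"         # address found by running strings on the binary

# check_tmp_indicators DIR
#   Report non-empty indicator files in DIR. Zero-byte files are treated as the
#   immutable placeholders wink describes, not as evidence of infection.
#   Returns 0 when nothing suspicious is found, 1 otherwise.
check_tmp_indicators() {
    dir=$1
    hits=0
    for name in $WORM_FILES; do
        target="$dir/$name"
        if [ -s "$target" ]; then
            echo "SUSPICIOUS: $target exists and is non-empty"
            hits=1
        elif [ -e "$target" ]; then
            echo "placeholder: $target (empty)"
        fi
    done
    return $hits
}

# check_connections ADDR
#   Read netstat-style output on stdin; return 1 (suspicious) if any line
#   mentions ADDR, 0 if none does.
check_connections() {
    if grep -F -- "$1" >/dev/null; then
        echo "SUSPICIOUS: connection involving $1"
        return 1
    fi
    return 0
}

# plant_placeholders DIR
#   wink's mitigation: pre-create (empty) the files the worm writes and mark them
#   immutable so its unchecked writes fail. Existing files are left untouched.
#   chflags (FreeBSD) / chattr (Linux) need root; failure is reported, not fatal.
plant_placeholders() {
    dir=$1
    for name in .a .uua .log; do
        target="$dir/$name"
        [ -e "$target" ] || : > "$target"
        if command -v chflags >/dev/null 2>&1; then
            chflags schg "$target" 2>/dev/null || echo "note: could not set schg on $target (root needed?)"
        elif command -v chattr >/dev/null 2>&1; then
            chattr +i "$target" 2>/dev/null || echo "note: could not set +i on $target (root needed?)"
        fi
    done
}

# scan_host [TMPDIR]
#   Full triage: indicator files in TMPDIR (default /tmp), then live connections.
scan_host() {
    status=0
    check_tmp_indicators "${1:-/tmp}" || status=1
    if command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null | check_connections "$WORM_HOST" || status=1
    fi
    return $status
}

# Usage: sh apache_worm_triage.sh scan    -> triage this host
#        sh apache_worm_triage.sh plant   -> plant placeholders in /tmp (run as root)
case "${1:-}" in
    scan)  scan_host /tmp ;;
    plant) plant_placeholders /tmp ;;
esac
```

Run the scan first and the plant step second: a non-empty /tmp/.a or /tmp/.uua before any placeholders exist is worth preserving for analysis, not overwriting. The placeholder trick only works because, as wink notes, the binary does not check the result of its writes; it is a stopgap, not a substitute for the Apache upgrade discussed earlier in the thread.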
--
    .-.                             Ruhr-Universitaet Bochum
    /v\    L   I   N   U   X        Lehrstuhl fuer Biophysik
   // \\  >Penguin Computing<       c/o Christoph Wegener
  /(   )\                           Gebaeude ND 04/Nord
   ^^-^^                            D-44780 Bochum, GERMANY

Tel: +49 (234) 32-25754             Fax: +49 (234) 32-14626
mailto:cwe@bph.ruhr-uni-bochum.de   http://www.bph.ruhr-uni-bochum.de





-- 
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here


_______________________________________________
Jaxlug-list mailing list
http://jaxlug.org/mailman/listinfo/jaxlug-list
