Apache worm in the wild - forwarded from debian-security

Hi everybody, FYI: here is a little summary from debian-security from this day concerning the "apache worm".... Enjoy and have a happy weekend ;)) Christoph ------- Start of forwarded message ------- From: Domas Mituzas To: freebsd-security@FreeBSD.ORG Cc: bugtraq@securityfocus.com, os_bsd@konferencijos.lt Subject: Fwd: Apache worm in the wild Date: 28.6.2002 13:01:32 Hi, our honeypot systems trapped new apache worm(+trojan) in the wild. It traverses through the net, and installs itself on all vulnerable apaches it finds. No source code available yet, but I put the binaries into public place, and more investigation is to be done. http://dammit.lt/apache-worm/ Regards, Domas Mituzas Central systems @ MicroLink Data To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message -------- End of forwarded message -------- On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote: Hi,

our honeypot systems trapped new apache worm(+trojan) in the wild. It traverses through the net, and installs itself on all vulnerable apaches it finds. No source code available yet, but I put the binaries into public

Wow, an interesting puppy. I just ran it through dasm to get the assembler dump. The executable is not even stripped, and makes an interesting read, as it gives lots of information. It looks like it was either coded by someone with little experience or in a hurry, and there are several system calls like this one: Possible reference to string: "/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/ tmp/.a %s;exit;" I wonder how many variants of this kind of thing we'll see, but I assume most people running Apache have upgraded already. Cheers, -- Miguel Mendez - flynn@energyhq.homeip.net GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt EnergyHQ :: http://www.energyhq.tk Of course it runs NetBSD! ------ Start of forwarded message ------- From: Brett Glass To: flynn@energyhq.homeip.net, Domas Mituzas Cc: freebsd-security@FreeBSD.ORG, bugtraq@securityfocus.com, os_bsd@konferencijos.lt Subject: Fwd: Re: Apache worm in the wild Date: 28.6.2002 19:27:13 At 05:38 AM 6/28/2002, flynn@energyhq.homeip.net wrote:

I wonder how many variants of this kind of thing we'll see, but I assume most people running Apache have upgraded already.

Upgrading Apache may prevent your system from being taken over, but it doesn't necessarily prevent it from being DoSed. One of my Apache servers, which had been upgraded to 2.0.39, went berserk on June 25th, spawning the maximum number of child processes and then locking up. The server did not appear to have been infiltrated, but the logs were filled with megabytes of messages indicating that the child processes were repeatedly trying to free chunks of memory that were already free. Probably the result of an attempted exploit going awry. (It could have been aimed at Linux, or at a different version of Apache; can't tell. But clearly it got somewhere, though not all the way.) --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message -------- End of forwarded message -------- ------- Start of forwarded message ------- From: "wink" To: "Domas Mituzas" , freebsd-security@FreeBSD.ORG Cc: bugtraq@securityfocus.com, os_bsd@konferencijos.lt Subject: Fwd: Re: Apache worm in the wild Date: 28.6.2002 20:10:05 Running strings on the binary amongst other things produces an ip address (12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also: FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix) FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) I went ahead and touch'ed .a, .uua, and .log in /tmp and chflags to set them immutable as I didn't see any real error handling on failed i/o operations. Some other strings not mentioned yet are: rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s that's all i have time for at the moment. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message -------- End of forwarded message -------- -- .-. Ruhr-Universitaet Bochum /v\ L I N U X Lehrstuhl fuer Biophysik // \\ >Penguin Computing< c/o Christoph Wegener /( )\ Gebaeude ND 04/Nord ^^-^^ D-44780 Bochum, GERMANY Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626 mailto:cwe@bph.ruhr-uni-bochum.de http://www.bph.ruhr-uni-bochum.de