Date: Fri, 28 Jun 2002 13:38:34 +0200
From: flynn@energyhq.homeip.net
To: Domas Mituzas
Cc: freebsd-security@freebsd.org, bugtraq@securityfocus.com, os_bsd@konferencijos.lt
Subject: Re: Apache worm in the wild
Message-ID: <20020628113834.GA10062@energyhq.homeip.net>
In-Reply-To: <20020628125817.O68824-100000@axis.tdd.lt>
User-Agent: Mutt/1.4i

On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote:
> Hi,
> our honeypot systems trapped new apache worm(+trojan) in the wild. It
> traverses through the net, and installs itself on all vulnerable apaches
> it finds. No source code available yet, but I put the binaries into public

Wow, an interesting puppy. I just ran it through dasm to get the
assembler dump. The executable is not even stripped, and makes an
interesting read, as it gives lots of information. It looks like it was
either coded by someone with little experience or in a hurry, and there
are several system calls like this one:

Possible reference to string:
"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;"

I wonder how many variants of this kind of thing we'll see, but I assume
most people running Apache have upgraded already.

Cheers,
-- 
Miguel Mendez - flynn@energyhq.homeip.net
GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
EnergyHQ :: http://www.energyhq.tk
Of course it runs NetBSD!
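The author found the dropper's shell command by reading the strings of the unstripped binary. The following is an added example, not code from the message or from either poster: a small `strings`-style extractor plus an indicator match that automates that same check on a file, using only the command fragments quoted in the message as indicators. The sample "binary" contents below are constructed for the demonstration; the indicator names and the `is_suspicious` rule are this example's own choices.

```python
"""Scan a binary blob for the decode-and-execute command quoted in the post.

Added example (not from the original message). It pulls printable ASCII
strings out of arbitrary bytes, the way `strings` does, and reports which
of the quoted indicators appear. Sample inputs are constructed inline.
"""
import re
from typing import Dict, List

# Indicators taken from the command string quoted in the message.
INDICATORS = (
    "/usr/bin/uudecode -p /tmp/.uua",
    "/tmp/.a",
    "killall -9 .a",
)


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings -n`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_indicators(blob: bytes) -> Dict[str, List[str]]:
    """Map each indicator that occurs to the embedded strings containing it."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(blob):
        for ind in INDICATORS:
            if ind in s:
                hits.setdefault(ind, []).append(s)
    return hits


def is_suspicious(blob: bytes) -> bool:
    """Flag only the full uudecode-then-killall chain, not a lone /tmp/.a path.

    A bare "/tmp/.a" substring also matches benign names such as
    /tmp/.alpha-config, so it is reported by find_indicators() but does not
    by itself make the file suspicious.
    """
    hits = find_indicators(blob)
    return "/usr/bin/uudecode -p /tmp/.uua" in hits and "killall -9 .a" in hits


# Constructed sample: a fake binary with junk bytes around the quoted command.
SAMPLE_INFECTED = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(256)) * 2
    + b"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;"
      b"killall -9 .a;/tmp/.a %s;exit;\x00"
    + b"\x00\xffconstructed-junk\x00"
)
# Constructed sample: a benign file whose only overlap is a /tmp/.a-prefixed path.
SAMPLE_CLEAN = b"\x7fELF" + b"\x00" * 64 + b"/tmp/.alpha-config\x00Usage: foo [file]\x00"

if __name__ == "__main__":
    for name, blob in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, is_suspicious(blob), find_indicators(blob))
```

Run it on a real file with `is_suspicious(open(path, "rb").read())`; the two-indicator rule in `is_suspicious` is what keeps a stray `/tmp/.a` prefix in an unrelated program from being reported as an infection.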