From owner-freebsd-security Fri Jun 28 11:10:41 2002
From: "wink" <wink@deceit.org>
To: "Domas Mituzas"
Cc: freebsd-security@freebsd.org
References: <20020628125817.O68824-100000@axis.tdd.lt>
Subject: Re: Apache worm in the wild
Date: Fri, 28 Jun 2002 13:10:05 -0500
Message-ID: <016901c21ecf$0e506ad0$a101000a@Lust>

Running strings on the binary, amongst other things, produces an IP address (12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also:

FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)

I went ahead and touch'ed .a, .uua, and .log in /tmp and used chflags to set them immutable, as I didn't see any real error handling on failed I/O operations.

Some other strings not mentioned yet are:

rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;
mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s

That's all I have time for at the moment.
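The post relies on running strings(1) over the captured binary and reading off a handful of indicator strings. The script below, added here as an illustration and not part of the original thread, reproduces that check offline: it extracts printable runs the way strings(1) does and reports which of the indicators quoted in the post appear. The indicator list is taken verbatim from the message above; the sample blob it is run against is constructed for the example and is not a real worm binary.

```python
"""Scan a file for the indicator strings quoted in the freebsd-security post.

Added example: mimics `strings <binary> | grep` for the indicators the
poster listed, so a responder can triage a suspect /tmp binary offline.
"""
import re
from pathlib import Path

# Indicators copied from the post: the hard-coded IP, the two banner strings,
# and the two shell-command fragments. Matched as plain substrings of
# printable runs, so partial matches inside longer strings still count.
INDICATORS = (
    "12.127.17.71",
    "FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)",
    "FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)",
    "rm -rf /tmp/.a;cat > /tmp/.uua << __eof__",
    'mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s',
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic strings(1): return runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_indicators(data: bytes) -> list[str]:
    """Return the indicators (in INDICATORS order) found in any printable run."""
    runs = extract_strings(data)
    return [ind for ind in INDICATORS if any(ind in run for run in runs)]


def scan_file(path) -> list[str]:
    """Convenience wrapper: scan a file on disk and return the indicators hit."""
    return find_indicators(Path(path).read_bytes())


# Constructed sample blob (not a real binary): an ELF-looking header, some
# opaque bytes, and two of the indicator strings embedded between them.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"12.127.17.71\x00"
    + b"\x8b\x45\xfc\x89\x04\x24"
    + b"FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)\x00"
    + b"\xe8\x00\x00\x00\x00"
)

# Constructed benign blob: no indicator strings present.
CLEAN_BLOB = b"\x7fELF" + b"\x00" * 16 + b"hello world\x00"


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_BLOB), ("clean", CLEAN_BLOB)):
        hits = find_indicators(blob)
        verdict = "SUSPECT: " + ", ".join(hits) if hits else "no indicators"
        print(f"{name}: {verdict}")
```

To use it on a real capture, call `scan_file("/path/to/suspect")`; an empty list means none of the quoted strings were found, which is not proof the file is clean, only that this particular set of indicators is absent. The post's own mitigation (pre-creating /tmp/.a, /tmp/.uua and /tmp/.log and marking them immutable with chflags) is independent of this scan.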