Date: Fri, 28 Jun 2002 14:42:02 -0400 From: "Rothe, Greg (G.A.)" <grothe@ford.com> To: "'flynn@energyhq.homeip.net'" <flynn@energyhq.homeip.net>, Domas Mituzas <domas.mituzas@microlink.lt> Cc: freebsd-security@freebsd.org, bugtraq@securityfocus.com, os_bsd@konferencijos.lt Subject: RE: Apache worm in the wild Message-ID: <200206281842.g5SIgOT05495@dymwsm09.mailwatch.com>
next in thread | raw e-mail | index | archive | help
Sorry, I'm confused. Which versions of apache qualify as "vulnerable?"
-Greg
-----Original Message-----
From: flynn@energyhq.homeip.net [mailto:flynn@energyhq.homeip.net]
Sent: Friday, June 28, 2002 7:39 AM
To: Domas Mituzas
Cc: freebsd-security@freebsd.org; bugtraq@securityfocus.com; os_bsd@konferencijos.lt
Subject: Re: Apache worm in the wild
On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote:
Hi,
> our honeypot systems trapped new apache worm(+trojan) in the wild. It
> traverses through the net, and installs itself on all vulnerable
> apaches it finds. No source code available yet, but I put the binaries
> into public
Wow, an interesting puppy. I just ran it through dasm to get the assembler dump. The executable is not even stripped, and makes an interesting read, as it gives lots of information. It looks like it was either coded by someone with little experience or in a hurry, and there are several system calls like this one:
Possible reference to string:
"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/ tmp/.a %s;exit;"
I wonder how many variants of this kind of thing we'll see, but I assume most people
running Apache have upgraded already.
Cheers,
--
Miguel Mendez - flynn@energyhq.homeip.net
GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
EnergyHQ :: http://www.energyhq.tk
Of course it runs NetBSD!
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206281842.g5SIgOT05495>