From owner-freebsd-security Fri Jun 28 11:44:39 2002
Message-Id: <200206281842.g5SIgOT05495@dymwsm09.mailwatch.com>
From: "Rothe, Greg (G.A.)" <grothe@ford.com>
To: "'flynn@energyhq.homeip.net'", Domas Mituzas
Cc: freebsd-security@freebsd.org, bugtraq@securityfocus.com, os_bsd@konferencijos.lt
Subject: RE: Apache worm in the wild
Date: Fri, 28 Jun 2002 14:42:02 -0400
X-Mailer: Internet Mail Service (5.5.2655.15)
Content-Type: text/plain
Sorry, I'm confused. Which versions of apache qualify as "vulnerable"?

-Greg

-----Original Message-----
From: flynn@energyhq.homeip.net [mailto:flynn@energyhq.homeip.net]
Sent: Friday, June 28, 2002 7:39 AM
To: Domas Mituzas
Cc: freebsd-security@freebsd.org; bugtraq@securityfocus.com; os_bsd@konferencijos.lt
Subject: Re: Apache worm in the wild

On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote:

Hi,

> our honeypot systems trapped new apache worm(+trojan) in the wild. It
> traverses through the net, and installs itself on all vulnerable
> apaches it finds. No source code available yet, but I put the binaries
> into public

Wow, an interesting puppy. I just ran it through dasm to get the assembler dump. The executable is not even stripped, and makes an interesting read, as it gives lots of information. It looks like it was either coded by someone with little experience or in a hurry, and there are several system calls like this one:

Possible reference to string:
"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;"

I wonder how many variants of this kind of thing we'll see, but I assume most people running Apache have upgraded already.

Cheers,
-- 
Miguel Mendez - flynn@energyhq.homeip.net
GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
EnergyHQ :: http://www.energyhq.tk
Of course it runs NetBSD!
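As an added example (not part of the thread, and not code from any of the posters), here is a small Python triage helper that does in miniature what the string dump above reveals: it pulls printable-string runs out of a binary the way strings(1) does, then flags the strings that combine several drop-and-execute indicators (uudecode into a hidden /tmp file, chmod +x, killall -9, commands chained with semicolons). The ELF-looking blob is constructed for the example; the embedded command line is the one quoted in Miguel's message, and the indicator names, patterns and the two-indicator threshold are this example's own choices, not anything taken from an analysis of the worm.

```python
import re
from typing import Dict, List, Tuple

# Regexes for fragments of a "decode, mark executable, run" sequence.
# Names and patterns are this example's own choice, not from the thread.
DROPPER_INDICATORS: Dict[str, str] = {
    "uudecode": r"\buudecode\b",
    "hidden_tmp_file": r"/tmp/\.[A-Za-z0-9_]+",
    "chmod_exec": r"\bchmod\s+\+x\b",
    "killall_force": r"\bkillall\s+-9\b",
    "shell_chain": r";\s*\S",
}

# A string needs this many distinct indicators before it is reported, so a
# lone "/tmp/.X11-unix" or a stray semicolon in a format string is not flagged.
MIN_INDICATORS = 2


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII at least min_len bytes long, like strings(1)."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def flag_dropper_commands(strings: List[str]) -> List[Tuple[str, List[str]]]:
    """Pair each suspicious string with the names of the indicators it matched."""
    hits = []
    for s in strings:
        matched = [name for name, pat in DROPPER_INDICATORS.items() if re.search(pat, s)]
        if len(matched) >= MIN_INDICATORS:
            hits.append((s, matched))
    return hits


def triage(data: bytes) -> List[Tuple[str, List[str]]]:
    """Full pipeline: raw bytes -> printable strings -> flagged drop-and-execute commands."""
    return flag_dropper_commands(extract_strings(data))


# Constructed stand-in for a captured, unstripped binary: an ELF-looking
# header, a few ordinary compiler/libc strings, and the command line quoted
# in the thread. Nothing here is bytes from the real sample.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"GCC: (GNU) 2.95.3\x00"
    + b"/usr/lib/libc.so.6\x00"
    + b"\x01\x02\x03socket\x00connect\x00send\x00"
    + b"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;"
      b"chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;\x00"
    + b"\xff\xfe\x00\x00"
)

if __name__ == "__main__":
    for text, indicators in triage(SAMPLE_BINARY):
        print(f"{', '.join(indicators)}:\n    {text}")
```

Run against the constructed blob, the ordinary strings (compiler tag, libc path, socket API names) pass through unflagged and only the embedded command line is reported, with all five indicators. The threshold matters more than any single pattern: "/tmp/.something" alone is common in legitimate software, and it is the combination of hidden temp file, decode step, chmod and forced kill in one string that is characteristic.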