Date: Fri, 28 Jun 2002 13:10:05 -0500 From: "wink" <wink@deceit.org> To: "Domas Mituzas" <domas.mituzas@microlink.lt>, <freebsd-security@freebsd.org> Cc: <bugtraq@securityfocus.com>, <os_bsd@konferencijos.lt> Subject: Re: Apache worm in the wild Message-ID: <016901c21ecf$0e506ad0$a101000a@Lust> References: <20020628125817.O68824-100000@axis.tdd.lt>
next in thread | previous in thread | raw e-mail | index | archive | help
Running strings on the binary amongst other things produces an ip address (12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also: FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix) FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) I went ahead and touch'ed .a, .uua, and .log in /tmp and chflags to set them immutable as I didn't see any real error handling on failed i/o operations. Some other strings not mentioned yet are: rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s that's all i have time for at the moment. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?016901c21ecf$0e506ad0$a101000a>