From owner-freebsd-security Fri Jun 28 13:25:49 2002
Delivered-To: freebsd-security@freebsd.org
Message-ID: <016901c21ecf$0e506ad0$a101000a@Lust>
From: "wink"
To: "Domas Mituzas"
References: <20020628125817.O68824-100000@axis.tdd.lt>
Subject: Re: Apache worm in the wild
Date: Fri, 28 Jun 2002 13:10:05 -0500
Sender: owner-freebsd-security@FreeBSD.ORG

Running strings on the binary amongst other things produces an IP address
(12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also:

    FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
    FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)

I went ahead and touched .a, .uua, and .log in /tmp and used chflags to set
them immutable, as I didn't see any real error handling on failed I/O
operations.

Some other strings not mentioned yet are:

    rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s

That's all I have time for at the moment.
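As an added example (not part of the original post or of any tool mentioned in it), the following Python script reproduces the triage step described above in a form a defender can run offline: it extracts printable runs from a binary the way strings(1) does, matches them against the indicator strings quoted in the post, and lists every /tmp path the binary references so the placeholder files to pre-create and mark immutable can be read off the result. The sample "binary" is constructed inline and is not a real worm sample; the indicator names are labels chosen here, not anything from the post.

```python
import re
from typing import Dict, List

# Indicators quoted in the post: the embedded IP, the two server banners
# the binary carries, and the shell fragments it drops.  The label names
# on the left are this example's own choice.
INDICATORS = {
    "embedded-ip": b"12.127.17.71",
    "banner-apache-1.3.22-24": b"FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)",
    "banner-apache-1.3.20": b"FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)",
    "dropper-cleanup": b"rm -rf /tmp/.a",
    "dropper-heredoc": b"cat > /tmp/.uua << __eof__",
    "dropper-rename": b"mv /tmp/tmp /tmp/init",
    "dropper-path": b'export PATH="/tmp"',
}

MIN_STRING_LEN = 4  # same default minimum length as strings(1)


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> List[str]:
    """Return every run of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def match_indicators(data: bytes) -> Dict[str, List[int]]:
    """Map each indicator that occurs in data to the byte offsets where it appears."""
    hits: Dict[str, List[int]] = {}
    for name, needle in INDICATORS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offsets:
            hits[name] = offsets
    return hits


def tmp_paths_referenced(found: List[str]) -> List[str]:
    """Collect the /tmp paths named in the extracted strings.

    These are the files a defender would pre-create and flag immutable
    (as the post describes) so the dropper's writes fail.
    """
    paths = set()
    for s in found:
        paths.update(re.findall(r"/tmp/[A-Za-z0-9._-]+", s))
    return sorted(paths)


def scan(data: bytes) -> dict:
    """Run all three checks and return a small report."""
    found = extract_strings(data)
    return {
        "strings": found,
        "hits": match_indicators(data),
        "tmp_paths": tmp_paths_referenced(found),
    }


# Constructed sample: a fake ELF prefix and some non-printable padding
# around strings taken from the post.  Not a real sample.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)\x00"
    + b"\x90\x90\xcc\x00\x01"
    + b"12.127.17.71\x00"
    + b"rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;\x00"
    + b'mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s\x00'
)


if __name__ == "__main__":
    report = scan(SAMPLE)
    print("strings:")
    for s in report["strings"]:
        print("  " + s)
    print("indicator hits:", report["hits"])
    print("/tmp paths to pre-create and chflags immutable:", report["tmp_paths"])
```

Against a real file, read it with `open(path, "rb").read()` and pass the bytes to `scan()`; the report's `tmp_paths` list is the input to the placeholder-file mitigation the post describes, and `hits` is what to alert on if the same strings show up in other binaries found in /tmp.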