Date: Fri, 28 Jun 2002 16:07:17 -0500
From: "Clemens, Dan" <Dan.Clemens@healthsouth.com>
To: wink <wink@deceit.org>, Domas Mituzas <domas.mituzas@microlink.lt>, freebsd-security@freebsd.org
Cc: bugtraq@securityfocus.com
Subject: RE: Apache worm in the wild
Message-ID: <414492630AD3F845BD87926E57A7BBE83B07F8@hs01ms11.healthsouth.insidehrc.com>
Just out of curiosity, did this worm try to attack ports 443 and 80, or just 80?

Simply,

Daniel Uriah Clemens
HealthSouth Corp.
205.969.4781
877.806.8928
alert@us.healthsouth.com
[Ebiz|System Administrator|Packet-Ninja]

-----Original Message-----
From: wink [mailto:wink@deceit.org]
Sent: Friday, June 28, 2002 1:10 PM
To: Domas Mituzas; freebsd-security@freebsd.org
Cc: bugtraq@securityfocus.com; os_bsd@konferencijos.lt
Subject: Re: Apache worm in the wild

Running strings on the binary, amongst other things, produces an IP address
(12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also:

FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)

I went ahead and touch'ed .a, .uua, and .log in /tmp and chflags to set them
immutable, as I didn't see any real error handling on failed I/O operations.
Some other strings not mentioned yet are:

rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;
mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s

That's all I have time for at the moment.

Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please notify me immediately by replying to this message and deleting it from your computer. Thank you.
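As an added example (not code from the thread or from either poster), the strings-and-grep triage wink describes, done in Python so the result feeds straight into the inoculation step: it extracts the printable runs from the binary, flags IPv4 addresses, the FreeBSD/Apache target banners and sh dropper fragments, and lists the /tmp paths those fragments touch. The SAMPLE_BINARY blob is constructed from the strings quoted in the message and is not the real worm binary; the bucket names, regexes and SHELL_HINTS list are this example's own choices.

```python
"""Added example (not part of the original thread): a minimal strings(1)-style
triage of a suspected worm binary. It re-creates the step wink describes,
pulling printable runs out of the binary and picking out the IPv4 address,
the target banner strings and the embedded shell fragments. SAMPLE_BINARY is
a constructed stand-in that embeds only the strings quoted in the thread,
padded with junk bytes; it is not the real worm."""
import re
import sys
from typing import Dict, List

MIN_LEN = 4  # strings(1) default minimum run length

# Constructed test blob: header/junk bytes with the thread's strings embedded.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x09\x00\x00"                        # 'ELF' is < 4 chars, dropped
    b"FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)\x00\x01\x02"
    b"FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)\x00\xff\xfe"
    b"12.127.17.71\x00\x90\x90"
    b"rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;\x00"
    b'mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s\x00'
    b"ab\x00"                                                  # too short, dropped
)

IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
BANNER = re.compile(r"^FreeBSD [\d.]+ .*Apache/[\d.]+")    # "OS / httpd version" target list
SHELL_HINTS = ("rm -rf", "cat >", "mv ", "export ", "<<")   # fragments of a sh dropper
TMP_PATH = re.compile(r"/tmp/[\w.]+")                       # files the dropper writes or moves


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of >= min_len printable ASCII bytes, in file order."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def dropped_paths(shell_fragments: List[str]) -> List[str]:
    """/tmp paths named in the shell fragments, deduplicated, in order seen.
    These are the files an admin can pre-create and mark immutable."""
    seen: List[str] = []
    for frag in shell_fragments:
        for path in TMP_PATH.findall(frag):
            if path not in seen:
                seen.append(path)
    return seen


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Bucket the binary's strings into what an analyst wants to see first."""
    report: Dict[str, List[str]] = {
        "ipv4": [], "banner": [], "shell": [], "other": [], "drop_paths": []
    }
    for s in extract_strings(blob):
        ips = IPV4.findall(s)          # only non-capturing groups, so full matches
        for ip in ips:
            if ip not in report["ipv4"]:
                report["ipv4"].append(ip)
        if BANNER.match(s):
            report["banner"].append(s)
        elif any(hint in s for hint in SHELL_HINTS):
            report["shell"].append(s)
        elif not ips:
            report["other"].append(s)
    report["drop_paths"] = dropped_paths(report["shell"])
    return report


if __name__ == "__main__":
    # Usage: python3 triage.py [binary]; with no argument it runs on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for bucket, items in triage(data).items():
        print(f"{bucket}:")
        for item in items:
            print(f"    {item}")
```

The drop_paths list is what one would pre-create and pin, which is the inoculation wink describes: on FreeBSD, touch the files as root and set chflags schg on them; with kern.securelevel at 1 or higher the flag cannot be cleared again without lowering securelevel, which takes a reboot. Two caveats: strings output is triage, not proof of behaviour, so an address pulled from the binary (here one whose reverse lookup is a resolver hostname) should be checked against what the code actually does with it before it is treated as a command-and-control host; and a dropper that ignores write failures will still run whatever else it carries, so pinning files blocks only the stage that depends on them.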