From owner-freebsd-security Fri Jun 28 14:08:42 2002
From: "Clemens, Dan"
To: wink, Domas Mituzas, freebsd-security@freebsd.org
Cc: bugtraq@securityfocus.com
Subject: RE: Apache worm in the wild
Date: Fri, 28 Jun 2002 16:07:17 -0500
Message-ID: <414492630AD3F845BD87926E57A7BBE83B07F8@hs01ms11.healthsouth.insidehrc.com>

Just out of curiosity did this worm try to attack port 443 and 80 or just 80?

Simply,

Daniel Uriah Clemens
  HealthSouth Corp.
  205.969.4781
  877.806.8928
  alert@us.healthsouth.com
[Ebiz|System Administrator|Packet-Ninja]

-----Original Message-----
From: wink [mailto:wink@deceit.org]
Sent: Friday, June 28, 2002 1:10 PM
To: Domas Mituzas; freebsd-security@freebsd.org
Cc: bugtraq@securityfocus.com; os_bsd@konferencijos.lt
Subject: Re: Apache worm in the wild

Running strings on the binary amongst other things produces an IP address
(12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also:

FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)

I went ahead and touch'ed .a, .uua, and .log in /tmp and used chflags to set them
immutable, as I didn't see any real error handling on failed I/O operations.
Some other strings not mentioned yet are:

rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;
mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s

That's all I have time for at the moment.

Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please notify me immediately by replying to this message and deleting it from your computer. Thank you.
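The two defender-side steps in wink's reply, turned into a script. This is an added example and not code from the list thread: it (1) scans a strings(1) dump for the indicators wink reported (the /tmp drop paths, the PATH override and the hard-coded address) and (2) pre-creates /tmp/.a, /tmp/.uua and /tmp/.log as immutable files so the dropper's unchecked writes fail. The strings dump is constructed here from the lines quoted in the post; chflags schg is what wink used on FreeBSD, and chattr +i is assumed to be the Linux equivalent. Setting either flag requires root; the script reports rather than fails when that is not the case.

```sh
#!/bin/sh
# Added example, not from the list post. Builds on the strings wink
# reported: a small indicator scan plus the immutable-file mitigation.

# Indicators taken from the post: drop paths, the PATH override and the
# address found in the binary with strings(1).
WORM_INDICATORS='/tmp/.a
/tmp/.uua
/tmp/init
export PATH="/tmp"
12.127.17.71'

# scan_strings FILE: count how many of the indicators occur anywhere in a
# strings dump. Prints the count; a caller treats anything above 0 as a hit.
scan_strings() {
    hits=0
    while IFS= read -r ioc; do
        [ -n "$ioc" ] || continue
        if grep -qF -- "$ioc" "$1"; then
            hits=$((hits + 1))
        fi
    done <<EOF
$WORM_INDICATORS
EOF
    echo "$hits"
}

# Constructed sample of a strings dump for the binary wink describes,
# assembled from the lines quoted in the post. Prints the temp file path.
make_sample_dump() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)
rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;
mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s
12.127.17.71
EOF
    echo "$f"
}

# Constructed dump of an unrelated binary, to show the scan does not fire
# on ordinary linker and compiler strings.
make_benign_dump() {
    f=$(mktemp) || return 1
    printf '%s\n' '/usr/libexec/ld-elf.so.1' 'GCC: (GNU) 2.95.3' > "$f"
    echo "$f"
}

# block_drop_files [DIR]: wink's mitigation. Create the three files the
# dropper writes, make them unwritable, then mark them immutable with
# chflags schg (FreeBSD) or chattr +i (assumed Linux equivalent). Existing
# files are left alone, since they may already belong to the worm and
# should be preserved for analysis. Prints the number of files created.
block_drop_files() {
    dir="${1:-/tmp}"
    n=0
    for name in .a .uua .log; do
        path="$dir/$name"
        if [ -e "$path" ]; then
            echo "exists, not touching: $path" >&2
            continue
        fi
        : > "$path" && chmod 000 "$path" && n=$((n + 1))
        if command -v chflags >/dev/null 2>&1; then
            chflags schg "$path" 2>/dev/null || echo "chflags schg failed (need root?): $path" >&2
        elif command -v chattr >/dev/null 2>&1; then
            chattr +i "$path" 2>/dev/null || echo "chattr +i failed (need root?): $path" >&2
        else
            echo "no immutable-flag tool found; $path is only mode 000" >&2
        fi
    done
    echo "$n"
}

# Run with --demo to scan the constructed dump and block the drop files in
# a scratch directory instead of the real /tmp.
if [ "${1:-}" = "--demo" ]; then
    dump=$(make_sample_dump)
    echo "indicators matched in sample dump: $(scan_strings "$dump")"
    scratch=$(mktemp -d)
    echo "drop files created in $scratch: $(block_drop_files "$scratch")"
fi
```

On a real host the scan is run as `strings /path/to/suspect | tee dump.txt` followed by `scan_strings dump.txt`, and `block_drop_files` is run as root with no argument so it acts on /tmp. The refusal to touch an existing file is deliberate: if /tmp/.uua is already there, the box may already be infected and the file is evidence.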
