From: Domas Mituzas
Date: Sat, 29 Jun 2002 02:17:35 +0200 (EET)
To: Brett Glass
Cc: Jonas M Luster
Subject: Re: apache-worm.c
In-Reply-To: <4.3.2.7.2.20020628180253.038e7af0@localhost>
Message-ID: <20020629020911.Q91607-100000@axis.tdd.lt>
Sender: owner-freebsd-security@FreeBSD.ORG

Then we can see that the real worm is slightly modified, but still it's quite similar, so we can say it's the same origin. Anyway, not too much to fool about; we can obviously see some DDoS nature in it. But still, there may be more functionality.

Also, after some investigation on normal boxes I saw this worm-like activity starting since Jun 25. Is it the date of birth? Anyone seeing these lines?

[Fri Jun 28 21:31:51 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

Regards,
Domas Mituzas
MicroLink Data

midom@flock ~> make apache-worm 2>/dev/null
cc -O -pipe -march=pentiumpro apache-worm.c -o apache-worm
midom@flock ~> strings apache-worm | sort > a
midom@flock ~> strings .a | sort > b
--- b Sat Jun 29 02:11:44 2002 +++ a Sat Jun 29 02:11:54 2002 @@ -1,12 +1,18 @@ !"#&(+,-./0123456789=>?@ABCDPQ + / H +$FreeBSD: src/lib/csu/i386-elf/crti.S,v 1.6 2002/05/15 04:19:49 obrien Exp $ +$FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.5 2002/05/15 04:19:49 obrien Exp $ %c%s %d.%d.%d.%d %s [base 2] ... ,$s'1 +,[^_] +,[^_] ----DATA---- ----EMAILS---- ----FROM---- ----SUBJECT---- +-Enc .gov .hlp /bin @@ -21,11 +27,15 @@ /usr/libexec/ld-elf.so.1 12.127.17.71 127.0.0.1 -8$t -8/u -8/u -8/u -: u' +; u1 +;tiB +< v2 +<0.t +<[^_] +<[^_] +>F;u +>F;u +AAAA Accept-Charset: iso-8859-1,*,utf-8 Accept-Charset: iso-8859-1,*,utf-8 Accept-Encoding: gzip 
@@ -38,6 +48,8 @@ Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept: text/html, text/plain, text/sgml, */*;q=0.01 Apache +BBBB +CCCCf Cannot packet local networks Checksum for data failed Connection: Keep-Alive @@ -50,6 +62,7 @@ Dns flooding target Error communicating with website Error: %s +F;50 FreeBSD FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix) @@ -63,63 +76,37 @@ Host: %s Host: %s:80 Host: %s:80 -Host: Unknown Insufficient memory Invalid IP Invalid instance or socket +L[^_] Location MAIL FROM:<%s> Message-ID: <%x.%x.%x@aol.com> Mime-Version: 1.0 Operation Success Operation pending -POST / HTTP/1.1 +POST PPPP PPPP PQP1 PQSP -Ph $ -Ph ' -Ph B -Ph B -Ph J -Ph J -Ph+) -Ph:( -Ph>( -PhA' -PhA' -PhD' -PhD' -PhG' -PhG' -PhG( -PhJ' -PhW( -PhW) -Ph`$ -Phg' Phn/shh//bi -Phw) -Pj-j Port is in use QUIT RCPT TO:<%s> Return-Path: <%c%c%c%c%c%c%c@aol.com> -Rh5( -Rh5( -Rh=) -RjFh` SPP1 Sending packets to target Server: Set-Cookie Size must be less than or equal to 9216 Subject: %s +TTP/ Tcp flooding target Timed out while receiving data To: %s -Transfer-Encoding: chunked +Tran UNKNOWN-CHECKSUM-SUCCESSFUL Udp flooding target Unable to bind socket @@ -135,9 +122,22 @@ User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) XXXXX /tmp/.uua << __eof__; select sendto +sfer signal -sleep -snprintf socket -sprintf srand strcasecmp strchr strcmp strcpy strdup -strlen -strncmp strtok -time +t: U tolower usleep vsnprintf 
@@ -225,3 +216,4 @@ waitpid webmaster@mydomain.com write +|[^_]

On Fri, 28 Jun 2002, Brett Glass wrote:

> At 05:58 PM 6/28/2002, Jonas M Luster wrote:
>
> >This seems to be a different source than the one the binary was
> >compiled from. The binary uses a lynx version string while this one
> >uses User-Agent: Mozilla/4.75 [en] instead.
>
> Aha! Perhaps the worm's author was seeking to mislead Domas, and
> others, about what it did and how.
>
> --Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
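Review bot: the direction of the hunks needs stating before any conclusion is drawn from them: `--- b` is `strings .a | sort` (the captured binary) and `+++ a` is `strings apache-worm | sort` (the build from the posted source), so `-` lines are strings found only in the captured binary and `+` lines only in the local build. Read that way, `-POST / HTTP/1.1`, `-Transfer-Encoding: chunked` and `-Host: Unknown` beside the fragments `+POST`, `+ / H`, `+TTP/`, `+Tran`, `+sfer`, `+-Enc` and `+t: U` show the same request text in both files, stored whole in the captured binary and in four-byte pieces in the `-O -march=pentiumpro` build; that is the pattern an optimizing compiler leaves when it fills a local array with immediate stores, so these lines are not by themselves evidence of a source change, and the comparison would be fairer if both were built with the same flags (or the local one without `-O`). The lines that do point at a real difference are the library symbols only the captured binary references (`-sleep`, `-snprintf`, `-sprintf`, `-strlen`, `-strncmp`, `-time`) and the many `-Ph…` and `-Rh…` runs only it contains, which look like push-immediate byte sequences (the shared `Phn/shh//bi` is the familiar `/bin/sh` push pair) and so suggest additional or differently laid-out embedded code; the two `+$FreeBSD: src/lib/csu/i386-elf/crti.S` and `crtn.S` ident strings only the local build carries identify the build machine's csu revision, not the worm, and should be discounted when judging common origin.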
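As an added example, not part of Domas's mail or of anything posted in the thread: a small POSIX shell function that answers the "anyone seeing these lines?" question on a server's own logs. It tallies the Apache 1.3 error_log entries of the form quoted in the mail ("client sent HTTP/1.1 request without hostname") per client IP, with first and last timestamp, so the onset date (Jun 25 in the mail) and the most active sources can be read off directly. The error_log layout is assumed to be the one of the quoted line; the sample log is constructed here, consisting of the quoted line plus lines using documentation-range addresses, and the function name `hostless_requests` is ours.

```shell
#!/bin/sh
# Added example: count Apache 1.3 "request without hostname" errors per
# client IP, with first/last time seen. Assumed error_log line layout:
#   [Fri Jun 28 21:31:51 2002] [error] [client 1.2.3.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

# Constructed sample log: the 213.154.128.145 line is the one quoted in the
# mail; 192.0.2.x and 198.51.100.x are documentation ranges, not real hosts.
SAMPLE_LOG=$(cat <<'EOF'
[Tue Jun 25 03:12:07 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Tue Jun 25 03:12:09 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Jun 26 11:40:00 2002] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data/favicon.ico
[Fri Jun 28 21:31:51 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Jun 28 21:32:02 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
EOF
)

# hostless_requests [FILE]
# Reads FILE (or stdin when no argument is given) and prints one line per
# client IP, busiest first:  ip|count|first timestamp|last timestamp
# Only the hostname-less request errors are counted; other lines are ignored.
hostless_requests() {
    awk '
        /client sent HTTP\/1\.1 request without hostname/ {
            # timestamp is the text inside the leading [...]
            ts = substr($0, 2, index($0, "]") - 2)
            # client address follows "[client " and runs up to the next "]"
            n  = index($0, "[client ")
            ip = substr($0, n + 8)
            ip = substr(ip, 1, index(ip, "]") - 1)
            count[ip]++
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
        }
        END {
            for (ip in count)
                printf "%s|%d|%s|%s\n", ip, count[ip], first[ip], last[ip]
        }
    ' "${1:--}" | sort -t '|' -k2,2nr
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | hostless_requests
```

Against a live box the call is simply `hostless_requests /var/log/httpd-error.log` (adjust the path to where your Apache writes its error_log). Because Apache logs this error for any request lacking a Host header, legitimate HTTP/1.0-style clients can appear too; what singles out the activity described in the mail is many such lines from one source in a short window, which the count and the first/last timestamps expose.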