Date: Sun, 7 Jul 2002 23:27:07 +0200 (CEST)
From: Thorsten Schroeder <ths@katjusha.de>
To: freebsd-security@FreeBSD.ORG
Subject: fbsd Apache Worm / ddos
Message-ID: <Pine.BSF.4.44.0207072323320.18306-100000@ths.so36.NET>
Hi,

we have had a "nice" DoS. Today three of our Apache webservers were compromised using the vulnerability found in the chunked encoding implementation of Apache 1.3.24 and 2.0.36 and below. See CERT Advisory CA-2002-17 on http://www.cert.org

I noticed increasing traffic until no bandwidth was available. I tried to reconstruct/analyse this, but it's totally unclear why this degenerates into a (distributed?) denial of service against one of our (compromised) servers.

Please read http://dammit.lt/apache-worm/apache-worm.c and http://www.freebsd.org/cgi/getmsg.cgi?fetch=34552+54852+/usr/local/www/db/text/2002/freebsd-security/20020707.freebsd-security for a worm analysis.

The compromised system is a 4.5-STABLE (FreeBSD 4.5-STABLE #0) running Apache 1.3.22 (vulnerable).

The Apache logfile shows:

[Sun Jul 7 13:47:19 2002] [error] [client 66.146.1.28] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

dmesg output as it appears in /var/log/messages:

Jul 7 13:47:25 foobar /kernel: pid 22639 (httpd), uid 80: exited on signal 11

On another Apache server (also compromised) I have found the following output in /var/log/messages:

Jul 7 05:58:27 foobar /kernel: pid 25863 (.a), uid 65534: exited on signal 10

In the /tmp directories are the binary of the worm and its uuencoded binary:

-rwxr-xr-x  1 nobody  wheel  51594 Jul  7 13:47 .a
-rw-r--r--  1 nobody  wheel  71105 Jul  7 13:47 .uua

As described in David Endler's "Apache Worm Analysis", the exploit does something like

/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;

What I don't understand is the UDP flood after the exploitation. Thousands of different (spoofed) IP addresses as source for UDP packets from port 2001 to the compromised system's port 2001.
I captured some and they look like this:

16:18:14.616723 213.131.0.14.2001 > 212.xx.xxx.xx.2001: udp 40 [tos 0x20]
                         4520 0044 adfc 0000 2e11 3f98 d583 000e
                         d454 f50e 07d1 07d1 0030 e7f5 2600 0000
                         893a f36d 2800 0000 aea5 76b2 0500 0000
                         0000 0000 7400 0000 0000 0000 0000 0000
                         0000 0000
16:18:14.619078 209.81.10.51.2001 > 212.xx.xxx.xx.2001: udp 44
                         4500 0048 77c7 0000 2a11 73f6 d151 0a33
                         d454 f50e 07d1 07d1 0034 22fc 2600 0000
                         ea36 e44d 2c00 0000 f9cd bf8a 0500 0000
                         0000 0000 7100 0000 0000 0000 0400 0000
                         0000 0000 d30f 0112
16:18:14.620712 210.224.161.37.2001 > 212.xx.xxx.xx.2001: udp 40
                         4500 0044 00e9 0000 2611 5657 d2e0 a125
                         d454 f50e 07d1 07d1 0030 19c6 2600 0000
                         b44f 0566 2800 0000 e9e5 2e20 0500 0000
                         0000 0000 7400 0000 0000 0000 0000 0000
                         0000 0000
16:18:14.622291 211.167.73.219.2001 > 212.xx.xxx.xx.2001: udp 44
                         4500 0048 ff8e 0000 2611 ae30 d3a7 49db
                         d454 f50e 07d1 07d1 0034 47d6 2600 0000
                         e846 4748 2c00 0000 4168 1e56 0500 0000
                         0000 0000 7100 0000 0000 0000 0400 0000
                         0000 0000 42d8 2301
16:18:14.623932 217.151.0.38.2001 > 212.xx.xxx.xx.2001: udp 44
                         4500 0048 1611 0000 3611 cb73 d997 0026
                         d454 f50e 07d1 07d1 0034 5d0b 2600 0000
                         61fa bb4a 2c00 0000 5eca 47e2 0500 0000
                         0000 0000 7100 0000 0000 0000 0400 0000
                         0000 0000 4373 1c52
16:18:14.625493 209.251.2.5.2001 > 212.xx.xxx.xx.2001: udp 40
                         4500 0044 038d 0000 3011 e9b8 d1fb 0205
                         d454 f50e 07d1 07d1 0030 e1ab 2600 0000
                         df1c b03c 2800 0000 96ea 8397 0500 0000
                         0000 0000 7400 0000 0000 0000 0000 0000
                         0000 0000

Notice: there were so many UDP packets coming in, eating all of the bandwidth.

Many people are talking about the "sloppy fashion" in which the worm was coded, and that it is quite "harmless" because "it causes no damage"... What about the UDP flood? Can anyone explain that?

The flooding went on for 3 hours until the routes to the IP addresses were dropped.

This is just FYI ... and if anyone has a clue about the flood... please contact me or discuss it on this list.
Thanks & regards,
Thorsten Schroeder

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
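Editor's addition, not part of the post and not code from apache-worm.c: a small Python decoder for the six packet dumps quoted in the mail above. It reads the tcpdump -x hex, parses the IPv4 and UDP headers, verifies the IP header checksum (a spoofed source does not make a packet malformed), and splits the 40/44-byte UDP payload into little-endian 32-bit words so the fields the six captures have in common can be compared mechanically instead of by eye. The hex strings are copied from the post; the destination is masked in the output the same way the post masks it. `FIXED_LEN`, `Packet`, `decode`, `consistency` and the word-position labels are this example's own names and observations about these six packets only, not structure or command names from the worm source.

```python
"""Decode the six UDP 2001 -> 2001 packets quoted in the post (tcpdump -x hex).
Added example; the hex is copied from the mail, the labels are observations
about these six captures and are not taken from apache-worm.c."""
import struct
from dataclasses import dataclass
from typing import Dict, List

CAPTURES = [  # tcpdump -x output from the post, one string per packet
    "4520 0044 adfc 0000 2e11 3f98 d583 000e d454 f50e 07d1 07d1 0030 e7f5"
    " 2600 0000 893a f36d 2800 0000 aea5 76b2 0500 0000 0000 0000 7400 0000"
    " 0000 0000 0000 0000 0000 0000",
    "4500 0048 77c7 0000 2a11 73f6 d151 0a33 d454 f50e 07d1 07d1 0034 22fc"
    " 2600 0000 ea36 e44d 2c00 0000 f9cd bf8a 0500 0000 0000 0000 7100 0000"
    " 0000 0000 0400 0000 0000 0000 d30f 0112",
    "4500 0044 00e9 0000 2611 5657 d2e0 a125 d454 f50e 07d1 07d1 0030 19c6"
    " 2600 0000 b44f 0566 2800 0000 e9e5 2e20 0500 0000 0000 0000 7400 0000"
    " 0000 0000 0000 0000 0000 0000",
    "4500 0048 ff8e 0000 2611 ae30 d3a7 49db d454 f50e 07d1 07d1 0034 47d6"
    " 2600 0000 e846 4748 2c00 0000 4168 1e56 0500 0000 0000 0000 7100 0000"
    " 0000 0000 0400 0000 0000 0000 42d8 2301",
    "4500 0048 1611 0000 3611 cb73 d997 0026 d454 f50e 07d1 07d1 0034 5d0b"
    " 2600 0000 61fa bb4a 2c00 0000 5eca 47e2 0500 0000 0000 0000 7100 0000"
    " 0000 0000 0400 0000 0000 0000 4373 1c52",
    "4500 0044 038d 0000 3011 e9b8 d1fb 0205 d454 f50e 07d1 07d1 0030 e1ab"
    " 2600 0000 df1c b03c 2800 0000 96ea 8397 0500 0000 0000 0000 7400 0000"
    " 0000 0000 0000 0000 0000 0000",
]

FIXED_LEN = 40  # shortest payload in the capture (my label); bytes past it are the "trailer"


@dataclass
class Packet:
    src: str
    dst_masked: str       # destination masked the way the post does it
    tos: int
    ttl: int
    ip_checksum_ok: bool
    sport: int
    dport: int
    payload: bytes
    words: List[int]      # payload as little-endian 32-bit words (the worm is an x86 binary)
    trailer: bytes        # payload bytes beyond FIXED_LEN


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's complement sum; a valid IP header sums to 0xffff."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total


def decode(dump: str) -> Packet:
    """Parse one tcpdump -x hex dump into IPv4/UDP header fields plus payload words."""
    raw = bytes.fromhex("".join(dump.split()))
    (ver_ihl, tos, total_len, _ip_id, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0f) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len != len(raw):
        raise ValueError("not one complete IPv4 datagram")
    if proto != 17:
        raise ValueError("not UDP")
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + ulen]
    if len(payload) != ulen - 8:
        raise ValueError("UDP length field disagrees with captured bytes")
    nwords = len(payload) // 4
    words = list(struct.unpack("<%dI" % nwords, payload[:nwords * 4]))
    return Packet(
        src=".".join(map(str, src)),
        dst_masked="%d.xx.xxx.xx" % dst[0],
        tos=tos, ttl=ttl,
        ip_checksum_ok=ones_complement_sum(raw[:ihl]) == 0xffff,
        sport=sport, dport=dport, payload=payload, words=words,
        trailer=payload[FIXED_LEN:],
    )


def consistency(p: Packet) -> Dict[str, bool]:
    """Properties all six captured packets happen to share (observed, not specified)."""
    return {
        "word0_is_0x26": p.words[0] == 0x26,
        "word2_is_payload_len": p.words[2] == len(p.payload),
        "word4_is_5": p.words[4] == 5,
        "word8_is_trailer_len": p.words[8] == len(p.trailer),
        "ports_2001_to_2001": (p.sport, p.dport) == (2001, 2001),
        "ip_checksum_ok": p.ip_checksum_ok,
    }


if __name__ == "__main__":
    for p in map(decode, CAPTURES):
        print(p.src, "->", p.dst_masked, "ttl", p.ttl, "len", len(p.payload),
              "word6", hex(p.words[6]), "trailer", p.trailer.hex(),
              "consistent", all(consistency(p).values()))
```

Run it and all six rows come out consistent: every payload starts with 0x26, its third word equals the payload length, the seventh word is 0x74 in the 40-byte packets and 0x71 in the 44-byte ones, and the ninth word equals the number of trailing bytes (0 or 4). Which of those words is a message type and which a session or checksum field the post does not say, so the decoder only names positions; the meaning would have to be read out of apache-worm.c.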