Date:      Sun, 23 Jun 2002 15:23:21 +0200
From:      Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To:        "jps@funeralexchange.com" <jps@funeralexchange.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Apache FreeBSD exploit released
Message-ID:  <20020623152321.17da5967.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>
References:  <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>

On Sat, 22 Jun 2002 17:48:08 -0500 (CDT)
"jps@funeralexchange.com" <jps@funeralexchange.com> wrote:

> The only way to trace the attacker i have found so far is to do a
> netstat during the attack and you will see the requests coming in on the
> requested port (80 by default).
> Anyone know of any ports or tools i could use on my servers to watch out
> for something like this?

A network IDS capable of detecting the attack will show you where it comes
from. If you happen to run some sort of NIDS:

- snort rules for the attack are available from
http://www.snort.org/article.html?id=108 . They are based on detecting
"Transfer-Encoding: chunked" header, so make sure they will not trigger
when your server _sends_ this header (that means you should have
$EXTERNAL_NET and $HTTP_SERVERS set correctly). The exploit is based on
using this encoding scheme in an HTTP request sent _to_ the server, which is
normally not done. The rule is relatively simple, so there should be no
problem with writing it in any other format.

- NIDS with (polymorphic) shellcode detection should detect it. I tested
that with the shellcode detector in Prelude yesterday, and it was detecting
the attack. I guess other IDS products having similar capabilities should
work fine as well, but I wasn't able to test.

Regardless of the detection method, I was getting a flood of alerts when
firing the exploit, so it should be hard to miss.

-- 
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//		-- Stanislaw Lem
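The direction check the post insists on (alert on "Transfer-Encoding: chunked" only in requests going from $EXTERNAL_NET to $HTTP_SERVERS, never when your own server sends it) is shown here as a small Python detector. This is an added example, not code from the poster, the snort rule or Prelude; the server range, ports and sample flows are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the snort variables the post says must be set correctly.
HTTP_SERVERS = [ip_network("192.0.2.0/24")]   # constructed: our web servers
HTTP_PORTS = {80}

# An HTTP request line: METHOD SP target SP HTTP/1.x. A response starts with "HTTP/".
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

def _in_servers(ip):
    addr = ip_address(ip)
    return any(addr in net for net in HTTP_SERVERS)

def is_chunked_request(payload):
    """True only for an HTTP *request* whose headers carry Transfer-Encoding: chunked.
    A chunked *response* never matches, since its first line is not a request line."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # Header names are case-insensitive; the value may list several codings.
        if sep and name.strip().lower() == b"transfer-encoding" and b"chunked" in value.lower():
            return True
    return False

def alert_for(src_ip, src_port, dst_ip, dst_port, payload):
    """Mirror the rule direction ($EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS);
    return an alert string or None."""
    if _in_servers(src_ip) or not _in_servers(dst_ip) or dst_port not in HTTP_PORTS:
        return None   # wrong direction, e.g. our own server sending a chunked reply
    if is_chunked_request(payload):
        return f"chunked request {src_ip}:{src_port} -> {dst_ip}:{dst_port}"
    return None

# Constructed sample flows: a chunked request to our server (alerts), the server's own
# chunked reply (must not alert), and an ordinary GET (must not alert).
SAMPLES = [
    ("203.0.113.5", 40001, "192.0.2.10", 80,
     b"POST / HTTP/1.1\r\nHost: www\r\ntransfer-encoding: chunked\r\n\r\n"),
    ("192.0.2.10", 80, "203.0.113.5", 40001,
     b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"),
    ("203.0.113.5", 40002, "192.0.2.10", 80,
     b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
]

def run_samples():
    return [alert_for(*flow) for flow in SAMPLES]
```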



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020623152321.17da5967.kzaraska>