From owner-freebsd-security Sun Jun 23 6:23:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id C3CB337B403 for ; Sun, 23 Jun 2002 06:23:09 -0700 (PDT)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with SMTP id 4211F1E3D; Sun, 23 Jun 2002 13:23:07 +0000 (GMT)
Date: Sun, 23 Jun 2002 15:23:21 +0200
From: Krzysztof Zaraska
To: "jps@funeralexchange.com"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache FreeBSD exploit released
Message-Id: <20020623152321.17da5967.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>
References: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>
X-Mailer: Sylpheed version 0.7.3 (GTK+ 1.2.10; i386-redhat-linux)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 22 Jun 2002 17:48:08 -0500 (CDT) "jps@funeralexchange.com" wrote:

> The only way to trace the attacker I have found so far is to do a
> netstat during the attack and you will see the requests coming in on the
> requested port (80 by default).
> Anyone know of any ports or tools I could use on my servers to watch out
> for something like this?

A network IDS capable of detecting the attack will show you where it comes from. If you happen to run some sort of NIDS:

- Snort rules for the attack are available from http://www.snort.org/article.html?id=108 . They are based on detecting the "Transfer-Encoding: chunked" header, so make sure they will not trigger when your server _sends_ this header (that means you should have $EXTERNAL_NET and $HTTP_SERVERS set correctly). The exploit is based on using this encoding scheme in an HTTP request sent _to_ the server, which is normally not used. The rule is relatively simple, so there should be no problem with writing it in any other format.

- A NIDS with (polymorphic) shellcode detection should detect it. I tested that with the shellcode detector in Prelude yesterday; it was detecting the attack. I guess other IDS products having similar capabilities should work fine as well, but I wasn't able to test.

Regardless of the detection method, I was getting a flood of alerts when firing the exploit, so it should be hard to miss.

-- 
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//   -- Stanislaw Lem
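The direction caveat from the reply (match "Transfer-Encoding: chunked" only in requests sent _to_ your HTTP servers, never in the responses they send), as an added example that is not part of the original post or of the Snort rules it links. The network variables, the sample traffic and all addresses are constructed stand-ins for $HOME_NET, $HTTP_SERVERS and $HTTP_PORTS.

```python
import ipaddress
import re

# Constructed stand-ins for the Snort variables the post says must be set correctly.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # hosts we own; $EXTERNAL_NET is "not HOME_NET"
HTTP_SERVERS = {"192.0.2.10"}                      # our web server(s)
HTTP_PORTS = {80}

# Header match: only in the HTTP head (before the blank line), case-insensitive,
# so a body that merely contains the string does not fire.
CHUNKED_RE = re.compile(rb"^Transfer-Encoding:[ \t]*chunked\b", re.IGNORECASE | re.MULTILINE)

def has_chunked_header(payload: bytes) -> bool:
    """True if the HTTP head carries a Transfer-Encoding: chunked header."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    return CHUNKED_RE.search(head) is not None

def is_to_server(src: str, dst: str, dport: int) -> bool:
    """Direction check equivalent to '$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS'."""
    return (ipaddress.ip_address(src) not in HOME_NET
            and dst in HTTP_SERVERS and dport in HTTP_PORTS)

def naive_alerts(packets):
    """Misconfigured rule: no direction, so it also fires on the server's own chunked replies."""
    return [p["id"] for p in packets if has_chunked_header(p["payload"])]

def directional_alerts(packets):
    """Rule scoped to client->server traffic, as the post recommends."""
    return [p["id"] for p in packets
            if is_to_server(p["src"], p["dst"], p["dport"]) and has_chunked_header(p["payload"])]

# Constructed sample traffic: an external client sending a chunked request (suspicious),
# the local server sending a perfectly normal chunked response, and a plain request.
SAMPLE = [
    {"id": "req-chunked", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 80,
     "payload": b"POST /index.html HTTP/1.1\r\nHost: www\r\ntransfer-encoding: CHUNKED\r\n\r\n..."},
    {"id": "resp-chunked", "src": "192.0.2.10", "dst": "203.0.113.5", "dport": 41234,
     "payload": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"},
    {"id": "req-plain", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"},
]

if __name__ == "__main__":
    print("naive:      ", naive_alerts(SAMPLE))        # fires on the response too
    print("directional:", directional_alerts(SAMPLE))  # only the inbound request
```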