From owner-freebsd-questions Mon Jul 1 10:46:31 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7D4CF37B401 for ; Mon, 1 Jul 2002 10:46:29 -0700 (PDT)
Received: from web13307.mail.yahoo.com (web13307.mail.yahoo.com [216.136.175.43]) by mx1.FreeBSD.org (Postfix) with SMTP id 34DA543E0A for ; Mon, 1 Jul 2002 10:46:29 -0700 (PDT) (envelope-from sumirati@yahoo.de)
Message-ID: <20020701174629.56209.qmail@web13307.mail.yahoo.com>
Received: from [193.174.9.34] by web13307.mail.yahoo.com via HTTP; Mon, 01 Jul 2002 19:46:29 CEST
Date: Mon, 1 Jul 2002 19:46:29 +0200 (CEST)
From: m p
Subject: RE: Apache Worm Comments???
To: bjm1287@ritvax.isc.rit.edu
Cc: questions@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> Does anyone know how you can tell if you have the worm or not? Also,
> will simply uninstalling and re-installing Apache clean the worm? I
> assume it would...but I'm curious what others think.
>
> --Brian

Hi Brian,

please take a look at the mailing list archives for bugtraq (at http://www.securityfocus.com) and the freebsd-security mailing list archives. There you will find a binary (Version 1 of the worm it seems) and the source (for Version 2.0 it seems). The source seems to be a bit more advanced. The discussion of the source and the binary lasted the whole weekend.

No, uninstalling and re-installing will _not_ clean the worm. From what the people looking at the binary and the source said, the worm will put itself in /tmp/.a - that is hard-coded in the source. So check there and delete.

For all worms/trojans/root-kits/virii there is the old sentence: IF someone had root access to your machine - DON'T trust ANY binary. Backup your data, install a fresh, new version of your OS, apply the security patches and restore your configuration and data. That is the only way (if you don't have something like tripwire running in an environment where YOU absolutely trust it - I don't).

Hope that clarifies the issue a little bit.

Marc
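The reply above makes two points a defender can act on: look for the hard-coded /tmp/.a drop path, and, more generally, stop trusting installed binaries once root may have been compromised unless an integrity baseline taken from a trusted state (tripwire-style) says otherwise. The POSIX shell script below is an added example and is not part of the original thread or of any FreeBSD or tripwire code. It builds a SHA-256 baseline of a directory, reports files that later change or disappear, and checks whether the drop path exists. The function names, the baseline file format and the demo tree are constructed for illustration; the script assumes one of `sha256sum`, `sha256` or `shasum` is on the path.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal file-integrity
# baseline in the spirit of the tripwire advice, plus a check for the
# hard-coded /tmp/.a path the reply mentions. The baseline only means
# something if it was taken from a known-good system and is stored on
# media the attacker cannot write to (read-only mount, offline copy).

# Use whatever SHA-256 tool the host provides (GNU coreutils, FreeBSD
# base system, or perl's shasum). Prints just the hex digest.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record one "digest  path" line per regular file under $1 into $2.
# Paths containing whitespace are not handled by this toy format.
make_baseline() {
    dir=$1; out=$2
    find "$dir" -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$out"
}

# Compare the live tree against a stored baseline. Prints one line per
# changed or missing file; returns 0 when nothing differs, 1 otherwise.
check_baseline() {
    baseline=$1; rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED  $path"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# The drop path the reply says is hard-coded in the worm source.
# Returns 1 (indicator present) if the path exists, 0 otherwise. A hit is
# only an indicator, and an absent file proves nothing about the host.
check_indicator() {
    [ -e "${1:-/tmp/.a}" ] && return 1
    return 0
}

# Self-contained demonstration on a constructed temporary tree: baseline
# two fake binaries, then tamper with one and delete the other. Returns 1
# because the check is expected to find both deviations.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'original\n' > "$tmp/bin/httpd"
    printf 'helper\n'   > "$tmp/bin/tool"
    make_baseline "$tmp/bin" "$tmp/baseline.txt"
    printf 'tampered\n' > "$tmp/bin/httpd"
    rm "$tmp/bin/tool"
    if check_baseline "$tmp/baseline.txt"; then status=0; else status=1; fi
    rm -rf "$tmp"
    return $status
}

demo
```

In real use the baseline would be taken right after a clean install and patching, as the reply recommends, and kept where a root-level intruder cannot rewrite it; a baseline that lives on the same disk as the binaries it describes can be regenerated by whoever replaced them.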