Date:      Sat, 29 Jun 2002 13:21:08 -0400
From:      "charles woolverton" <charles.woolverton@tastik.net>
To:        <freebsd-doc@FreeBSD.ORG>
Subject:   NEW FBSD Virus - Effects Apache Server Chunk encoding - ALERT
Message-ID:  <000801c21f91$5bdcc830$050da8c0@hustla>

Team FBSD


I did not see an advisory on your site, but as of June 16, 2002, there
was an "Apache HTTP Server chunk encoding stack overflow" discovered.  I
have not been able to find this on Apache's website either.  However,
there have been several reports to securityfocus.org about Apache chunk
encoding issues.

It appears that a new Worm has been identified by the Symantec staff
that targets FreeBSD systems via this Apache exploitable issue.

Please see: Symantec's 'FreeBSD.Scalper.Worm' advisory - 06/28/2002
http://securityresponse.symantec.com/avcenter/security/Content/2049.html

Please see: Symantec's Apache HTTP Server chunk encoding stack overflow
advisory 06/17/2002
http://securityresponse.symantec.com/avcenter/security/Content/2049.html

Please see: Securityfocus advisories- 06/17/2002 - 06/28/2002
    CA-2002-17
http://online.securityfocus.com/advisories/4210
    20020605-01-A
http://online.securityfocus.com/advisories/4212
    CLA-2002:498
http://online.securityfocus.com/advisories/4226
    apache-worm.c - Supposedly the source code is available here
http://online.securityfocus.com/archive/1/279633/2002-06-26/2002-07-02/0
    Apache worm in the wild post
http://online.securityfocus.com/archive/1/279529/2002-06-26/2002-07-02/0
    CAN-2002-0392 - Apache Chunked-Encoding Corruption Vulnerability
http://online.securityfocus.com/bid/5033
    Apache goes berserk - May be related (What you may receive if being
attacked)
http://online.securityfocus.com/archive/75/279373

I don't know if you put many security alerts on your site, however I'd
ask that you do place this one on.  At my company we have been
encouraging our larger Managed Hosting customers to use FreeBSD.
However, being that most people that are / may be familiar with any nix
flavor don't use Symantec's website, and it's sad to say "Don't keep up
with security alerts", I would suggest putting something on the
frontpage of FreeBSD.org.  Especially after what happened many times
before with Windows and Nimda/variants.


Thank you,

Charles Woolverton
Tastik.net
charles.woolverton@tasik.net



