Date: Sat, 29 Jun 2002 13:21:08 -0400 From: "charles woolverton" <charles.woolverton@tastik.net> To: <freebsd-doc@FreeBSD.ORG> Subject: NEW FBSD Virus - Effects Apache Server Chunk encoding - ALERT Message-ID: <000801c21f91$5bdcc830$050da8c0@hustla>
next in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format. ------=_NextPart_000_0005_01C21F6F.D47D2F40 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Team FBSD I did not see an advisory on your site, but as of June 16, 2002, there = was an "Apache HTTP Server chunk encoding stack overflow" discovered. I = have not been able to find this on Apache's website either. However, = there has been sevreal reports to securityfocus.org about Apache chunk = encoding issues. It appears that a new Worm has been identified by the Symantec staff = that targets FreeBSD systems via this Apache exploitable issue. Please see: Symantec's 'FreeBSD.Scalper.Worm' advisory - 06/28/2002 http://securityresponse.symantec.com/avcenter/security/Content/2049.html Please see: Symantec's Apache HTTP Server chunk encoding stack overfow = advisory 06/17/2002 http://securityresponse.symantec.com/avcenter/security/Content/2049.html Please see: Securityfocus advisories- 06/17/2002 - 06/28/2002 CA-2002-17 http://online.securityfocus.com/advisories/4210 20020605-01-A http://online.securityfocus.com/advisories/4212 CLA-2002:498 http://online.securityfocus.com/advisories/4226 apache-worm.c - Supposedly the source code is available here http://online.securityfocus.com/archive/1/279633/2002-06-26/2002-07-02/0 Apache worm in the wild post http://online.securityfocus.com/archive/1/279529/2002-06-26/2002-07-02/0 CAN-2002-0392 - Apache Chunked-Encoding Corruption Vulnerability http://online.securityfocus.com/bid/5033 Apache goes berserk - May be related (What you may receive if being = attacked) http://online.securityfocus.com/archive/75/279373 I don't know if you put many security alerts on your site, however I'd = ask that you do place this one on. At my company we have been = encouraging our larger Managed Hosting customers to use FreeBSD. = However, being that most people that are / may be familiar with any nix = flavor don't use Symantec's website, and it's sad to say "Don't keep up = with security alerts", I would suggest putting something on the = frontpage of FreeBSD.org. Especially after what happened many times = before with Windows and Nimda/varients. Thank you, Charles Woolverton Tastik.net charles.woolverton@tasik.net ------=_NextPart_000_0005_01C21F6F.D47D2F40 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.2716.2200" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2>Team FBSD</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>I did not see an advisory on your site, = but as of=20 June 16, 2002, there was an "Apache HTTP Server chunk encoding stack = overflow"=20 discovered. I have not been able to find this on Apache's website=20 either. However, there has been sevreal reports to = securityfocus.org about=20 Apache chunk encoding issues.</FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2>It appears that a new Worm has been = identified by=20 the Symantec staff that targets FreeBSD systems via = this Apache=20 exploitable issue.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><STRONG>Please see: Symantec's=20 'FreeBSD.Scalper.Worm' advisory - 06/28/2002</STRONG></FONT></DIV> <DIV><A=20 href=3D"http://securityresponse.symantec.com/avcenter/security/Content/20= 49.html">http://securityresponse.symantec.com/avcenter/security/Content/2= 049.html</A><BR></DIV> <DIV><FONT face=3DArial size=3D2><STRONG>Please see: Symantec's Apache = HTTP Server=20 chunk encoding stack overfow advisory 06/17/2002</STRONG></FONT></DIV> <DIV><FONT face=3DArial size=3D2><A=20 href=3D"http://securityresponse.symantec.com/avcenter/security/Content/20= 49.html">http://securityresponse.symantec.com/avcenter/security/Content/2= 049.html</A></FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><STRONG>Please see: Securityfocus = a<SPAN=20 class=3Dbodytext><FONT face=3D"Times New Roman" size=3D3>dvisories- = 06/17/2002 -=20 06/28/2002</FONT></SPAN></STRONG></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN = class=3Dbodytext> =20 CA-2002-17</SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><A=20 href=3D"http://online.securityfocus.com/advisories/4210">http://online.se= curityfocus.com/advisories/4210</A></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN = class=3Dbodytext> =20 20020605-01-A</SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><A=20 href=3D"http://online.securityfocus.com/advisories/4212">http://online.se= curityfocus.com/advisories/4212</A></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN = class=3Dbodytext> =20 CLA-2002:498</SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><A=20 href=3D"http://online.securityfocus.com/advisories/4226">http://online.se= curityfocus.com/advisories/4226</A></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN = class=3Dbodytext> =20 apache-worm.c - Supposedly the source code is available = here</SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><A=20 href=3D"http://online.securityfocus.com/archive/1/279633/2002-06-26/2002-= 07-02/0">http://online.securityfocus.com/archive/1/279633/2002-06-26/2002= -07-02/0</A></SPAN></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN=20 class=3Dbodytext> Apache worm in the wild=20 post</SPAN></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><A=20 href=3D"http://online.securityfocus.com/archive/1/279529/2002-06-26/2002-= 07-02/0">http://online.securityfocus.com/archive/1/279529/2002-06-26/2002= -07-02/0</A></SPAN></SPAN></FONT></DIV> <DIV><FONT><SPAN class=3Dbodytext><SPAN class=3Dbodytext><FONT = size=3D2><FONT=20 face=3DArial> <SPAN class=3Dbodytext>CAN-2002-0392 -=20 </SPAN></FONT></FONT></SPAN></SPAN></FONT><FONT face=3DArial = size=3D2><SPAN=20 class=3Dbodytext><SPAN class=3Dbodytext><SPAN class=3Dbodytext>Apache = Chunked-Encoding=20 Corruption Vulnerability</SPAN></SPAN></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext><A=20 href=3D"http://online.securityfocus.com/bid/5033">http://online.securityf= ocus.com/bid/5033</A></SPAN></SPAN></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext> Apache goes berserk - May be related = (What you=20 may receive if being attacked)</SPAN></SPAN></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext><A=20 href=3D"http://online.securityfocus.com/archive/75/279373">http://online.= securityfocus.com/archive/75/279373</A></SPAN></SPAN></SPAN></FONT></DIV>= <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext></SPAN></SPAN></SPAN></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext>I don't know if you put many security alerts on your = site,=20 however I'd ask that you do place this one on. At my company we = have been=20 encouraging our larger Managed Hosting customers to use FreeBSD. = However,=20 being that most people that are / may be familiar with any nix flavor = don't use=20 Symantec's website, and it's sad to say "Don't keep up with security = alerts", I=20 would suggest putting something on the frontpage of FreeBSD.org. =20 Especially after what happened many times before with Windows and=20 Nimda/varients.</SPAN></SPAN></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext></SPAN></SPAN></SPAN></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext></SPAN></SPAN></SPAN></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext>Thank you,</SPAN></SPAN></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext></SPAN></SPAN></SPAN></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext>Charles Woolverton</SPAN></SPAN></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext>Tastik.net</SPAN></SPAN></SPAN></FONT></DIV> <DIV><FONT face=3DArial size=3D2><SPAN class=3Dbodytext><SPAN = class=3Dbodytext><SPAN=20 class=3Dbodytext><A=20 href=3D"mailto:charles.woolverton@tasik.net">charles.woolverton@tasik.net= </A></SPAN></SPAN></SPAN></FONT></DIV></BODY></HTML> ------=_NextPart_000_0005_01C21F6F.D47D2F40-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000801c21f91$5bdcc830$050da8c0>