Date: Sat, 29 Jun 2002 02:17:35 +0200 (EET)
From: Domas Mituzas <domas.mituzas@microlink.lt>
To: Brett Glass <brett@lariat.org>
Cc: Jonas M Luster <jluster@d-fensive.com>, <bugtraq@securityfocus.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: apache-worm.c
Message-ID: <20020629020911.Q91607-100000@axis.tdd.lt>
In-Reply-To: <4.3.2.7.2.20020628180253.038e7af0@localhost>
Then we can see that the real worm is slightly modified, but still, it's quite similar, so we can say it's the same origin. Anyway, not too much to fool about, we can obviously see some DDoS nature in it. But still, there may be more functionality.

Also, after some investigation on normal boxes I saw this worm-like activity starting since Jun 25. Is it the date of birth?

Anyone seeing these lines?

[Fri Jun 28 21:31:51 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

Regards,
Domas Mituzas
MicroLink Data

midom@flock ~> make apache-worm 2>/dev/null
cc -O -pipe -march=pentiumpro apache-worm.c -o apache-worm
midom@flock ~> strings apache-worm | sort > a
midom@flock ~> strings .a | sort > b
--- b Sat Jun 29 02:11:44 2002
+++ a Sat Jun 29 02:11:54 2002
@@ -1,12 +1,18 @@ !"#&(+,-./0123456789=>?@ABCDPQ + / H +$FreeBSD: src/lib/csu/i386-elf/crti.S,v 1.6 2002/05/15 04:19:49 obrien Exp $ +$FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.5 2002/05/15 04:19:49 obrien Exp $ %c%s %d.%d.%d.%d %s <base 1> [base 2] ... ,$s'1 +,[^_] +,[^_] ----DATA---- ----EMAILS---- ----FROM---- ----SUBJECT---- +-Enc .gov .hlp /bin @@ -21,11 +27,15 @@ /usr/libexec/ld-elf.so.1 12.127.17.71 127.0.0.1 -8$t -8/u -8/u -8/u -: u' +; u1 +;tiB +< v2 +<0.t +<[^_] +<[^_] +>F;u +>F;u +AAAA Accept-Charset: iso-8859-1,*,utf-8 Accept-Charset: iso-8859-1,*,utf-8 Accept-Encoding: gzip @@ -38,6 +48,8 @@ Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept: text/html, text/plain, text/sgml, */*;q=0.01 Apache +BBBB +CCCCf Cannot packet local networks Checksum for data failed Connection: Keep-Alive @@ -50,6 +62,7 @@ Dns flooding target Error communicating with website Error: %s +F;50 FreeBSD FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
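Review bot: the two `+$FreeBSD: src/lib/csu/i386-elf/crti.S`/`crtn.S` ident lines in the -1,12 hunk come from the C start-up files of the machine the source was rebuilt on, and the four-character entries `-8$t`, `-8/u`, `+;tiB`, `+>F;u`, `+,[^_]`, `+<[^_]` in the -21,11 hunk (and `+F;50` in the -50,6 hunk) are instruction bytes that happen to be printable, four being the default minimum run `strings` reports; none of them says anything about apache-worm.c, so they should be set aside before this diff is read as evidence that the source and the binary differ. Raising the threshold with `strings -n 5` on both sides would remove them, but it would also remove the genuine four-byte literal fragments `+ / H` and `+-Enc` in the first hunk, so filtering by hand is safer here.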
@@ -63,63 +76,37 @@ Host: %s Host: %s:80 Host: %s:80 -Host: Unknown Insufficient memory Invalid IP Invalid instance or socket +L[^_] Location MAIL FROM:<%s> Message-ID: <%x.%x.%x@aol.com> Mime-Version: 1.0 Operation Success Operation pending -POST / HTTP/1.1 +POST PPPP PPPP PQP1 PQSP -Ph $ -Ph ' -Ph B -Ph B -Ph J -Ph J -Ph+) -Ph:( -Ph>( -PhA' -PhA' -PhD' -PhD' -PhG' -PhG' -PhG( -PhJ' -PhW( -PhW) -Ph`$ -Phg' Phn/shh//bi -Phw) -Pj-j Port is in use QUIT RCPT TO:<%s> Return-Path: <%c%c%c%c%c%c%c@aol.com> -Rh5( -Rh5( -Rh=) -RjFh` SPP1 Sending packets to target Server: Set-Cookie Size must be less than or equal to 9216 Subject: %s +TTP/ Tcp flooding target Timed out while receiving data To: %s -Transfer-Encoding: chunked +Tran UNKNOWN-CHECKSUM-SUCCESSFUL Udp flooding target Unable to bind socket @@ -135,9 +122,22 @@ User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) XXXXX<Ot -\WVS +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] _DYNAMIC _GLOBAL_OFFSET_TABLE_ +_Jv_RegisterClasses __bss_start __deregister_frame_info __eof__ @@ -155,69 +155,60 @@ bcopy begin 655 .a bind -bzero -close connect ctime dup2 environ execl -exit fclose fcntl +feof +ferror fgetc fgets find / -type f fopen fork -fprintf +fputs fread free fseek ftell +g: c gethostbyname getpid hBLE*h*GOB hGGGG http:// +hunk inet_addr inet_ntoa -j0h` -j5h(( -jqh` -jqh` -libc.so.4 +libc.so.5 malloc memcpy memset mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s -open +nkno +odin pclose popen -printf -rand -read recv recvfrom remove rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; select sendto +sfer signal -sleep -snprintf socket -sprintf srand strcasecmp strchr strcmp strcpy strdup -strlen -strncmp strtok -time +t: U tolower usleep vsnprintf 
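Review bot: the `-POST / HTTP/1.1`, `-Transfer-Encoding: chunked` and `-Host: Unknown` entries in the -63,63 hunk do not show that the rebuilt binary lost the chunked POST request: the `+POST`, `+TTP/`, `+Tran`, `+sfer`, `+odin`, `+g: c`, `+hunk`, `+nkno` and `+t: U` entries here, together with `+ / H` and `+-Enc` in the first hunk, are exactly those three literals cut into four-byte pieces ("POST" " / H" "TTP/", "Tran" "sfer" "-Enc" "odin" "g: c" "hunk", "t: U" "nkno"), which is what a newer compiler emits when it fills a stack-local `char buf[] = "..."` with immediate stores instead of pointing at a copy in .rodata. The long run of `-Ph..` and `-Rh..` entries is likewise `push %eax`/`push %edx` followed by a `push $imm32` whose operand bytes are printable, and `-libc.so.4`/`+libc.so.5` in the -155,69 hunk shows the reference binary was linked on a FreeBSD 4.x system while the rebuild was done on 5.x, which is also where the thirteen `+[^_]` (`pop %ebx; pop %esi; pop %edi; pop %ebp` epilogue) entries and `+_Jv_RegisterClasses` in the -135,9 hunk come from. Only the import differences (`-bzero`, `-close`, `-exit`, `-fprintf`, `-printf`, `-rand`, `-read`, `-sleep`, `-snprintf`, `-sprintf`, `-strlen`, `-strncmp`, `-time` against `+feof`, `+ferror`, `+fputs`) could point at a real source difference, and `-fprintf`/`+fputs`, `-bzero` and `-strlen` are themselves typical built-in substitutions of a newer gcc; rebuilding on a 4.5 box with the same cc flags before diffing would leave only the entries that are actually worth arguing about.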
@@ -225,3 +216,4 @@ waitpid webmaster@mydomain.com write +|[^_]

On Fri, 28 Jun 2002, Brett Glass wrote:

> At 05:58 PM 6/28/2002, Jonas M Luster wrote:
>
> >This seems to be a different source than the one the binary was
> >compiled from. The binary uses a lynx version string while this one
> >uses User-Agent: Mozilla/4.75 [en] instead.
>
> Aha! Perhaps the worm's author was seeking to mislead Domas, and
> others, about what it did and how.
>
> --Brett
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
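The "anyone seeing these lines?" question above can be answered from a real error_log rather than by eye. The following is an added example, not code from the original post or from apache-worm.c: it parses Apache 1.3 error_log entries, keeps the ones carrying the "client sent HTTP/1.1 request without hostname" message that a Host-less HTTP/1.1 request produces, and summarises them per client address with first and last timestamp. The log lines embedded in it are constructed for the example (the first repeats the line quoted in the post); the function names are the example's own.

```python
import re

# Added example, not part of the original post: pull the Apache 1.3 error_log
# entries that a Host-less HTTP/1.1 request produces (the line Domas quotes)
# and summarise them per client address and time.

# Apache 1.3 error_log layout: "[date] [level] [client A.B.C.D] message".
ERROR_LINE = re.compile(
    r"^\[(?P<date>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$"
)

# Exact text Apache 1.3 logs when an HTTP/1.1 request carries no Host header.
NO_HOST_MSG = "client sent HTTP/1.1 request without hostname"

# Constructed sample input (not real log data): the first entry repeats the
# line quoted in the post, the rest are made up to exercise the filter.
SAMPLE_LOG = """\
[Fri Jun 28 21:31:51 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Jun 28 21:32:04 2002] [error] [client 10.0.0.7] File does not exist: /usr/local/www/data/favicon.ico
[Fri Jun 28 21:33:12 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Jun 28 21:40:00 2002] [error] [client 192.0.2.9] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Jun 28 21:41:30 2002] [notice] [client 10.0.0.7] unrelated notice, must be ignored
this line is not an error_log entry at all
"""


def parse_error_line(line):
    """Split one error_log line into date/level/ip/msg; None if it does not parse."""
    m = ERROR_LINE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def find_hostless_requests(log_text):
    """Return the parsed entries whose message is the 'request without hostname' error."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_error_line(line)
        if entry is not None and entry["msg"].startswith(NO_HOST_MSG):
            hits.append(entry)
    return hits


def summarise_by_client(hits):
    """Map client IP -> {"count", "first", "last"}; timestamps are the log's own, in file order."""
    summary = {}
    for entry in hits:
        s = summary.setdefault(entry["ip"], {"count": 0, "first": entry["date"], "last": entry["date"]})
        s["count"] += 1
        s["last"] = entry["date"]
    return summary


def report(log_text):
    """Human-readable table, most active client first."""
    summary = summarise_by_client(find_hostless_requests(log_text))
    lines = []
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"{ip:<16} {s['count']:>4}  first {s['first']}  last {s['last']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python hostless.py < /var/log/httpd-error.log
    # (falls back to the constructed sample when nothing is piped in)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(text))
```

Any HTTP/1.1 request without a Host header triggers this error, including some old clients and scanners, so the table lists candidates, not confirmed infections; a client that also shows up with POST requests to / in access_log around the same timestamps is the stronger signal.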