
[cobalt-security] Apache worm that uses the chunk vulnerability - in the wild



Sorry, don't normally cross post.... But...

Got this off my CISSP forum.... Oh boy.... Hope that mod stops it....

Rick Ewart

Someone else saw this on Bugtraq:

Domas Mituzas for Central systems @ MicroLink Data is reporting that his
honeypot systems trapped a new apache worm(+trojan) in the wild. It
traverses through the net, and installs itself on all vulnerable Apaches
it finds. No source code available yet, but he has put the binaries
into a public place and will be doing more investigations on this new
worm.

In a follow-up report Miguel Mendez reported that he had just run it
through dasm to get the assembler dump. The executable is not even
stripped, and makes an interesting read, as it gives lots of
information. It looks like it was either coded by someone with little
experience or in a hurry, and there are several system calls like this
one:
Possible reference to string:
"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x
/tmp/.a;killall -9 .a;/tmp/.a %s;exit;"

Check out Domas Mituzas's page on this discovery:
<http://dammit.lt/apache-worm/>

More information on the Apache bug can be found at
<http://www.cert.org/advisories/CA-2002-17.html>, and patches can
either be made by modifying your config file
(<http://www.securiteam.com/tools/5WP0M0U7FS.html>) or by upgrading your
Apache version (<http://www.apache.org/dyn/closer.cgi/httpd/>)."
 
 
Good luck to all that have not patched!!!
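
A host-side check for the two files and the process name that appear in the command string quoted above, as an added example that is not part of the original post or the worm analysis. The function names and the ROOT argument (empty for the live host, or the mount point of a disk image) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. The paths come from the quoted
# string: /tmp/.uua (uuencoded drop) and /tmp/.a (decoded, executed binary).
WORM_PATHS="/tmp/.uua /tmp/.a"

# Print one "FOUND <path> <mode> <owner> <size>" line per file present under
# ROOT (assumed argument: "" or "/" for the live host, else an image mount).
find_worm_files() {
    root="${1%/}"
    for p in $WORM_PATHS; do
        f="$root$p"
        # -e is false for a dangling symlink, so test -L as well
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf 'FOUND %s %s\n' "$p" \
                "$(ls -ld "$f" | awk '{print $1, $3, $5}')"
        fi
    done
}

# Print "PROC <pid>" for each running process whose command name is exactly
# ".a", the name the quoted string passes to killall. Live host only.
find_worm_procs() {
    ps -eo pid=,comm= 2>/dev/null | awk '$2 == ".a" {print "PROC", $1}'
}

# Echo the number of artifacts: files under ROOT, plus matching processes
# when ROOT is the live system.
count_worm_artifacts() {
    root="${1%/}"
    n=$(find_worm_files "$root" | wc -l)
    if [ -z "$root" ]; then
        n=$((n + $(find_worm_procs | wc -l)))
    fi
    echo $((n))
}

# Stand-alone use: report on the live host, or on the root given as $1.
find_worm_files "${1:-}"
[ -n "${1:-}" ] || find_worm_procs
```

No output means neither file nor process was found; it does not show that the host is patched against the chunk vulnerability.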