Slashdot Mirror


Apache Worm in the Wild

codewolf writes "It has been reported to bugtraq by Domas Mituzas that a worm that exploits the Apache chunk bug has been found in the wild. Information on the worm can be found here. More information on the Apache bug can be found here, and patches can be made either by modifying your config file or by upgrading your Apache version."

85 comments

  1. It was only a matter of time by Anonymous Coward · · Score: 0

    Upgrade to the latest version and you won't be affected.

  2. Lazy by Anonymous Coward · · Score: 0

    So it isn't just IIS Admins that are too lazy to fix major security holes then?

  3. I love Apache by PhysicsGenius · · Score: 1, Funny

    I use it on all my webservers at home. But for work I'm forced to use IIS and stories like this are the reason why. Slashdot, you aren't doing Apache any favors by publishing this kind of thing--it only makes Open Source software look bad. Please, keep it under your hat.

    1. Re:I love Apache by GeekWithGuns · · Score: 2, Informative

      Keeping things like this under your hat is exactly how worms get out of control. This hole was fixed 2 weeks ago; if you have not fixed your site by now, this is your final warning. If you know any other Apache admins, you should be a nice guy and send them an email to make sure that their site is fixed.

      When Micro$oft kept it quiet about those IIS vulnerabilities, many IIS installs went unpatched. (Ok, if you were a good admin you knew about them, but most sites do not have good admins) This by itself was not a problem, but then Nimda and Code Red hit. Tons of systems ripe for the picking!

      Any system will have bugs (some more than others, but that is not the point here) and a certain percentage of those bugs will be security vulnerabilities. No matter how hard you try to debug the system, there will be some security hole left to be discovered. The best action is to make sure that everybody who has that system running knows about the hole before it becomes a problem.

      --
      [End of diatribe. We now return you to your regularly scheduled programming...] - Larry Wall in Configure from the perl
    2. Re:I love Apache by Anonymous Coward · · Score: 0

      dude it was a joke

    3. Re:I love Apache by MadAhab · · Score: 2

      Very funny. 12000 IIS bugs last week, I STILL get code red probes every day. Off the top of your head, when was the last apache bug like this? BTW, things like this DO encourage people to upgrade. I had some suspicious signal 11s a couple months ago, and I bet that black hats have been playing around with these exploits for a while. Now fix your boxes, if you haven't already. Fixes have been available for a week already.

      --
      Expanding a vast wasteland since 1996.
    4. Re:I love Apache by Anonymous Coward · · Score: 0

      Yeah, and if this worm were hitting IIS, this would be total front page material on /. Frankly, I think this is precisely the kind of thing Slashdot ought to be publishing. If your goal is the best possible computing environment, you can't have any sacred cows.

    5. Re:I love Apache by A_Roche · · Score: 1

      Put it under your hat? That is exactly how worms get spread so bad! People don't release the information regarding fixes and admins don't do them. With /. posting the information, then more exposure is made regarding the fix. Geez, let's get a clue here! I admin both IIS and Apache sites, and this is actually the first notice I have seen regarding the fix. Too bad MS isn't more forthcoming with info regarding their problems!

      --


      We now return you to your regularly scheduled moment of insanity...
    6. Re:I love Apache by Anonymous Coward · · Score: 1, Insightful
      This looked like a flame on another site, until I read the "keep it under your hat" post here at /.!

      http://www.worldtechtribune.com/worldtechtribune/asparticles/buzz/bz07022002.asp

      "Finley Peter Dunne, a Chicago journalist in the early 20th Century, noted that a journalist was to comfort the afflicted and afflict the comfortable. To most journalists, Microsoft, with billions of dollars in the bank and millions of customers, is viewed as comfortable. Open source software, a development dogma steeped in European socialism with few success stories to its credit, is viewed as afflicted. This kind of pragmatism is nothing new to journalists: In the eyes of most elite tech media journalists, it's more 'fair' to afflict the comfortable Microsoft than it is to beat up on the poor, afflicted Apache developers."

      I hate the lack of freedom imposed on the world by Mico$loth, but the worst thing would be if Apache turned into some kind of lying, closed, corporate slug! How can we in the Open Source community say we love free speech if we are going to hide or cover up issues? We must remain open at all costs to show the closed sourcers we won't stoop to their level.

  4. Slashdot by Anonymous Coward · · Score: 2, Funny

    Is Slashdot fixed?

    Can I be infected by posting this?

  5. Based off of Gobbles proof of concept? by stromthurman · · Score: 2, Insightful

    GOBBLES submitted a proof of concept apache exploit for BSD variants on the BugTraq mailing list. Based on this string found in the chunk overflow request: BLE*h*GOB I would argue that this code was very sloppy indeed. Probably stolen mostly from Gobbles with a worm wrapper thrown around it.

    --
    I have discovered a truly remarkable sig which this margin is too small to contain.
  6. This exploit brought to you by the letters ISS by agrounds · · Score: 2, Interesting

    It is becoming increasingly discouraging when the 'security consultants' are releasing more exploits than any group of crackers ever could. It seems that BugTraq and NTBugTraq are full of more and more exploit traffic by these companies that are supposed to be protecting us from the threats. It looks to me like these companies are actively engaging in the process of breaking software, pointing to the offending buffer, then proclaiming "See! We help you by protecting you from someone who might have discovered this! By the way, here is the code for 'proof of concept' that any moron with gcc can load on his 1337 box for a little Friday night shenanigans!"
    When is the security end-user community going to come together and fight this as a united front? Make the repercussions for releasing exploit code so financially devastating that companies will tremble in fear of releasing -anything- without following proper disclosure.
    Perhaps litigation and financial awards would be a good start. I know eEye should owe me some money for their wonderful disclosure principles last summer. It was a long weekend rebuilding all our ftp servers.

    1. Re:This exploit brought to you by the letters ISS by gmhowell · · Score: 2

      They find problems, the virus scanner companies find problems, etc. to justify their existence. But I think you may have missed some of the introduction in the link you used. How many companies will acknowledge a vulnerability (theoretical) without there being an actual threat in the wild?

      Now, I must admit that MS and others are getting better, but it is still not certain that they will pay attention to various bug reports.

      I also think that a broader view is required. One must also look at the original publisher/programmer, and determine their liability. Is it NTBugTraq's fault for discussing the exploit, or is it Microsoft's fault for ignoring it and/or having the bug in the first place?

      I agree with what you are saying, but am not sure that it goes far enough.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    2. Re:This exploit brought to you by the letters ISS by agrounds · · Score: 1

      You're right about the treatment given theoretical vs. actual threats by most companies. I don't know what the cure for that is going to be. Complacency with regard to systems updating and patching, as we have discovered (read: Code Red), affects us all. In the case of Code Red or Nimda, which used an arsenal of attacks that had patches already released, the liability landed squarely on the admins' shoulders.
      I think that BugTraq and its ilk are valuable tools for the discussion and dissemination of information, and I admittedly would be lost without them.

      I have no problems with liability being ascribed to the software-house when an exploit is disclosed, and nothing is done to fix it. Financial awards are the only thing that is going to wake the industry up from its casual disregard.

      What I do think turns the tables is when the security company releases proof-of-concept code into the mailing lists of the world. BugTraq is a lifesaver. I wouldn't be adequately informed without it. However, I don't think for a second that easily half the subscribers to the list are script kiddies looking for some nice code to drop in their lap. In this case, I think the liability points directly to the security company for failure to use common sense and good disclosure practices.

      Can you imagine what would happen if everyone who was affected by a worm generated from proof-of-concept code filed a class action against the company that released the code? If each plaintiff only sued for man hours lost, the damages would be astronomical. This weapon could be wielded at Microsoft or any other company as well that failed to patch an exploit that was reported diligently using best-practices, and later used as a worm.

      Usually the only way to make companies listen is to hit them where they'll notice.

    3. Re:This exploit brought to you by the letters ISS by gmhowell · · Score: 1

      But what kinda hit does it take to make someone with $42 billion in cash notice?

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    4. Re:This exploit brought to you by the letters ISS by weave · · Score: 2
      You hit on some very good points. The entire "security" industry smacks of being ambulance chasers to me. It seems all about self-promotion and little about a genuine concern about ensuring the safety of the world's computing infrastructure.

      Each vulnerability has to be announced with great fanfare, wrapped up in copyright statements, insistence on proper credit being given, and of course the oh so popular naming of the incident like "weave-apache-043 vulnerability notice."

      Here's a few examples from recent bugtraq:

      • Cluestick Advisory #001
      • Westpoint Security Advisory, wp-02-0002
      • Foundstone Advisory, FS-062502-22-AXSH
      • nCipher Advisory #4
      • SNS Advisory No.54

      Now, before you can get that great reputation as a security know-it-all, you have to get your advisory out there. Notifying the vendor quietly so they can do the right thing doesn't serve your immediate needs, and that's publicity. And heaven help the vendor if you do notify them and they don't give you proper credit, else next time you'll just bypass them. Smacks of blackmail, eh?

      The entire security industry just seems chaotic and unprofessional. A lot is riding on doing this right. Hiding this behind a super sekret cabal of "trusted" groups with a high cost of entry to the group isn't the answer, but I don't believe rushing to publish working proof of concept exploits is the answer either.

      If the medical community operated like this, then the first person who identified a horrible disease would notify the drug companies and give them 30 days to come up with a cure, then after 30 days, go public, give out samples to anyone who asks with a disclaimer like "This is for educational purposes only, do not release it into the wild, we are not responsible" and then get the press to hype the fact that everyone is in great danger because some bad person could be releasing this at any moment.

    5. Re:This exploit brought to you by the letters ISS by seosamh · · Score: 1
      When is the security end-user community going to come together and fight this as a united front? Make the repercussions for releasing exploit code so financially devastating that companies will tremble in fear of releasing -anything- without following proper disclosure [vulnwatch.org].
      Perhaps litigation and financial awards would be a good start.


      Well, in the US of A they're working on accepting 0 (as in zero) responsibility for flaws in their products as a matter of law. Check these resources online for info about the UCITA.

      Computer Professionals for Social Responsibility

      InfoWorld

      Americans for Fair Electronic Transactions

      One interesting provision, as described on the CPSR page and related to your ideas which I quoted, is:


      UCITA allows software publishers to sell their products "as is" and to disclaim liability for product shortcomings.


      One other interesting aspect of this abomination is the right of the vendor to change the terms of the license, at any time, before or after the original transaction.

      This battle is fought state by state, in the state legislatures. Somebody in your state capital needs to know if you don't like what UCITA means for you.
  7. ah, that explains it.... by jeffy124 · · Score: 1

    that would explain all the firewall hits from 64.28.67.150.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:ah, that explains it.... by agrounds · · Score: 1

      that would explain all the firewall hits from 64.28.67.150.

      Offtopic == they don't get it


      In this particular case, I think your signature is going to be right on target...

      For those that don't get it, that's the public IP for /.

    2. Re:ah, that explains it.... by rakslice · · Score: 1
      Yum...

      [snip -- no, you're not getting your hands on my IP, you little devils, you.]

      bbr01-p0-0.ekgv01.exodus.net (209.1.169.1) 63.594 ms 63.786 ms 64.192 ms
      bbr02-p3-0.okbr01.exodus.net (206.79.9.9) 68.463 ms 63.592 ms 63.789 ms
      bbr02-p4-0.wlhm01.exodus.net (209.1.169.45) 88.655 ms 89.120 ms 88.507 m
      dcr03-g2-0.wlhm01.exodus.net (64.14.70.65) 88.775 ms 89.418 ms 89.015 ms
      csr03-ve241.wlhm02.exodus.net (64.14.70.138) 92.827 ms 91.359 ms 89.139
      64.28.66.204 (64.28.66.204) 89.260 ms 89.179 ms 88.957 ms
      slashdot.org (64.28.67.150) [open] 137.414 ms * *

      Overkill for simple reverse DNS, I know, but way cooler.

      BTW, can anyone identify wlhm, btw? okbr seems to be Oak Brook, IL., but then it's mysteryland.

  8. Not building right -- Anyone else? by Xunker · · Score: 0, Offtopic
    The page itself seems to be void of troubleshooting info, and I'm no C programmer, so I'm at a loss here.

    I'm trying to use mod_blowchunks.c with apache 1.3.24 with DSO. When I execute


    bin/apxs -i -a -c mod_blowchunks.c

    It spits back:

    gcc -DLINUX=22 -DUSE_HSREGEX -fpic -DSHARED_MODULE -I/usr/local/apache_1.3.24/include -c mod_blowchunks.c
    mod_blowchunks.c: In function `blowchunks_check_one_header':
    mod_blowchunks.c:51: `TRUE' undeclared (first use in this function)
    mod_blowchunks.c:51: (Each undeclared identifier is reported only once
    mod_blowchunks.c:51: for each function it appears in.)
    mod_blowchunks.c:52: `FALSE' undeclared (first use in this function)
    mod_blowchunks.c: In function `blowchunks_post_read_request':
    mod_blowchunks.c:58: `FALSE' undeclared (first use in this function)
    mod_blowchunks.c:61: `TRUE' undeclared (first use in this function)
    apxs:Break: Command failed with rc=1

    can anyone offer any guidance?

    --
    Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
  9. Things to Try by kingosric · · Score: 3, Informative

    The worm saves itself as /tmp/.a, so if root creates an empty file with a-rwx (0000) permissions the worm will not be able to install itself (assuming that your apache isn't running as root, yeh?)
    Of course, the sensible, long term solution is to upgrade to 1.3.26, but as a short term fix this may work (I've not tried it btw - I just upgraded :-)

    1. Re:Things to Try by J'raxis · · Score: 1

      Even if you are running as root (the parent does run as root even though the child processes are nobody:nobody) you could just set up a cron to check for that file every few minutes:

      #!/bin/sh
      # Path the worm drops its binary to
      WORM='/tmp/.a'
      if [ -f "$WORM" ] ; then
          echo 'APACHE WORM DETECTED'
          rm "$WORM" ||
              echo "ERROR: Was unable to delete $WORM"
      fi

      If this runs as a cron, the output will be mailed to you.

    2. Re:Things to Try by cant_get_a_good_nick · · Score: 2

      rm depends on permissions of the containing directory, not the file. Since the worm does rm -f before the cat, make sure you have your /tmp permissions right.

      If you set the sticky bit on the directory (most tmps have it set already) the file can't be removed unless the owner of the rm process and the owner of the file match. Then the cat should fail.

      Also try chflags if you're running on FreeBSD (other BSDs probably have equivalents).

    3. Re:Things to Try by Anonymous Coward · · Score: 0

      As far as I know, it uses UDP port 2001 to do its stuff. Firewall this as a quick workaround.

    4. Re:Things to Try by Anonymous Coward · · Score: 0

      So, if there is no /tmp/.a file on my system, is it safe to assume that my system has not been infected? I installed the update, but want to make sure I was not infected before I installed it.

      Thanks!

    5. Re:Things to Try by Ogun · · Score: 1

      Ahh, but most people seem to not know about the ext2/3 file attributes.
      Something like:
      touch /tmp/.a
      chmod 000 /tmp/.a
      chattr +i /tmp/.a

      would make that file immutable. Not even root can touch it until root does chattr -i.

      And now you know why I run ext3 :)

      --
      I found a fast warez site: http://warez.it.kth.se
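    An added example, not code from any poster in this thread, that combines the suggestions of this subthread into one script: pre-create the drop path as an empty mode-000 file (kingosric), try to make it immutable with chattr +i (Ogun), confirm the containing directory carries the sticky bit so a process running as the httpd user cannot unlink a root-owned file (cant_get_a_good_nick), and probe the decoy's state from cron (J'raxis). The paths /tmp/.a and /tmp/.uua are the ones the worm's strings, posted later in this thread, name; everything else (the function names, the status words, the directory parameter that lets the functions be exercised on a scratch directory instead of the live /tmp) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): decoy file at the worm's hard-coded
# drop path, sticky-bit check on the containing directory, and a status probe
# suitable for a cron job.  DIR is a parameter ("/tmp" on a live host).
# Paths DIR/.a and DIR/.uua follow the strings posted in the thread.

# Plant an empty, mode-000 file at DIR/.a.  Refuses to touch an existing file:
# on a live host that may already be the worm's binary.
plant_decoy() {
    f="$1/.a"
    [ -e "$f" ] && return 1
    : > "$f" && chmod 000 "$f" || return 2
    # The immutable flag needs root and an ext2/ext3 filesystem; try it, but
    # do not fail if it is unavailable (Ogun's chattr +i trick).
    if command -v chattr >/dev/null 2>&1; then
        chattr +i "$f" 2>/dev/null || true
    fi
    return 0
}

# Succeeds only if DIR has the sticky bit.  Without it, the "rm -rf /tmp/.a"
# the worm runs as the httpd user removes a root-owned decoy, because unlink
# is governed by the directory's permissions, not the file's.
sticky_ok() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        d????????[tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the decoy's state: "intact" (exit 0), "missing" (exit 1: the worm's rm
# succeeded) or "tampered" (exit 2: the file is now executable or non-empty, or
# the worm's staging file DIR/.uua has appeared).
decoy_status() {
    f="$1/.a"
    if [ ! -e "$f" ]; then
        echo missing; return 1
    fi
    if [ -x "$f" ] || [ -s "$f" ] || [ -e "$1/.uua" ]; then
        echo tampered; return 2
    fi
    echo intact; return 0
}

# Typical use on a live host, as root:
#   sticky_ok /tmp || chmod 1777 /tmp
#   plant_decoy /tmp
# and in /etc/crontab (cron mails whatever is printed):
#   */5 * * * * root [ "$(decoy_status /tmp)" = intact ] || echo "APACHE WORM ACTIVITY on $(hostname)"
```

    The sticky-bit check matters more than the mode on the decoy: with it set, the worm's child process, running as the httpd user, can neither unlink a root-owned /tmp/.a nor overwrite a mode-000 one with its cat, so the drop fails at the first step. The immutable flag extends the same protection to the root-owned parent. All of this only blocks a worm that uses this exact path; it is a stopgap until the server is upgraded, not a replacement for the upgrade.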
  10. Re:Not building right -- Anyone else? by stromthurman · · Score: 1

    Try putting: #declare TRUE 1 #declare FALSE 0 near the top of the mod_blowchunks.c file.

    --
    I have discovered a truly remarkable sig which this margin is too small to contain.
  11. Please move this to the front page!!! by Anonymous Coward · · Score: 0

    Thanks in advance

    XOXOXOXOXO

  12. Re:Not building right -- Anyone else? by stromthurman · · Score: 1

    #declare TRUE 1
    #declare FALSE 0

    rather.

    --
    I have discovered a truly remarkable sig which this margin is too small to contain.
  13. Re:Not building right -- Anyone else? by jeffy124 · · Score: 1

    you're still wrong.

    #define TRUE 1
    #define FALSE 0

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  14. Re:Not building right -- Anyone else? by Xunker · · Score: 2

    Brilliant, it works.
    Cheers,eh.

    --
    Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
  15. Scary: strings of the code worms by pruneau · · Score: 2, Interesting

    For those of you that like the horror stories, here are some excerpts from # strings .a (of the Linux version of course).

    (snip)
    /bin/.log
    (snip)
    GET /%s HTTP/1.0
    Connection: Keep-Alive
    User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
    (snip)
    GET /%s HTTP/1.0
    Host: %s
    Accept: text/html, text/plain, text/sgml, */*;q=0.01
    Accept-Encoding: gzip, compress
    Accept-Language: en
    User-Agent: Lynx/2.8.4rel.1 libwww-FM/2.14
    (snip)
    rm -rf /tmp/.a;cat > /tmp/.uua /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;
    12.127.17.7
    %c%s
    HELO %s
    MAIL FROM:
    RCPT TO:
    DATA
    QUIT
    (snip)
    mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s
    /bin/sh
    (snip)
    Udp flooding target
    Tcp flooding target
    Sending packets to target
    Dns flooding target
    (snip)

    So to summarize, this nasty beast will:
    • r00t your box
    • send e-mail
    • do DoS
    • fake being Mozilla or Lynx

    Hey Apache admins abroad: wake up!
    --
    [Pruneau /\o^O/\ warranty void if this .sig is removed]
    1. Re:Scary: strings of the code worms by zulux · · Score: 2

      *If* that's all it does, I tip my hat to the writer of the worm: at least it doesn't destroy any data and you can recover.

      If I meet the worm writer - I'm tempted to throttle him on one hand, and shake his hand on the other. It's kind of like a house burglar who steals all your top-ramen and doesn't take your expensive jewelry. Annoying, but in the long run, there wasn't much damage and your security system has been debugged.

      Tough call.

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    2. Re:Scary: strings of the code worms by zulux · · Score: 2

      fake beeing mozilla or lynx

      Awfully clever way for Mozilla to gain market share ;)

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    3. Re:Scary: strings of the code worms by J'raxis · · Score: 1

      That string is plain old Netscape 4.75. Remember, Netscape, IE, Mozilla itself, and Opera all use something containing Mozilla. The actual Mozilla browser has something like Gecko/$VERSION appended to it.

    4. Re:Scary: strings of the code worms by Anonymous Coward · · Score: 0

      A disassembly of the code can be downloaded from

      http://projects.tfm.ro/security/apache_worm/

    5. Re:Scary: strings of the code worms by Anonymous Coward · · Score: 0

      But why bother with disassembly. Just look at the source code.
      http://dammit.lt/apache-worm/apache-worm.c
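    An added example, not code from this thread or from the worm's author: a triage sweep built from the indicators the strings above expose (the /tmp/.a dropper and /tmp/.uua staging file, the copy renamed to /tmp/init and run with PATH="/tmp", the /bin/.log string) plus the UDP port 2001 that a poster earlier in the thread reports the worm using. Process and socket listings are read from stdin so the functions run over saved ps and netstat output; the SAMPLE_* listings embedded in the block are constructed for illustration, not captured from an infected host, and the function names and exit-status convention are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): indicator sweep built from the worm
# strings posted above.  Listings come from stdin so the functions can be run
# over saved "ps -eo pid,user,args" and "netstat -an" output; the SAMPLE_*
# listings are constructed for illustration, not captured from a real host.
# Exit status convention: 0 = nothing found, 1 = at least one hit (printed).

# Flag processes whose command lives under /tmp (the worm runs /tmp/.a and a
# renamed copy /tmp/init with PATH="/tmp"), or a bare ".a"/"init" that is not
# PID 1.  Input: ps -eo pid,user,args, header line included.
suspicious_procs() {
    awk 'NR == 1 { next }                              # skip the header
         { pid = $1; cmd = $3 }
         index(cmd, "/tmp/") == 1                      { hit = 1; print; next }
         (cmd == ".a" || cmd == "init") && pid != 1    { hit = 1; print }
         END { exit hit ? 1 : 0 }'
}

# Flag UDP sockets bound to port 2001, the port a poster reports the worm
# using.  Input: netstat -an; both the Linux "0.0.0.0:2001" and the BSD
# "*.2001" local-address formats match.
udp2001_sockets() {
    awk '$1 ~ /^udp/ && $4 ~ /[:.]2001$/ { hit = 1; print }
         END { exit hit ? 1 : 0 }'
}

# Check the file paths named in the worm's strings.  ROOT is prepended to each
# path: "" on a live host, a scratch directory when testing.
file_indicators() {
    n=0
    for p in /tmp/.a /tmp/.uua /tmp/init /bin/.log; do
        if [ -e "$1$p" ]; then
            echo "present: $1$p"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed sample listings (not from a real host).
SAMPLE_PS='  PID USER     COMMAND
    1 root     /sbin/init
  812 root     /usr/local/apache/bin/httpd
  813 nobody   /usr/local/apache/bin/httpd
 4421 nobody   /tmp/.a 10.0.0.5
 4430 nobody   init 10.0.0.5'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:2001            0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*'

# Demonstration on the samples; on a live host pipe real ps/netstat output in.
printf '%s\n' "$SAMPLE_PS"      | suspicious_procs || echo 'process indicators found'
printf '%s\n' "$SAMPLE_NETSTAT" | udp2001_sockets  || echo 'udp/2001 socket found'
file_indicators ""                                  || echo 'file indicators found'
```

    If you planted an empty /tmp/.a as a decoy, as suggested earlier in the thread, expect file_indicators to report that one path. A hit from suspicious_procs or udp2001_sockets on a live host means the box was compromised through the unpatched server and should be treated as such; killing the process and deleting /tmp/.a does not replace the upgrade to 1.3.26.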

  16. And why is this not on the front page? by |DaBuzz| · · Score: 4, Flamebait

    How odd ... a site that caters to those who use open source software is continually bombarded with reports of how IIS is swiss cheese on the front page, yet when a critical OPEN SOURCE security issue comes about regarding one of the most, if not THE most, used open source applications in the world, it is a day late and not published on the front page.

    It would appear that the posting of security advisories on this site is not to HELP admins, but instead to bash those you don't like.

    1. Re:And why is this not on the front page? by pruneau · · Score: 1

      Well, /. has never advertised itself to be the top-notch advisory source you want to connect to... They have a lot of claims, but not that one indeed.
      Generally, if you really are a security admin, you look at BugTraq, etc. etc.

      OTOH, sorry for the Mozilla/Netscape mistake: you are damn right.

      And no, this is not all it does: I did forget to mention it infected unpatched apache servers didn't I ? So I probably forgot a lot more ;->

      --
      [Pruneau /\o^O/\ warranty void if this .sig is removed]
    2. Re:And why is this not on the front page? by Trevelyan · · Score: 2, Informative

      Heres the /. story of the bug (was on front page, 17 june), and heres the story of the release a day later of a update FIXING the bug.

      Obviously this worm only affects ppl who have not updated their apache, and to laugh at ur 'IIS swiss cheese' which seems to take a couple of months before a fix is released (not to mention the foolish concept that you can hide any bug via security through obscurity)

    3. Re:And why is this not on the front page? by |DaBuzz| · · Score: 2

      The stories you cite are regarding a DoS with Apache, NOT a worm that is now known to exist. There is a big difference between some packet monkey making apache restart and someone rooting your box and executing arbitrary code.

      And to add insult to injury, there is a front page story about some OS X security items with no mention of this apache worm, just that Apache has been upgraded.

      Now tell me this, are there more Apache admins reading the front page or Apple users?

      Having this story here and NOT on the front page is laughable and does not frame the "open source community", of which slashdot is a cornerstone, in a positive light. It shows that they are just as willing to obscure security problems and flaws in their preferred products as those who they despise for using MS products.

    4. Re:And why is this not on the front page? by alonsoac · · Score: 1

      It would appear that the posting of security advisories on this site is not to HELP admins, but instead to bash those you don't like.

      I feel this is not a security advisory site and it also is not the "admin help" site. As far as I know it's news for nerds.

      They did have it on the frontpage some days ago when the bug was news. The only ones who could be complaining now would be some of the lazy admins who don't care enough to fix it before the worms appear.

      I suppose it is not in the frontpage because this is not exactly interesting news to most of the people.

    5. Re:And why is this not on the front page? by Verizon+Guy · · Score: 1

      I suppose it is not in the frontpage because this is not exactly interesting news to most of the people.

      Are you out of your fucking mind?? NOT interesting news? Please. This is like posting a report about a buffer overflow in the hta parser in IIS on the front page, but never posting a story about Code Red and variants.

      This is a really lame attempt at a cover-up, plain and simple. This site is the first to bash IIS, but when the real hole hits, the one that affects the product they all tout as being the best, the one that is apparently used by most of the web servers on the Internet, well, we like to hide that one around here.

      Slashdot is finally showing its true colors. This site is about as unbiased as Salon.com.

      --

      Aw, fuck it. Let's go bowling. - The Big Lebowski

    6. Re:And why is this not on the front page? by alonsoac · · Score: 1

      How could you say this is a cover up if there were two stories about it in recent days? The bug was reported, then the fix was announced, what the fuck else do you want? You need the slashdot crew to fix it for you?

    7. Re:And why is this not on the front page? by Verizon+Guy · · Score: 1

      This is a worm spreading via the exploit. It's a totally different story.

      --

      Aw, fuck it. Let's go bowling. - The Big Lebowski

    8. Re:And why is this not on the front page? by Anonymous Coward · · Score: 0

      I hereby nominate you for the "Duh Of The Year Award."(TM) on behalf of the entire Anonymous Coward Community. You must be new here so that probably puts you at an unfair advantage in the competition. But still I like it and you have my vote.

    9. Re:And why is this not on the front page? by Anonymous Coward · · Score: 0
      The complaining about this post from DaBuzz shows how correct that assertion is:

      http://www.worldtechtribune.com/worldtechtribune/asparticles/buzz/bz07022002.asp

      "Finley Peter Dunne, a Chicago journalist in the early 20th Century, noted that a journalist was to comfort the afflicted and afflict the comfortable. To most journalists, Microsoft, with billions of dollars in the bank and millions of customers, is viewed as comfortable. Open source software, a development dogma steeped in European socialism with few success stories to its credit, is viewed as afflicted. This kind of pragmatism is nothing new to journalists: In the eyes of most elite tech media journalists, it's more 'fair' to afflict the comfortable Microsoft than it is to beat up on the poor, afflicted Apache developers."

  17. Is this x86 only? by stego · · Score: 3, Interesting

    Does this worm run on all platforms, or just x86?

    1. Re:Is this x86 only? by You'reAFuckingMoron · · Score: 4, Informative
      I'm not an expert on this type of thing, but it looks like the worm caught in the honey-pot is BSD/x86 only.

      It appears to be based on the GOBBLE exploit which was released a few days ago, which was BSD only in the form posted on BugTraq. However, GOBBLES claim their exploit can be modified to work on OpenBSD, FreeBSD, Linux 2.4, and Solaris.

      There have also been claims that Win32 Apache is vulnerable, although I haven't seen an exploit on BugTraq. If GOBBLES is correct, then it's only going to be a matter of time before this worm is polished up and set out into the wild in a form that can hit just about everyone. Hell, with some work, maybe a good hacker could clean it up, add it with the Nimda code and hit just about everything under the sun.

      --
      What a fabulous troll your post was.... or how fabulously stupid you are. It's impossible to tell.
    2. Re:Is this x86 only? by stirfry714 · · Score: 1

      The Apache worm looks like FreeBSD only, BUT any good sys admin is going to assume that worms are out there now (or will be shortly) that will root and destroy their systems. Paranoid, yes, but..

      In this case, the Apache upgrade was so painless (and I even had the slight complication of mod_ssl) that there's no excuse not to upgrade.

  18. Better Solution by NotoriousQ · · Score: 2, Troll

    For those of you that do not need a web server, turn it off.

    --
    badness 10000
  19. Worm source by srhuston · · Score: 0, Redundant

    Looks like the source code to this worm is now here

    --
    Three dits, four dits, two dits, dah!
    Radio, radio, rah rah rah!
  20. Source code link by codewolf · · Score: 2, Informative
    --
    http://www.codewolf.com - Just good stuff to waste time
    1. Re:Source code link by Saint+Nobody · · Score: 2

      lines are terminated with CRLF, and indents are literal tabs, rather than a couple spaces. my guess is it was written in notepad.

      /me suppresses a giggle at the expense of people who code in notepad.

      --
      #define F(x) int main(){printf(#x,10,#x);}
      F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
    2. Re:Source code link by Anonymous Coward · · Score: 0

      It is also funny how you can type out a few lines in something as stupid as notepad to take down a bunch of Apache servers.

    3. Re:Source code link by flonker · · Score: 2, Funny

      Oh, so it's an open source worm. I wonder if it's GPLed.

  21. isn't this big news? by dousette · · Score: 1

    Why is this not on the main page?? With all the Apache servers out there, this is a HUGE deal!

    1. Re:isn't this big news? by edhall · · Score: 3, Insightful

      (Time to blow some karma.)

      Because it isn't IIS.

      I don't use Microsoft products. I use Apache, at work and at home, on Linux and FreeBSD. But I also recognize hypocrisy when I see it. This is the Code Red of the Apache world. So far as "News for Nerds. Stuff that matters" it's more significant than 95% of what appears on the front page.

      CT and the Slashdot crew should hang their heads in shame.

      -Ed
    2. Re:isn't this big news? by Anonymous Coward · · Score: 0

      It isn't as big as it seems. The code is extremely sloppy and inefficient. But it could provide an idea for a more innovative kiddie (if there is such a thing). I can definitely see a modified worm/trojan that utilizes SYN flood attacks.

    3. Re:isn't this big news? by edhall · · Score: 1

      Yes, it's pretty primitive. It appears to have been hacked together based on an exploit that was published just a few days ago. But there is little, other than greater vigilance on the part of Apache webmasters (as opposed to IIS's) to prevent a succession of worms that ultimately will rival in sophistication and virulence anything IIS has seen.

      I thought it was pathetic how a couple hundred thousand IIS servers stayed unpatched for so long, but it will be even more pathetic if the same happens to Apache. This is a chance for us to prove how much better open source can handle these situations. And I think there is a good chance that we will do just that. But that means that the word has to be spread as far as possible, not just to people who subscribe to Apache mailing lists or who read the Apache section on a website like Slashdot. And, face it, there are plenty of people out there running Apache who are two thoughts short of a clue. You can criticize ignorant webmasters all you want, but that doesn't change the fact that, for better or worse, what they do (or don't do) will reflect on all of us.

      -Ed
    4. Re:isn't this big news? by Verizon+Guy · · Score: 1

      Well, I can tell you even though I used Apache first, I've been a pretty happy IIS user for a couple of years now. I just have to say that anyone, anyone that runs a web server needs to be a vigilant admin, set his server up properly, and keep up-to-date with the security patches. Code Red and friends never compromised my server because I had secured it. The "lock up the server room and throw away the key" syndrome is what causes all this crap to happen. I understand that since on IIS it is easier to get a default setup up and running quickly, the admin behind any old IIS box may not be as knowledgeable as a comparable Unix admin (that's not saying that you need a good, smart NT admin if you want to do things right). OTOH, if you have a sloppy Unix admin around, with one of those "Apache is unbreakable 'cause it's open source" attitudes --- that is what worries me. I think that IIS's past reputation may make that admin a little more likely to visit security update pages, while a sloppy Apache admin just might do a Ron Popeil "set it and forget it" kind of thing. If you ever Netcraft a few big university servers, you'll see that they haven't updated their Apaches. If you get a big server on a big pipe DoSing... well, that's a big problem.

      We'll find out soon enough.

      --

      Aw, fuck it. Let's go bowling. - The Big Lebowski

    5. Re:isn't this big news? by Verizon+Guy · · Score: 0, Flamebait

      Well, if you look and see whose turn it is to post stories... that might answer your question.

      --

      Aw, fuck it. Let's go bowling. - The Big Lebowski

    6. Re:isn't this big news? by Anonymous Coward · · Score: 0

      If you notice, you'll see that they posted the "Gamespy Installer Spreads Nimda" story on the front page, yet not this.

    7. Re:isn't this big news? by |DaBuzz| · · Score: 3, Insightful

      If you notice, you'll see that they posted the "Gamespy Installer Spreads Nimda" story on the front page, yet not this.

      Yeah, and it appears that a Windows Media EULA "revelation" regarding a change (that has been in effect for a while from what I understand) is also front page news.

      So in slashdot's opinion, more "Nerds" are interested in the EULA of an app they probably don't even use than a major security issue with the web server the vast majority of them do use.

      The thing is, anti-MS posts generate more comments, i.e. ad views which equals $$$, while the truth about rampant open source vulnerabilities (in all OS's and major services) only hurts this site overall since when it's proven that open source is just as bad as proprietary software in this regard, all the slashdot rank and file will stop drinking the koolaid.

    8. Re:isn't this big news? by Anonymous Coward · · Score: 0

      Um, if this is the Code Red of the Apache world, how much damage has been done? Less than 24 hours after Code Red first struck, there were thousands of servers down. And it grew exponentially for days, and was a serious problem for weeks. My home PC (running linux) was DoS'ed by the traffic for two days. I could barely read Slashdot.

    9. Re:isn't this big news? by Anonymous Coward · · Score: 0

      Yes, there are (reportedly) up to 10 million clueless Apache users. There were (potentially) a billion clueless IIS/Windows personal web server users. In real life, you could probably reduce each number by 90%. Which leaves you with 1 million vs. 100 million.

    10. Re:isn't this big news? by Anonymous Coward · · Score: 0

      They posted this on newforge and had a big goose egg # of comments.

    11. Re:isn't this big news? by jrexilius · · Score: 0

      It is big news and it _was_ on the front page June 17th when it first came out. Then again June 18th when the fix was released.
      http://apache.slashdot.org/article.pl?sid=02/06/17 /1948249=thread=172

  22. Very cheap workaround by DeHackEd · · Score: 1, Informative
    $ su -
    # cd /tmp
    # touch .a .uua
    # chattr +i .a .uua
    # exit

    This should hold the worm off until I get the chance to do a proper upgrade. I've got too much of a headache to recompile Apache and try to get all the modules I want working right now.

    Standard disclaimer: this workaround should not be used by anyone who actually wants protection against this exploit.

  23. someone should write a whitehat worm? by Kunta+Kinte · · Score: 1

    maybe modify the worm to notify www@domain that the server is exploitable?

    --
    Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
  24. 20 or so lines from one exploit by Anonymous Coward · · Score: 0

    struct gen_rec {
        struct header h;
        unsigned long target;
        unsigned short port;
        unsigned long secs;
    };
    struct df_rec {
        struct header h;
        unsigned long target;
        unsigned long secs;
    };
    struct add_rec {
        struct header h;
        unsigned long server;
        unsigned long socks;
        unsigned long bind;
        unsigned short port;
    };
    struct data_rec {
        struct header h;
    };

  25. The worm isn't a root exploit, dummy (n/t) by Anonymous Coward · · Score: 0

    this is some filler

    this is some more filler

    the worm is not a root exploit

    go cry

  26. Re:Not building right -- Anyone else? by Anonymous Coward · · Score: 0

    This is _NOT_ Off-Topic, I think there are many users out there who want to patch their servers RIGHT NOW, and have the same problem. Just you wait til meta-mod strikes.

  27. Possible workaround? by eNonymous+Coward · · Score: 2, Interesting

    According to the reference page, the actual exploit is done by sending an HTTP POST request to a vulnerable server. Is it enough to put a restrictive LIMIT POST directive in the .htaccess or httpd.conf file? Or would the server still be vulnerable?

    FYI, running on cable in the ever-popular 24 /8 and haven't seen anything strange in the access log (yet)
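    The post above asks whether limiting POST size is enough. The following is an added illustration, not code from the post, the worm, or Apache, of the general shape of the flaw class the thread calls the "Apache chunk bug": the chunk size arrives as a hex field on its own line inside the request body, and if a 32-bit implementation parses it into a signed value, a size with the top bit set turns negative, slips past a "larger than my buffer" check, and is then handed to a copy routine as a length. The buffer size, the exact check and the sample lines are assumptions constructed for the example; Apache's real code path is not reproduced. The hardened variant bounds the unsigned value before it is ever used as a length.

```python
import re

# Hypothetical receive-buffer size (assumption; the real server's is not on the page).
BUFSIZE = 8192

# RFC 2616 3.6.1 chunk-size line: hex digits, optional ";ext" chunk extension, CRLF.
CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n$")


def parse_chunk_size(line: bytes) -> int:
    """Return the chunk size as an unbounded Python int (never wraps)."""
    m = CHUNK_SIZE_RE.match(line)
    if not m:
        raise ValueError("malformed chunk-size line: %r" % line)
    return int(m.group(1), 16)


def as_c_long32(value: int) -> int:
    """Store the value the way a 32-bit C 'long' would: bit 31 becomes the sign bit."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def vulnerable_copy_length(line: bytes, bufsize: int = BUFSIZE) -> int:
    """Flawed shape: signed size compared against the buffer, then used as a length.

    A chunk size such as FFFFFFF0 is negative here, so the 'too big' branch is
    skipped and the negative value flows on; memcpy() would take it as size_t
    and run far past the buffer.  (Illustrative shape only, not Apache's code.)
    """
    size = as_c_long32(parse_chunk_size(line))
    if size > bufsize:
        size = bufsize          # clamp only catches positive oversize values
    return size                 # a negative size escapes unchecked


def hardened_copy_length(line: bytes, bufsize: int = BUFSIZE,
                         max_chunk: int = 0x7FFFFFFF) -> int:
    """Safe shape: reject out-of-range sizes before they become a length."""
    size = parse_chunk_size(line)
    if size > max_chunk:
        raise ValueError("chunk size %#x exceeds %#x" % (size, max_chunk))
    return min(size, bufsize)


def copy_length_is_unsafe(n: int, bufsize: int = BUFSIZE) -> bool:
    """What memcpy() would see: a negative int converts to a huge size_t."""
    return n < 0 or n > bufsize


# Constructed sample chunk-size lines (not captured traffic).
SAMPLES = [
    b"1a\r\n",            # 26 bytes, ordinary chunk
    b"2001;foo=bar\r\n",  # 8193 bytes with a chunk extension: clamped to the buffer
    b"FFFFFFF0\r\n",      # bit 31 set: negative once stored in a 32-bit long
]


def audit(samples=SAMPLES):
    """Run both parsers over the samples.

    Returns {line: (vulnerable_length, unsafe?, hardened_length_or_None)};
    None means the hardened parser rejected the line before any copy.
    """
    results = {}
    for line in samples:
        vuln = vulnerable_copy_length(line)
        try:
            hard = hardened_copy_length(line)
        except ValueError:
            hard = None
        results[line] = (vuln, copy_length_is_unsafe(vuln), hard)
    return results


if __name__ == "__main__":
    for line, (vuln, unsafe, hard) in audit().items():
        print("%-18r vulnerable=%-12d unsafe=%-5s hardened=%s"
              % (line, vuln, unsafe, hard))
```

    Note that a request-body size limit never sees this value: the size is decided by the chunk-size line itself, which is why the check has to happen at the point the field is parsed.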

  28. Quit bitching by Reality+Master+201 · · Score: 2, Insightful

    If you can't take the anti-M$ slant, stay out of Slashdot. It has long ago ceased to be either interesting or insightful to remark that the posters and editors of Slashdot apply a double standard when publicising security flaws, etc. Everyone knows this.
    As a note to moderators: this is not insightful. The first time someone has an idea, that is insightful. The millionth time is redundant.

  29. More Functions Confirmed within the worm by Anonymous Coward · · Score: 0

    Now confirmed, a worm nicknamed 'Scalper' is spreading that exploits the week old Apache HTTP Server chunked encoding vulnerability. The new worm was first seen after it attacked a honeypot in Lithuania hosted by MicroLink, and seemingly has DDoS objectives in mind. Luckily, the worm has not picked up much steam yet, so take this opportunity to patch your servers.