Slashdot Mirror


Apache Worm in the Wild

codewolf writes "It has been reported to bugtraq by Domas Mituzas that a worm that exploits the Apache chunk bug has been found in the wild. Information on the worm can be found here. More information on the Apache bug can be found here, and patches can either be made by modifying your config file or upgrading your Apache version."

6 of 85 comments

  1. Re:I love Apache by GeekWithGuns · · Score: 2, Informative

    Keeping things like this under your hat is exactly how worms get out of control. This hole was fixed 2 weeks ago; if you have not fixed your site by now, this is your final warning. If you know any other Apache admins, you should be a nice guy and send them an email to make sure that their site is fixed.

    When Micro$oft kept it quiet about those IIS vulnerabilities, many IIS installs went unpatched. (Ok, if you were a good admin you knew about them, but most sites do not have good admins) This by itself was not a problem, but then Nimda and Code Red hit. Tons of systems ripe for the picking!

    Any system will have bugs (some more than others, but that is not the point here) and a certain percentage of those bugs will be security vulnerabilities. No matter how hard you try to debug the system, there will be some security hole left to be discovered. The best action is to make sure that everybody who has that system running knows about the hole before it becomes a problem.

    --
    [End of diatribe. We now return you to your regularly scheduled programming...] - Larry Wall in Configure from the perl
  2. Things to Try by kingosric · · Score: 3, Informative

    The worm saves itself as /tmp/.a, so if root creates an empty file with a-rwx (0000) permissions the worm will not be able to install itself (assuming that your apache isn't running as root, yeh?)
    Of course, the sensible, long term solution is to upgrade to 1.3.26, but as a short term fix this may work (I've not tried it btw - I just upgraded :-)

  3. Re:And why is this not on the front page? by Trevelyan · · Score: 2, Informative

    Here's the /. story of the bug (was on front page, 17 June), and here's the story of the release a day later of an update FIXING the bug.

    Obviously this worm only affects ppl who have not updated their apache, and to laugh at ur 'IIS swiss cheese' which seems to take a couple of months before a fix is released (not to mention the foolish concept that you can hide any bug via security through obscurity)

  4. Re:Is this x86 only? by You'reAFuckingMoron · · Score: 4, Informative
    I'm not an expert on this type of thing, but it looks like the worm caught in the honey-pot is BSD/x86 only.

    It appears to be based on the GOBBLE exploit which was released a few days ago, which was BSD only in the form posted on BugTraq. However, GOBBLES claim their exploit can be modified to work on OpenBSD, FreeBSD, Linux 2.4, and Solaris.

    There have also been claims that Win32 Apache is vulnerable, although I haven't seen an exploit on BugTraq. If GOBBLES is correct, then it's only going to be a matter of time before this worm is polished up and set out into the wild in a form that can hit just about everyone. Hell, with some work, maybe a good hacker could clean it up, add it with the Nimda code and hit just about everything under the sun.

    --
    What a fabulous troll your post was.... or how fabulously stupid you are. It's impossible to tell.
  5. Source code link by codewolf · · Score: 2, Informative
    --
    http://www.codewolf.com - Just good stuff to waste time
  6. Very cheap workaround by DeHackEd · · Score: 1, Informative
    $ su -
    # cd /tmp
    # touch .a .uua
    # chattr +i .a .uua
    # exit

    This should hold the worm off until I get the chance to do a proper upgrade. I've got too much of a headache to recompile Apache and try to get all the modules I want working right now.

    Standard disclaimer: this workaround should not be used by anyone who actually wants protection against this exploit.
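
The placeholder workaround from comments 2 and 6, seen from the checking side, as an added example that is not part of any comment above: a shell function that classifies the two paths named in the thread (`.a` and `.uua`). The function name, its directory argument and the status words are assumptions made for this example; it does not check the immutable flag set with `chattr`.

```shell
#!/bin/sh
# Added example: audit the placeholder files named in the thread.
# Usage: check_worm_paths /tmp
# Prints one "name status" line per path; returns 1 if any path looks
# like a dropped file, otherwise 0.
# Status words (hypothetical, chosen for this example):
#   absent       nothing there, so the path can still be created
#   placeholder  empty regular file, owned by uid 0, mode 0000
#   weak         empty regular file, but wrong owner or mode
#   suspicious   non-empty file, symlink, or not a regular file
check_worm_paths() {
    dir=${1:-/tmp}
    rc=0
    for name in .a .uua; do
        f=$dir/$name
        if [ -L "$f" ]; then
            status=suspicious          # symlinks are never a valid placeholder
        elif [ ! -e "$f" ]; then
            status=absent
        elif [ ! -f "$f" ] || [ -s "$f" ]; then
            status=suspicious          # not a regular file, or has content
        else
            # ls -ldn: field 1 is the mode string, field 3 the numeric uid
            set -- $(ls -ldn -- "$f")
            mode=$(printf '%s' "$1" | cut -c1-10)
            if [ "$mode" = "----------" ] && [ "$3" = "0" ]; then
                status=placeholder
            else
                status=weak
            fi
        fi
        if [ "$status" = suspicious ]; then
            rc=1
        fi
        printf '%s %s\n' "$name" "$status"
    done
    return $rc
}
```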