Slashdot Mirror


Apache Worm in the Wild

codewolf writes "It has been reported to bugtraq by Domas Mituzas that a worm that exploits the Apache chunk bug has been found in the wild. Information on the worm can be found here. More information on the Apache bug can be found here, and patches can either be made by modifying your config file or upgrading your Apache version."

4 of 85 comments

  1. This exploit brought to you by the letters ISS by agrounds · · Score: 2, Interesting

    It is becoming increasingly discouraging when the 'security consultants' are releasing more exploits than any group of crackers ever could. It seems that BugTraq and NTBugTraq are full of more and more exploit traffic by these companies that are supposed to be protecting us from the threats. It looks to me like these companies are actively engaging in the process of breaking software, pointing to the offending buffer, then proclaiming "See! We help you by protecting you from someone who might have discovered this! By the way, here is the code for 'proof of concept' that any moron with gcc can load on his 1337 box for a little Friday night shenanigans!"
    When is the security end-user community going to come together and fight this as a united front? Make the repercussions for releasing exploit code so financially devastating that companies will tremble in fear of releasing -anything- without following proper disclosure.
    Perhaps litigation and financial awards would be a good start. I know eEye should owe me some money for their wonderful disclosure principles last summer. It was a long weekend rebuilding all our ftp servers.

  2. Scary: strings of the code worms by pruneau · · Score: 2, Interesting

    For those of you who like horror stories, here are some excerpts of # strings .a (of the Linux version, of course).

    (snip)
    /bin/.log
    (snip)
    GET /%s HTTP/1.0
    Connection: Keep-Alive
    User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
    (snip)
    GET /%s HTTP/1.0
    Host: %s
    Accept: text/html, text/plain, text/sgml, */*;q=0.01
    Accept-Encoding: gzip, compress
    Accept-Language: en
    User-Agent: Lynx/2.8.4rel.1 libwww-FM/2.14
    (snip)
    rm -rf /tmp/.a;cat > /tmp/.uua /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;
    12.127.17.7
    %c%s
    HELO %s
    MAIL FROM:
    RCPT TO:
    DATA
    QUIT
    (snip)
    mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s
    /bin/sh
    (snip)
    Udp flooding target
    Tcp flooding target
    Sending packets to target
    Dns flooding target
    (snip)

    So to summarize, this nasty beast will:
    • r00t your box
    • send e-mail
    • do DoS
    • fake being Mozilla or Lynx
    Hey Apache admins abroad: wake up!
    --
    [Pruneau /\o^O/\ warranty void if this .sig is removed]
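A host-side sweep for the artifacts that strings dump exposes, added here as an example; it is neither code from the post nor from the worm. The file paths and shell fragments are taken from the excerpt above; the scratch directory and process list in run_demo() are constructed, and the /proc reader assumes a Linux host.

```python
import os
import re
import tempfile
from typing import Iterable, List

# File paths the worm's embedded shell commands create (from the strings excerpt above).
WORM_PATHS = ["/tmp/.a", "/tmp/.uua", "/tmp/tmp", "/tmp/init", "/bin/.log"]

# Shell fragments from the same excerpt, anchored so that a normal /sbin/init or
# an unrelated file that happens to be called "init" does not trip the check.
WORM_CMDLINE_PATTERNS = [
    re.compile(r"(?:^|[;\s])/tmp/\.a(?:[;\s]|$)"),  # /tmp/.a <target>
    re.compile(r"killall -9 \.a"),                  # the worm's own restart sequence
    re.compile(r'export PATH="/tmp";init'),         # /tmp/init masquerading as init
]

def scan_for_worm_artifacts(root: str, cmdlines: Iterable[str]) -> List[str]:
    """One finding per worm path present under root and per matching command line."""
    findings = []
    for path in WORM_PATHS:
        if os.path.lexists(os.path.join(root, path.lstrip("/"))):
            findings.append(f"file present: {path}")
    for line in cmdlines:
        if any(p.search(line) for p in WORM_CMDLINE_PATTERNS):
            findings.append(f"suspicious process: {line.strip()}")
    return findings

def live_cmdlines(proc: str = "/proc") -> List[str]:
    """Command lines of running processes, read from a Linux procfs."""
    lines = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                lines.append(fh.read().replace(b"\0", b" ").decode(errors="replace"))
        except OSError:
            continue  # process exited between listdir and open
    return lines

def run_demo() -> List[str]:
    """Constructed sample, not a real host: a scratch root with the worm binary
    dropped in, plus a process list containing one infected entry."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tmp"))
    open(os.path.join(root, "tmp", ".a"), "w").close()
    sample = ["/usr/sbin/httpd -k start", "/tmp/.a 192.0.2.10", "/sbin/init"]
    return scan_for_worm_artifacts(root, sample)

if __name__ == "__main__":  # real sweep of this host
    print("\n".join(scan_for_worm_artifacts("/", live_cmdlines())))
```

A clean host returns an empty list; the demo shows the two findings that the dropped binary and its running copy produce.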
  3. Is this x86 only? by stego · · Score: 3, Interesting

    Does this worm run on all platforms, or just x86?

  4. Possible workaround? by eNonymous+Coward · · Score: 2, Interesting

    According to the reference page, the actual exploit is done by sending an HTTP POST request to a vulnerable server. Is it enough to put a restrictive LIMIT POST directive in the .htaccess or httpd.conf file? Or would the server still be vulnerable?

    FYI, running on cable in the ever-popular 24/8 and haven't seen anything strange in the access log (yet).