Apache Worm in the Wild
codewolf writes "It has been reported to bugtraq by Domas Mituzas that a worm that exploits the Apache chunk bug has been found in the wild. Information on the worm can be found here. More information on the Apache bug can be found here, and patches can either be made by modifying your config file or upgrading your Apache version."
Upgrade to the latest version and you won't be affected.
Get it in you!
Suck it up, bitches!
Oh well, back to downloading pr0n...
Pr0n K1ng
I'll think twice next time before I think anything with "Open" in the name is secure-- Apache needs to change licenses so it's not Open Source anymore or *something.*
So it isn't just IIS Admins that are too lazy to fix major security holes then?
I use it on all my webservers at home. But for work I'm forced to use IIS and stories like this are the reason why. Slashdot, you aren't doing Apache any favors by publishing this kind of thing--it only makes Open Source software look bad. Please, keep it under your hat.
Oh, you beautiful,
Oh, you beautiful,
Oh, you beautiful,
SLASHDOT SUCKS !!
Is Slashdot fixed?
Can I be infected by posting this?
GOBBLES submitted a proof of concept apache exploit for BSD variants on the BugTraq mailing list. Based on this string found in the chunk overflow request: BLE*h*GOB I would argue that this code was very sloppy indeed. Probably stolen mostly from Gobbles with a worm wrapper thrown around it.
I have discovered a truly remarkable sig which this margin is too small to contain.
It is becoming increasingly discouraging when the 'security consultants' are releasing more exploits than any group of crackers ever could. It seems that BugTraq and NTBugTraq are full of more and more exploit traffic by these companies that are supposed to be protecting us from the threats. It looks to me like these companies are actively engaging in the process of breaking software, pointing to the offending buffer, then proclaiming "See! We help you by protecting you from someone who might have discovered this! By the way, here is the code for 'proof of concept' that any moron with gcc can load on his 1337 box for a little Friday night shenanigans!"
When is the security end-user community going to come together and fight this as a united front? Make the repercussions for releasing exploit code so financially devastating, that companies will tremble in fear of releasing -anything- without following proper disclosure.
Perhaps litigation and financial awards would be a good start. I know eEye should owe me some money for their wonderful disclosure principles last summer.. It was a long weekend rebuilding all our ftp servers.
that would explain all the firewall hits from 64.28.67.150.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Honestly, how is Open Source going to win if we point out all its flaws?
I'm trying to use mod_blowchunks.c with apache 1.3.24 with DSO. When I execute
It spits back:
can anyone offer any guidance?
Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
The worm saves itself as /tmp/.a, so if root creates an empty file with a-rwx (0000) permissions the worm will not be able to install itself (assuming that your apache isn't running as root, yeh?) :-)
Of course, the sensible, long term solution is to upgrade to 1.3.26, but as a short term fix this may work (I've not tried it btw - I just upgraded
Try putting: #declare TRUE 1 #declare FALSE 0 near the top of the mod_blowchunks.c file.
Thanks in advance
XOXOXOXOXO
#declare TRUE 1
#declare FALSE 0
rather.
you're still wrong.
#define TRUE 1
#define FALSE 0
Brilliant, it works.
Cheers, eh.
For those of you that like the horror stories, here are some excerpts of # strings .a (of the linux version of course).
(snip)
- r00t your box
- send e-mail
- do DOS
- fake being mozilla or lynx
Hey apache admin abroad: wake up!
Pruneau
How odd ... a site that caters to those who use open source software are continually bombarded with reports of how IIS is swiss cheese on the front page, yet when a critical OPEN SOURCE security issue comes about, it comes out regarding one of the most, if not THE most used open source application in the world, it is a day late and not published on the front page.
It would appear that the posting of security advisories on this site is not to HELP admins, but instead to bash those you don't like.
Does this worm run on all platforms, or just x86?
For those of you that do not need a web server, turn it off.
badness 10000
Looks like the source code to this worm is now here
Three dits, four dits, two dits, dah!
Radio, radio, rah rah rah!
Source code for the worm
http://www.codewolf.com - Just good stuff to waste time
Why is this not on the main page?? With all the Apache servers out there, this is a HUGE deal!
I
I'd always been incredulous of the rumors surrounding the metropolis. Surely it was no more a prodigious city than Jasper! In a matter of hours, I would determine the validity of the hyperbole that others had shared with me.
"Hey, Peter!" exclaimed Robert, pointing at a modernly painted car. "It's over here. Come check it out!" It was obvious that the luxurious pink car was a rental, for a label was affixed to its rear, near the words "Dodge Neon." I approached the passenger side door.
"It's unlocked. Get in!" Robert was certainly enthusiastic about his acquisition of such an immaculate automobile. Despite his enthusiasm, I was somewhat apprehensive about driving with him. After all, his patrol cart accident had resulted in a somewhat undesirable trip to the hospital for both of us! As I began to enter the car, I was startled by a sound that resembled a click. I hadn't a moment to lose. During my descent to the ground, the clicking noise was followed by an enormous roar. At that point I realized that my protege was merely starting the car.
"Listen to this bad boy," he said as he revved the Neon's engine, producing a recurring shrill that may have emanated from an engine belt. "Hah! Almost a sportscar!" Once again, I felt as though I was a simpleton instead of a sophisticated, elaborately trained guardsman. But I had been in the hospital, so perhaps my sense of danger wasn't as accurate as it had been prior to the accident. I felt it important to remember an axiom that had been shared with me on numerous occasions: Time heals everything.
According to my road map, we would encounter many different cities en route, including Livingston, Cleveland, and New Caney. Two of them were surrounded by hyperbole similar to that of Houston. "The nightlife in Cleveland is invigorating," was among intelligence shared with me by an accented, travelling man. "Lake Livingston is more beautiful than Aruba," a native had said. Aside from New Caney, I possessed valid intelligence about our primary route. If we weren't fulfilling a mission, I would have attempted to confirm it all personally.
"Robert, we may have to drive for hours," I said, settling into the fabric seat of the Neon and anticipating the exciting perils of the journey ahead. "Can you handle it?" I strongly considered fretting when my trainee responded with a smile reminiscent of the one he exhibited shortly before our collision with the SUV. However, I remained calm, for I hadn't yet observed the negative augury that was a reflective, silver star.
As we exited the parking lot, I observed that the blue sky overhead was entering a transition to darkness. Clouds were beginning to appear on the horizon. Robert drove expeditiously, occasionally nearing speeds of forty-five miles per hour. The precision with which he drove indicated his adeptness and experience. While I was genuinely impressed by my protege, I didn't understand why the other drivers insisted on inundating us with an unnerving blast of their horn as they passed. These occurrences became more frequent after we entered a road that had been assigned the name US 190. It was here that our bizarre journey truly began.
II
"I've never driven in these conditions," said Robert, as light rain began to cover the windshield of our luxury car. "Um, uh... Oh, yeah, here's the wiper switch." Instead of the mundane sound of the wipers' rubber removing water from glass, we were greeted by a sound similar to that of fingernails being driven into a chalkboard. The temptation existed for me to cover my ears, but I realized that my protege required assistance.
"Turn them off!" I yelled frantically.
Robert pressed the switch almost instantaneously, disabling the malfunctioning wipers. "Maybe I turned on the windshield cleaning mode?"
"No, no," I informed him. "There aren't any wiper blades! We're being sabotaged!" Our ability to see was hampered by scratches that had appeared in the windshield. The rapidly degrading weather conditions outside weren't of any assistance, either. It was absolutely imperative that we exit the road. At that moment, I spotted a Dairy Queen sign on an adjacent street.
"Robert, turn left. Quick!" I commanded my protege, who complied without hesitation. As I watched him correct the car's direction, I realized that something was surely amiss. Our automobile was skidding!
"Peter, help me. I can't stop it!" My trainee had emitted a distress call. I was required to respond immediately and effectively! In a heroic manner, I seized control of the steering wheel and used all of my strength to turn the car in the direction of the skid. Miraculously, the car became motionless less than a moment later.
"Robert, are you okay?" I queried. He continued to the Dairy Queen's parking lot cautiously. Not once did he utter a word.
Emerging from the vehicle with a shirt shielding my head from the drizzle, my keen sense of smell observed that the road had become aromatic with the smells of rain, oil, and asphalt. The humid conditions and darkened sky overhead, illuminated occasionally by a strike of lightning, only heightened our sense of foreboding. We rushed quickly to the more pleasant confines of Woodville's Dairy Queen.
"Bad weather out there, huh friends?" the accented cashier greeted us with a chuckle. "Yeah, we had us a tornader out there just last week, huh. See that toppled tree right over there? Well, anyway, name's Thomas. What's yours?"
An elderly oak tree, possibly existent for a century, had been uprooted near the road. Neither Robert nor myself had been aware of its presence until Thomas had pointed it out. "My name is Peter," I replied, pointing a finger. "And that's Robert. Do you mind if we stay here until this storm is over?"
"Naw, naw. Not at all!" Thomas was around forty-five, perhaps as much as fifty years of age. Thin gray strands were becoming interspersed throughout his jet black hair. He was a relatively small man, only five feet and four inches in stature. My approximation was derived from the fact that he was somewhat shorter than myself, a man of five and a half feet.
I conversed casually with him, as I had the hospital nurse, about trivial matters such as ice cream and old trucks. As I glanced outside, I was aghast at the sight of a most frightening image: a car with the notoriously iconic silver star affixed to both its front and its rear passed by the Dairy Queen, apparently oblivious to or unaffected by the weather outside. I'd observed a most negative omen. As hail began to relentlessly pelt the tin roof of the restaurant, Robert, Thomas, and I realized silently that we would be at the mercy of whatever followed it...
III
"I saw it too," whispered Robert, noticing my face. It'd been rendered a shade or two more pale by the sighting.
"Saw what, man? What was I 'sposed to see?" It was evident that our newly discovered friend hadn't yet been informed of the dangers we faced as a result of our vision. I proceeded to enlighten him.
"Whenever you see a three-pointed star affixed to a vehicle, it's a bad omen. You see, Robert and I discovered this while patrolling."
"Patrollin'? What'chu patrol?" He'd grown more inquisitive, his eyes reduced to mere slits. Perhaps Thomas hadn't ever encountered two elite security guards before.
"Oh, we're security guards. We've saved the world numerous times. But you see, a man crashed into our security patrol vehicle during a routine mission to protect automobiles from rogue shopping carts. Attached to his car was a star that we've observed to be a negative omen on many occasions. Always avoid it. Always. It could save you the expense of your life."
"What a load of boohickey!" Thomas retorted. Apparently, he had decided not to heed our stern warning. He began laughing incessantly. "Good story, though. Huh! You both deserve a Blizzard for that!"
I'd once before sampled a "Blizzard" in a Jasper Dairy Queen. It was a ubiquitous fact that they most likely contained a depressant similar to alcohol. His attempt to serve me such a "frozen treat" led me to believe that he could be part of what I now call the Three Pointed Conspiracy. It was imperative that I not accept any of his offers and shield Robert from his evil.
I denied his offer with a simple "No, thank you."
"Fair 'nuff," he said. "Just thought I'd offer ya one." A member of the Three Pointed Conspiracy, it was certainly possible that he was attempting to lull me into a sense of complacency. I couldn't lower my guard.
Robert, however, was more susceptible to his attack. "Hey, I'll take one of those!" he exclaimed. As Robert glanced in my direction, I shook my head in a stern, horizontal manner. Upon consuming even a fraction of the Blizzard, he would grow more delusional and less aware of the conspiracy around him. Since my head shake had gone unacknowledged, the fact that we needed to vacate the Dairy Queen prematurely became more distinct. After a moment of consideration, I grabbed his arm and began to run for the door. Hopefully Thomas (if that wasn't a pseudonym assigned by the Conspiracy) wouldn't consider our departure abnormal.
"Oh, look, the sky. It's clearing. Robert, we must depart!" I shouted, attempting to confuse the cashier and delay his inevitable, hostile reaction.
"Where are we going, Peter?" Robert questioned me almost inaudibly as we ran to the Neon through the downpour of rain.
"We must leave here, Robert. That man is an agent of a conspiracy the scale of which has never been seen!" I urgently informed him. He tossed me the keys to the Neon. As I unlocked my door, another bolt of lightning crackled overhead. It must have been nearing sunset, for the strike was more brilliant than any of the others that day.
After starting the engine, I unlocked Robert's door. "I'm cold," he said, shivering and eyeing the air conditioner vent as he fastened his seat belt. "Do you mind?"
"No, not at all," I replied. I'd become uncomfortably chilled as well. Thomas, apparently, wasn't making any effort to pursue us. We entered the rain covered US 190, once again bound for Houston.
IV
It'd been years since I'd last driven an automobile aside from our elite patrol vehicle. If it weren't possible that members of the Three Pointed Conspiracy were following us, I would've considered detouring once the storm was over, for no reason other than to enjoy the feeling.
After a few moments, the road around us became dark. The thick storm clouds overhead obscured any moonlight. If not for our luxury car's headlights, we would have been completely unable to see. US 190 was deserted; there wasn't another car in sight. Moderate rain continued to strike the roof of our car in a manner that was almost relaxing. I glanced quickly over at Robert, who'd been silent for the past few minutes. He had fallen asleep.
The moderate to heavy rain that we'd experienced since Woodville was replaced by a light mist as we entered Livingston. Although the weather here had improved noticeably, fallen trees and a power line lying close to the road indicated that the storm had recently passed through. I nudged Robert with my elbow, who responded with a groan.
After many fruitless attempts, he finally awoke, responding in a groggy voice. "Yeah, Peter?"
He would've been furious if I'd been his subordinate instead of his commander, but I was pleased by his lack of hostility. "Would you mind checking the roadmap for directions?"
"Uh, sure. Actually, can we stop here first?" He pointed at an Exxon gasoline station.
"Are you sick?" I asked with concern.
"Um, no," he replied. "I want a snack."
His request was reasonable, I decided. Besides, the car would soon require a fuel replenishment and I was becoming somewhat uncomfortable from driving. "Go inside and buy whatever you want," I instructed him as I handed him a fifty dollar bill. "But be sure to pay for twenty-five dollars worth of gas."
"Okay," he replied as I positioned the car alongside a gasoline pump.
"On second thought," I told him, "I'll go with you."
He handed the fifty dollar bill back to me. The store itself was ancient, but seemed to have been well maintained. I followed Robert as he selected a Sprite and a bag of potato chips, then to the cashier's register.
"You guys are the first customers I've had all night," the woman said. "You must be on pump four. Heh, you haven't pumped any gas yet. Prepayin'?"
I stepped up. "Yes, twenty-five dollars."
She began scanning the products' barcodes. "Alright then, I'll ring this stuff up. Heh, bad storm here earlier. Was a twister that tore two houses down, news said. You boys didn't drive through it?"
"Yes, we did," I replied solemnly.
"Heh, brave. Well, your total's forty even." I relinquished the fifty. "Ten dollars change, then. Here ya go."
As I pumped the gasoline, I watched the gnats swarm the fluorescent light overhead. Once I'd finished returning the pumping device to its holder, our trip resumed. "So, where do we go from here?" I asked Robert as I reassumed my seat behind the wheel.
"Interstate 59," he replied while chewing on a potato chip. "It should take us all the way into Houston."
"Right," I replied, the car's engine sputtering lightly as it started.
Comment without sacrificing karma.
# cd
# touch
# chattr +i
# exit
This should hold the worm off until I get the chance to do a proper upgrade. I've got too much of a headache to recompile Apache and try to get all the modules I want working right now.
Standard disclaimer: this workaround should not be used by anyone who actually wants protection against this exploit.
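Added example (not part of any comment in this thread): a read-only triage script for the two facts the comments above rely on, that the worm writes itself to /tmp/.a and that 1.3.26 is the fixed release. The function names, the status words and the sample banner are constructed for illustration; only the path and the version number come from the thread.

```shell
#!/bin/sh
# Triage for the Apache chunked-encoding worm discussed in this thread.
# From the thread: drop path /tmp/.a, fixed release 1.3.26.
# Everything else (names, status words, sample banner) is illustrative.

DROP_PATH="${DROP_PATH:-/tmp/.a}"
FIXED_13="1.3.26"

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# banner_status TEXT prints vulnerable | fixed | unknown for a 1.3.x banner
# such as the first line of `httpd -v` or a Server: response header.
banner_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p')
    case "$ver" in
        1.3.*) if version_lt "$ver" "$FIXED_13"; then echo vulnerable
               else echo fixed; fi ;;
        *)     echo unknown ;;   # branch not covered by the thread
    esac
}

# drop_status PATH [OWNER_UID] prints one of:
#   absent       nothing at the path
#   placeholder  empty regular file, mode 000, owned by OWNER_UID (default 0):
#                the workaround described in the comments
#   investigate  anything else: symlink, non-empty file, wrong mode or owner
drop_status() {
    p=$1
    want_uid=${2:-0}
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then echo absent; return 0; fi
    if [ -L "$p" ] || [ ! -f "$p" ] || [ -s "$p" ]; then
        echo investigate; return 0
    fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
    meta=$(ls -ldn "$p" | awk '{print substr($1,1,10) ":" $3}')
    if [ "$meta" = "----------:$want_uid" ]; then echo placeholder
    else echo investigate; fi
}

triage() {
    echo "banner:    $(banner_status "$1")"
    echo "drop file: $DROP_PATH is $(drop_status "$DROP_PATH")"
}

# Constructed sample banner; on a real host pass the output of `httpd -v`.
triage "Server version: Apache/1.3.24 (Unix)"
```

A `placeholder` result only means the file-name block from the comments is in place; a `vulnerable` banner still calls for the upgrade to 1.3.26.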
maybe modify the worm to notify www@domain that the server is exploitable?
Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
struct gen_rec {
    struct header h;
    unsigned long target;
    unsigned short port;
    unsigned long secs;
};
struct df_rec {
    struct header h;
    unsigned long target;
    unsigned long secs;
};
struct add_rec {
    struct header h;
    unsigned long server;
    unsigned long socks;
    unsigned long bind;
    unsigned short port;
};
struct data_rec {
    struct header h;
};
this is some filler
this is some more filler
the worm is not a root exploit
go cry
This is _NOT_ Off-Topic, I think there are many Users out who want to patch their Servers RIGHT NOW, and have the same problem. Just you wait til meta-mod strikes.
It's been a day or so. I've seen the source code for the worm posted twice, along with instructions for an absolute fuckwit in how to compile it, and stupid ass-patch methods to "protect" you from the worm. Has anyone actually managed to change the worm enough to do something interesting? Post a link so we can all play with it now.
According to the reference page, the actual exploit is done by sending an HTTP POST request to a vulnerable server. Is it enough to put a restrictive LIMIT POST directive in the .htaccess or httpd.conf file? Or would the server still be vulnerable?
FYI, running on cable in the ever-popular 24/8 and haven't seen anything strange in the access log (yet)
If you can't take the anti-M$ slant, stay out of the Slashdot. It has long ago ceased to be either interesting or insightful to remark that the posters and editors of Slashdot apply a double standard when publicising security flaws, etc. Everyone knows this.
As a note to moderators: this is not insightful. The first time someone has an idea, that is insightful. The millionth time is redundant.
Now confirmed, a worm nicknamed 'Scalper' is spreading that exploits the week-old Apache HTTP Server chunked encoding vulnerability. The new worm was first seen after it attacked a honeypot in Lithuania hosted by MicroLink, and seemingly has DDoS objectives in mind. Luckily, the worm has not picked up much steam yet, so take this opportunity to patch your servers.