Slashdot Mirror


Apache Worm in the Wild

codewolf writes "It has been reported to bugtraq by Domas Mituzas that a worm that exploits the Apache chunk bug has been found in the wild. Information on the worm can be found here. More information on the Apache bug can be found here, and patches can either be made by modifying your config file or upgrading your Apache version."

26 of 85 comments

  1. Slashdot by Anonymous Coward · · Score: 2, Funny

    Is Slashdot fixed?

    Can I be infected by posting this?

  2. Based off of Gobbles proof of concept? by stromthurman · · Score: 2, Insightful

    GOBBLES submitted a proof-of-concept Apache exploit for BSD variants to the BugTraq mailing list. Based on this string found in the chunk overflow request: BLE*h*GOB, I would argue that this code was very sloppy indeed. Probably stolen mostly from Gobbles with a worm wrapper thrown around it.

    --
    I have discovered a truly remarkable sig which this margin is too small to contain.
  3. This exploit brought to you by the letters ISS by agrounds · · Score: 2, Interesting

    It is becoming increasingly discouraging when the 'security consultants' are releasing more exploits than any group of crackers ever could. It seems that BugTraq and NTBugTraq are full of more and more exploit traffic by these companies that are supposed to be protecting us from the threats. It looks to me like these companies are actively engaging in the process of breaking software, pointing to the offending buffer, then proclaiming "See! We help you by protecting you from someone who might have discovered this! By the way, here is the code for 'proof of concept' that any moron with gcc can load on his 1337 box for a little Friday night shenanigans!"
    When is the security end-user community going to come together and fight this as a united front? Make the repercussions for releasing exploit code so financially devastating that companies will tremble in fear of releasing -anything- without following proper disclosure.
    Perhaps litigation and financial awards would be a good start. I know eEye should owe me some money for their wonderful disclosure principles last summer.. It was a long weekend rebuilding all our ftp servers.

    1. Re:This exploit brought to you by the letters ISS by gmhowell · · Score: 2

      They find problems, the virus scanner companies find problems, etc. to justify their existence. But I think you may have missed some of the introduction in the link you used. How many companies will acknowledge a vulnerability (theoretical) without there being an actual threat in the wild?

      Now, I must admit that MS and others are getting better, but it is still not certain that they will pay attention to various bug reports.

      I also think that a broader view is required. One must also look at the original publisher/programmer, and determine their liability. Is it NTBugTraq's fault for discussing the exploit, or is it Microsoft's fault for ignoring it and/or having the bug in the first place?

      I agree with what you are saying, but am not sure that it goes far enough.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    2. Re:This exploit brought to you by the letters ISS by weave · · Score: 2
      You hit on some very good points. The entire "security" industry smacks of being ambulance chasers to me. It seems all about self-promotion and little about a genuine concern about ensuring the safety of the world's computing infrastructure.

      Each vulnerability has to be announced with great fanfare, wrapped up in copyright statements, insistence on proper credit being given, and of course the oh so popular naming of the incident like "weave-apache-043 vulnerability notice."

      Here's a few examples from recent bugtraq:

      • Cluestick Advisory #001
      • Westpoint Security Advisory, wp-02-0002
      • Foundstone Advisory, FS-062502-22-AXSH
      • nCipher Advisory #4
      • SNS Advisory No.54

      Now, before you can get that great reputation as a security know-it-all, you have to get your advisory out there. Notifying the vendor quietly so they can do the right thing doesn't serve your immediate needs, and that's publicity. And heaven help the vendor if you do notify them and they don't give you proper credit, else next time you'll just bypass them. Smacks of blackmail, eh?

      The entire security industry just seems chaotic and unprofessional. A lot is riding on doing this right. Hiding this behind a super sekret cabal of "trusted" groups with a high cost of entry to the group isn't the answer, but I don't believe rushing to publish working proof of concept exploits is the answer either.

      If the medical community operated like this, then the first person who identified a horrible disease would notify the drug companies and give them 30 days to come up with a cure, then after 30 days, go public, give out samples to anyone who asks with a disclaimer like "This is for educational purposes only, do not release it into the wild, we are not responsible" and then get the press to hype the fact that everyone is in great danger because some bad person could be releasing this at any moment.

  4. Re:I love Apache by GeekWithGuns · · Score: 2, Informative

    Keeping things like this under your hat is exactly how worms get out of control. This hole was fixed 2 weeks ago; if you have not fixed your site by now this is your final warning. If you know any other Apache admins, you should be a nice guy and send them an email to make sure that their site is fixed.

    When Micro$oft kept quiet about those IIS vulnerabilities, many IIS installs went unpatched. (Ok, if you were a good admin you knew about them, but most sites do not have good admins.) This by itself was not a problem, but then Nimda and Code Red hit. Tons of systems ripe for the picking!

    Any system will have bugs (some more than others, but that is not the point here) and a certain percentage of those bugs will be security vulnerabilities. No matter how hard you try to debug the system, there will be some security hole left to be discovered. The best action is to make sure that everybody who has that system running knows about the hole before it becomes a problem.

    --
    [End of diatribe. We now return you to your regularly scheduled programming...] - Larry Wall in Configure from the perl
  5. Things to Try by kingosric · · Score: 3, Informative

    The worm saves itself as /tmp/.a, so if root creates an empty file with a-rwx (0000) permissions the worm will not be able to install itself (assuming that your apache isn't running as root, yeh?)
    Of course, the sensible, long-term solution is to upgrade to 1.3.26, but as a short-term fix this may work (I've not tried it btw - I just upgraded :-)

    1. Re:Things to Try by cant_get_a_good_nick · · Score: 2

      rm depends on permissions of the containing directory, not the file. Since the worm does rm -f before the cat, make sure you have your /tmp permissions right.

      If you set the sticky bit on the directory (most tmps have it set already) the file can't be removed unless the owner of the rm process and the owner of the file match. Then the cat should fail.

      Also try chflags if you're running on FreeBSD (other BSDs probably have equivalents).

  6. Re:Not building right -- Anyone else? by Xunker · · Score: 2

    Brilliant, it works.
    Cheers,eh.

    --
    Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
  7. Scary: strings of the code worms by pruneau · · Score: 2, Interesting

    For those of you that like the horror stories, here are some excerpts of # strings .a (of the Linux version, of course).

    (snip)
    /bin/.log
    (snip)
    GET /%s HTTP/1.0
    Connection: Keep-Alive
    User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
    (snip)
    GET /%s HTTP/1.0
    Host: %s
    Accept: text/html, text/plain, text/sgml, */*;q=0.01
    Accept-Encoding: gzip, compress
    Accept-Language: en
    User-Agent: Lynx/2.8.4rel.1 libwww-FM/2.14
    (snip)
    rm -rf /tmp/.a;cat > /tmp/.uua /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;
    12.127.17.7
    %c%s
    HELO %s
    MAIL FROM:
    RCPT TO:
    DATA
    QUIT
    (snip)
    mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s
    /bin/sh
    (snip)
    Udp flooding target
    Tcp flooding target
    Sending packets to target
    Dns flooding target
    (snip)

    So to summarize, this nasty beast will:
    • r00t your box
    • send e-mail
    • do DOS
    • fake being mozilla or lynx
    Hey Apache admins abroad: wake up!
    --
    [Pruneau /\o^O/\ warranty void if this .sig is removed]
    1. Re:Scary: strings of the code worms by zulux · · Score: 2

      *If* that's all it does, I tip my hat to the writer of the worm: at least it doesn't destroy any data and you can recover.

      If I meet the worm writer - I'm tempted to throttle him on one hand, and shake his hand on the other. It's kinda like a house burglar who steals all your top-ramen and doesn't take your expensive jewelry. Annoying, but in the long run, there wasn't much damage and your security system has been debugged.

      Tough call.

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    2. Re:Scary: strings of the code worms by zulux · · Score: 2

      fake being mozilla or lynx

      Awfully clever way for Mozilla to gain market share ;)

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
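    The strings dump above is the kind of thing a quick triage script can match on. As an added example (mine, not the poster's and not the worm's code), the following Python mimics strings(1), pulls out dotted-quad addresses, and matches the indicators quoted in the comment. SAMPLE_BLOB and CLEAN_BLOB are constructed byte strings with those indicators embedded in junk, not the worm binary; the indicator labels are my own, and the "suspicious" threshold is an arbitrary triage rule, not anything from the page.

```python
import re

# Patterns lifted from the strings output quoted above; the labels are mine.
INDICATORS = {
    "dropper":    rb"rm -rf /tmp/\.a;cat > /tmp/\.uua",
    "flooder":    rb"(?:Udp|Tcp|Dns) flooding target",
    "smtp":       rb"HELO %s",
    "spoofed_ua": rb"User-Agent: (?:Mozilla|Lynx)/",
    "init_mask":  rb"mv /tmp/tmp /tmp/init",
}
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(blob, minlen=4):
    """strings(1) lookalike: runs of printable ASCII at least minlen long."""
    pat = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group(0).decode("ascii") for m in re.finditer(pat, blob)]


def find_indicators(blob):
    """Map each indicator label to the first matching text, if any."""
    hits = {}
    for label, pattern in INDICATORS.items():
        m = re.search(pattern, blob)
        if m:
            hits[label] = m.group(0).decode("ascii")
    return hits


def find_ipv4(blob):
    """Dotted quads embedded in the binary (the dump above contains one)."""
    seen = []
    for m in IPV4.findall(blob):
        s = m.decode("ascii")
        if s not in seen and all(int(o) < 256 for o in s.split(".")):
            seen.append(s)
    return seen


def scan(blob):
    """Triage summary: the dropper line alone, or two independent
    indicators, is enough to flag a file (my rule of thumb, not the page's)."""
    hits = find_indicators(blob)
    return {
        "strings": extract_strings(blob),
        "indicators": hits,
        "ips": find_ipv4(blob),
        "suspicious": "dropper" in hits or len(hits) >= 2,
    }


# Constructed samples: binary junk with the quoted strings embedded. Not the worm.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"rm -rf /tmp/.a;cat > /tmp/.uua /tmp/.a;killall -9 .a;chmod +x /tmp/.a;/tmp/.a %s;exit;\x00"
    + b"\x90\x90\x90\x00\x01\x02"
    + b"12.127.17.7\x00HELO %s\x00MAIL FROM: \x00"
    + b"\xff\xfe" + b"Udp flooding target\x00Tcp flooding target\x00"
    + b"User-Agent: Lynx/2.8.4rel.1 libwww-FM/2.14\x00"
    + b"mv /tmp/tmp /tmp/init;export PATH=\"/tmp\";init %s\x00"
)
CLEAN_BLOB = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 32 + b"GET /index.html HTTP/1.0\r\n\x00"

if __name__ == "__main__":
    r = scan(SAMPLE_BLOB)
    print("suspicious:", r["suspicious"])
    print("indicators:", r["indicators"])
    print("addresses: ", r["ips"])
```

    Run it against a real sample by reading the file in binary mode and passing the bytes to scan(); the strings list is there so you can eyeball what the fixed patterns did not catch.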

  8. And why is this not on the front page? by |DaBuzz| · · Score: 4, Flamebait

    How odd ... a site that caters to those who use open source software is continually bombarded with front-page reports of how IIS is Swiss cheese, yet when a critical OPEN SOURCE security issue comes about, regarding one of the most, if not THE most, used open source applications in the world, it is a day late and not published on the front page.

    It would appear that the posting of security advisories on this site is not to HELP admins, but instead to bash those you don't like.

    1. Re:And why is this not on the front page? by Trevelyan · · Score: 2, Informative

      Here's the /. story of the bug (it was on the front page, 17 June), and here's the story of the release a day later of an update FIXING the bug.

      Obviously this worm only affects people who have not updated their Apache, and I have to laugh at your 'IIS Swiss cheese', which seems to take a couple of months before a fix is released (not to mention the foolish concept that you can hide any bug via security through obscurity).

    2. Re:And why is this not on the front page? by |DaBuzz| · · Score: 2

      The stories you cite are regarding a DoS with Apache, NOT a worm that is now known to exist. There is a big difference between some packet monkey making Apache restart and someone rooting your box and executing arbitrary code.

      And to add insult to injury, there is a front page story about some OS X security items with no mention of this apache worm, just that Apache has been upgraded.

      Now tell me this, are there more Apache admins reading the front page or Apple users?

      Having this story here and NOT on the front page is laughable and does not frame the "open source community", of which slashdot is a cornerstone, in a positive light. It shows that they are just as willing to obscure security problems and flaws in their preferred products as those they despise for using MS products.

  9. Re:I love Apache by MadAhab · · Score: 2

    Very funny. 12000 IIS bugs last week, I STILL get code red probes every day. Off the top of your head, when was the last apache bug like this? BTW, things like this DO encourage people to upgrade. I had some suspicious signal 11s a couple months ago, and I bet that black hats have been playing around with these exploits for a while. Now fix your boxes, if you haven't already. Fixes have been available for a week already.

    --
    Expanding a vast wasteland since 1996.
  10. Is this x86 only? by stego · · Score: 3, Interesting

    Does this worm run on all platforms, or just x86?

    1. Re:Is this x86 only? by You'reAFuckingMoron · · Score: 4, Informative
      I'm not an expert on this type of thing, but it looks like the worm caught in the honey-pot is BSD/x86 only.

      It appears to be based on the GOBBLE exploit which was released a few days ago, which was BSD only in the form posted on BugTraq. However, GOBBLES claim their exploit can be modified to work on OpenBSD, FreeBSD, Linux 2.4, and Solaris.

      There have also been claims that Win32 Apache is vulnerable, although I haven't seen an exploit on BugTraq. If GOBBLES is correct, then it's only going to be a matter of time before this worm is polished up and set out into the wild in a form that can hit just about everyone. Hell, with some work, maybe a good hacker could clean it up, add it with the Nimda code and hit just about everything under the sun.

      --
      What a fabulous troll your post was.... or how fabulously stupid you are. It's impossible to tell.
  11. Better Solution by NotoriousQ · · Score: 2, Troll

    For those of you that do not need a web server, turn it off.

    --
    badness 10000
  12. Source code link by codewolf · · Score: 2, Informative
    --
    http://www.codewolf.com - Just good stuff to waste time
    1. Re:Source code link by Saint+Nobody · · Score: 2

      lines are terminated with CRLF, and indents are literal tabs, rather than a couple of spaces. my guess is it was written in notepad.

      /me suppresses a giggle at the expense of people who code in notepad.

      --
      #define F(x) int main(){printf(#x,10,#x);}
      F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
    2. Re:Source code link by flonker · · Score: 2, Funny

      Oh, so it's an open source worm. I wonder if it's GPLed.

  13. Re:isn't this big news? by edhall · · Score: 3, Insightful

    (Time to blow some karma.)

    Because it isn't IIS.

    I don't use Microsoft products. I use Apache, at work and at home, on Linux and FreeBSD. But I also recognize hypocrisy when I see it. This is the Code Red of the Apache world. So far as "News for Nerds. Stuff that matters" it's more significant than 95% of what appears on the front page.

    CT and the Slashdot crew should hang their heads in shame.

    -Ed
  14. Re:isn't this big news? by |DaBuzz| · · Score: 3, Insightful

    If you notice, you'll see that they posted the "Gamespy Installer Spreads Nimda" story on the front page, yet not this.

    Yeah, and it appears that a Windows Media EULA "revelation" regarding a change (that has been in effect for a while from what I understand) is also front page news.

    So in slashdot's opinion, more "Nerds" are interested in the EULA of an app they probably don't even use than a major security issue with the web server the vast majority of them do use.

    The thing is, anti-MS posts generate more comments, i.e. ad views which equals $$$, while the truth about rampant open source vulnerabilities (in all OS's and major services) only hurt this site overall since when it's proven that open source is just as bad as proprietary software in this regard, all the slashdot rank and file will stop drinking the koolaid.

  15. Possible workaround? by eNonymous+Coward · · Score: 2, Interesting

    According to the reference page, the actual exploit is done by sending an HTTP POST request to a vulnerable server. Is it enough to put a restrictive LIMIT POST directive in the .htaccess or httpd.conf file? Or would the server still be vulnerable?

    FYI, running on cable in the ever-popular 24 /8 and haven't seen anything strange in the access log (yet)
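    The question above is whether restricting POST is enough; whatever the answer, a detector keyed on the chunk-size line rather than the request method does not depend on it. The following is an added example, not code from the page, the worm, or Apache: it splits a raw request, walks a chunked body, and flags any declared chunk size that reads as negative when interpreted as a 32-bit signed integer (the page links to the bug but does not spell it out; the signed-size reading is the published description of the Apache chunk-handling flaw, and the flagged sizes are ones no real client sends). It also looks for the BLE*h*GOB marker quoted earlier in the thread. The three sample requests are constructed for the example, not captured traffic, and the host names in them are placeholders.

```python
import re

# Marker quoted earlier in this thread from the captured overflow request.
MARKER = b"BLE*h*GOB"

# chunk-size line: hex digits, optional ;extension, CRLF (bare LF tolerated)
CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r?\n")


def split_request(raw):
    """Split a raw HTTP request into (request line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_chunk_sizes(body):
    """Walk a chunked body and return [(size, hexdigits), ...].

    size is None (paired with the offending bytes) when a size line does not
    parse. Walking stops at the zero chunk, at a malformed line, or when a
    declared size runs past the end of what we have."""
    sizes = []
    pos = 0
    while pos < len(body):
        m = CHUNK_LINE.match(body, pos)
        if not m:
            sizes.append((None, body[pos:pos + 16]))
            break
        hexdigits = m.group(1)
        size = int(hexdigits, 16)
        sizes.append((size, hexdigits))
        if size == 0:
            break
        pos = m.end() + size + 2   # skip the chunk data plus its trailing CRLF
    return sizes


def analyze_request(raw):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    _, headers, body = split_request(raw)
    findings = []
    if MARKER in raw:
        findings.append("marker string present")
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        for size, hexdigits in parse_chunk_sizes(body):
            if size is None:
                findings.append("malformed chunk-size line: %r" % hexdigits)
            elif size >= 0x80000000:
                # Vulnerable Apache stored the size in a signed integer (32 bits on
                # the x86 boxes the worm targets); with the top bit set it compares
                # as negative and passes the bounds check. No real client sends this.
                findings.append("chunk size 0x%s is negative as a 32-bit signed int"
                                % hexdigits.decode("ascii"))
    return findings


# Constructed sample traffic (placeholder hosts, not captured from the worm).
BENIGN_REQUEST = (b"POST /cgi-bin/form HTTP/1.1\r\nHost: example.test\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
EXPLOIT_REQUEST = (b"POST / HTTP/1.0\r\nHost: victim.test\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\nFFFFFFF0\r\n"
                   + b"A" * 64 + MARKER + b"\r\n")
# Same body on a GET: the check does not care which method carried it.
GET_VARIANT = EXPLOIT_REQUEST.replace(b"POST / HTTP/1.0", b"GET / HTTP/1.0", 1)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("exploit", EXPLOIT_REQUEST),
                       ("get-variant", GET_VARIANT)):
        print(label, analyze_request(req) or "clean")
```

    Feed it reassembled request streams from a capture and alert on any non-empty result; treat the marker match as a nice-to-have, since a rebuilt worm would drop it, and the oversized chunk size as the real signal.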

  16. Quit bitching by Reality+Master+201 · · Score: 2, Insightful

    If you can't take the anti-M$ slant, stay out of Slashdot. It long ago ceased to be either interesting or insightful to remark that the posters and editors of Slashdot apply a double standard when publicising security flaws, etc. Everyone knows this.
    As a note to moderators: this is not insightful. The first time someone has an idea, that is insightful. The millionth time is redundant.