Slashdot Mirror


Apache Worm in the Wild

codewolf writes "It has been reported to bugtraq by Domas Mituzas that a worm that exploits the Apache chunk bug has been found in the wild. Information on the worm can be found here. More information on the Apache bug can be found here, and patches can either be made by modifying your config file or upgrading your Apache version."

6 of 85 comments

  1. Things to Try by kingosric · · Score: 3, Informative

    The worm saves itself as /tmp/.a, so if root creates an empty file with a-rwx (0000) permissions the worm will not be able to install itself (assuming that your apache isn't running as root, yeh?)
    Of course, the sensible, long-term solution is to upgrade to 1.3.26, but as a short-term fix this may work (I've not tried it btw - I just upgraded :-)
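
Added example, not part of the comment above or of any code from the thread: a shell function that places the empty mode-0000 placeholder at /tmp/.a, or audits whatever already sits at that path. The function name, the state names and the owner-UID argument are assumptions of this example; the owner check is there because a placeholder owned by the web server's own account could simply be chmod'ed back.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage as root:  guard_marker            # path defaults to /tmp/.a, owner to uid 0
#
# Prints one state and returns a matching status:
#   placed      (0)  placeholder did not exist and was created
#   blocked     (0)  correct placeholder already present
#   weak        (1)  empty file present, but mode or owner lets it be replaced
#   suspicious  (2)  symlink, non-regular or non-empty file: possible worm drop,
#                    left untouched so it can be examined
#   error       (3)  placeholder could not be created
guard_marker() {
    f=${1:-/tmp/.a}        # path named in the comment above
    want_uid=${2:-0}       # expected owner; root unless overridden
    state=blocked

    # Never write through a symlink or over existing content.
    if [ -L "$f" ] || { [ -e "$f" ] && { [ ! -f "$f" ] || [ -s "$f" ]; }; }; then
        echo suspicious
        return 2
    fi

    if [ ! -e "$f" ]; then
        # noclobber makes the redirect fail instead of overwriting if
        # something appears at the path between the check and the create.
        ( set -C; umask 077; : > "$f" ) 2>/dev/null || { echo error; return 3; }
        chmod 0000 "$f"
        state=placed
    fi

    # Verify mode (first 10 chars of ls output) and numeric owner.
    meta=$(ls -ldn "$f" | awk '{ print substr($1, 1, 10) ":" $3 }')
    if [ "$meta" != "----------:$want_uid" ]; then
        echo weak
        return 1
    fi
    echo "$state"
}
```

A `suspicious` result on a host running a vulnerable Apache is a reason to investigate the machine, not just to delete the file.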

  2. And why is this not on the front page? by |DaBuzz| · · Score: 4, Flamebait

    How odd ... a site that caters to those who use open source software are continually bombarded with reports of how IIS is swiss cheese on the front page, yet when a critical OPEN SOURCE security issue comes about, it comes out regarding one of the most, if not THE most used open source application in the world, it is a day late and not published on the front page.

    It would appear that the posting of security advisories on this site is not to HELP admins, but instead to bash those you don't like.

  3. Is this x86 only? by stego · · Score: 3, Interesting

    Does this worm run on all platforms, or just x86?

    1. Re:Is this x86 only? by You'reAFuckingMoron · · Score: 4, Informative
      I'm not an expert on this type of thing, but it looks like the worm caught in the honey-pot is BSD/x86 only.

      It appears to be based on the GOBBLES exploit which was released a few days ago, which was BSD only in the form posted on BugTraq. However, GOBBLES claim their exploit can be modified to work on OpenBSD, FreeBSD, Linux 2.4, and Solaris.

      There have also been claims that Win32 Apache is vulnerable, although I haven't seen an exploit on BugTraq. If GOBBLES is correct, then it's only going to be a matter of time before this worm is polished up and set out into the wild in a form that can hit just about everyone. Hell, with some work, maybe a good hacker could clean it up, add it with the Nimda code and hit just about everything under the sun.

      --
      What a fabulous troll your post was.... or how fabulously stupid you are. It's impossible to tell.
  4. Re:isn't this big news? by edhall · · Score: 3, Insightful

    (Time to blow some karma.)

    Because it isn't IIS.

    I don't use Microsoft products. I use Apache, at work and at home, on Linux and FreeBSD. But I also recognize hypocrisy when I see it. This is the Code Red of the Apache world. So far as "News for Nerds. Stuff that matters" it's more significant than 95% of what appears on the front page.

    CT and the Slashdot crew should hang their heads in shame.

    -Ed
  5. Re:isn't this big news? by |DaBuzz| · · Score: 3, Insightful

    If you notice, you'll see that they posted the "Gamespy Installer Spreads Nimda" story on the front page, yet not this.

    Yeah, and it appears that a Windows Media EULA "revelation" regarding a change (that has been in effect for a while from what I understand) is also front page news.

    So in Slashdot's opinion, more "Nerds" are interested in the EULA of an app they probably don't even use than a major security issue with the web server the vast majority of them do use.

    The thing is, anti-MS posts generate more comments, i.e. ad views which equals $$$, while the truth about rampant open source vulnerabilities (in all OS's and major services) only hurts this site overall since when it's proven that open source is just as bad as proprietary software in this regard, all the Slashdot rank and file will stop drinking the koolaid.