X-X-Sender: midom@axis.tdd.lt
To: freebsd-security@freebsd.org
Cc: bugtraq@securityfocus.com,
Subject: Apache worm in the wild
Hi,
our honeypot systems trapped a new Apache worm (+trojan) in the wild. It traverses the net and installs itself on all vulnerable Apaches it finds. No source code is available yet, but I have put the binaries in a public place, and more investigation is to be done.
http://dammit.lt/apache-worm/
Regards,
Domas Mituzas
Central systems @ MicroLink Data
------------------------------------------------------------------------------
More info:
This was spotted on our real-time honeypot systems
(running Apache 1.3.24, of course)
bash-2.05a$ ls -la /tmp
total 128
drwxrwxrwt 3 root wheel 512 Jun 28 14:02 .
-rwxr-xr-x 1 nobody wheel 51626 Jun 28 08:25 .a
-rw-r--r-- 1 nobody wheel 70563 Jun 28 08:25 .uua
New: source code for apache-worm.c
.a: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), not stripped
.uua: uuencoded or xxencoded text
Notes:
I ran a transparent web server (serving the whole Net for the honeypot), so I could get the requests the agent builds. During runtime it sends a UDP packet (helo) to its 'base' address. It accepts commands on UDP port 2001, which also allow flooding specified targets (it is a DDoS agent). At first it connects to port 80 and sends a simple HTTP request. If it succeeds and gets the vulnerable string (Apache?) then it does another attack, which clearly shows what is exploited (chunks). Is this enough for a signature? :)
References:
http://docs.freebsd.org/cgi/getmsg....reebsd-security
http://docs.freebsd.org/cgi/getmsg....reebsd-security
--
Domas Mituzas
Central Systems
MicroLink Data
or just... dammit
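An added detection example for the signature question above (not code from the original post or from the worm): a Python heuristic over captured raw HTTP requests, assuming one capture per (source IP, request) and treating a chunk-size line that wraps a signed 32-bit int as anomalous. The sample captures, IPs and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed threshold: a chunk size at or above 2**31 turns negative when a
# C implementation keeps it in a signed int, which is the class of bug the
# post calls "chunks".  Not a value taken from the original message.
CHUNK_LIMIT = 2 ** 31
CHUNK_LINE = re.compile(rb"^[0-9a-fA-F]+")

# Constructed captures: probe then anomalous chunked POST from one source,
# a legitimate chunked upload, and an ordinary GET from other sources.
SAMPLE_CAPTURES = [
    ("10.0.0.5", b"GET / HTTP/1.0\r\n\r\n"),
    ("10.0.0.5", b"POST /x HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n\r\nFFFFFFF0\r\n"),
    ("10.0.0.9", b"POST /up HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"),
    ("10.0.0.7", b"GET /index.html HTTP/1.1\r\nHost: h\r\n\r\n"),
]

def parse_request(raw):
    """Split a raw request into (request line, lowercased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify(raw):
    """Label one request: 'chunk-anomaly', 'probe' or 'benign'."""
    request_line, headers, body = parse_request(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked" and body:
        m = CHUNK_LINE.match(body)
        # Non-hex chunk-size line or a size that overflows a signed int.
        if m is None or int(m.group(0), 16) >= CHUNK_LIMIT:
            return "chunk-anomaly"
    # The worm's first contact is a bare request with no Host header; on its
    # own this is weak, so scan() only reports it alongside an anomaly.
    if request_line.startswith(b"GET / HTTP/1.") and b"host" not in headers:
        return "probe"
    return "benign"

def scan(captures):
    """Return {src_ip: labels} for sources that sent an anomalous chunked request."""
    seen = defaultdict(list)
    for src, raw in captures:
        seen[src].append(classify(raw))
    return {src: labels for src, labels in seen.items() if "chunk-anomaly" in labels}
```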