
Re: [cobalt-users] Apache worm that uses the chunk vulnerability - in the wild



...and I was so happy that this discussion was over.



> Sorry, don't normally cross post.... But...
> 
> Got this off my CISSP forum.... Oh boy.... Hope that mod stops it....
> 
> Rick Ewart
> 
> Someone else saw this on Bugtraq:
> 
> Domas Mituzas for Central systems @ MicroLink Data is reporting that his
> honeypot systems trapped a new apache worm(+trojan) in the wild. It
> traverses through the net, and installs itself on all vulnerable Apaches
> it finds. No source code available yet, but he has put the binaries in
> to a public place and will be doing more investigations on this new
> worm.
> 
> In a follow-up report Miguel Mendez reported that he had just run it
> through dasm to get the assembler dump. The executable is not even
> stripped, and makes an interesting read, as it gives lots of
> information. It looks like it was either coded by someone with little
> experience or in a hurry, and there are several system calls like this
> one:
> Possible reference to string:
> "/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x
> /tmp/.a;killall -9 .a;/tmp/.a %s;exit;"
> 
> Click here to check out Domas Mituzas's page on this discovery:
> <http://dammit.lt/apache-worm/>
> 
> More information on the Apache bug can be found here
> <http://www.cert.org/advisories/CA-2002-17.html>, and patches can
> either be made by modifying your config file
> <http://www.securiteam.com/tools/5WP0M0U7FS.html> or upgrading your
> Apache version <http://www.apache.org/dyn/closer.cgi/httpd/>."
>  
>  
> Good luck to all that have not patched!!!
>  
> 
>
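
A host check for the artifacts named in the string quoted above (`/tmp/.uua`, `/tmp/.a`, and a process called `.a`), as an added example that is not part of the original post. The function names and the optional root argument (for pointing the check at a mounted disk image) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: look for the drop files and process name that appear in the
# quoted worm string. Nothing here comes from the worm or from the posters.

# check_worm_artifacts [ROOT]
# Prints one line per finding. Returns 0 if clean, 1 if anything was found.
check_worm_artifacts() {
    root="${1:-/}"
    root="${root%/}"            # "/" becomes "", so paths stay absolute
    found=0
    for rel in tmp/.uua tmp/.a; do
        f="$root/$rel"
        [ -e "$f" ] || continue
        found=1
        detail="present"
        # A uuencoded file starts with "begin <mode> <name>".
        if [ "$rel" = "tmp/.uua" ] &&
           head -n 1 "$f" 2>/dev/null | grep -Eq '^begin [0-7]{3,4} '; then
            detail="present, uuencode header"
        fi
        # The quoted string runs chmod +x on /tmp/.a before starting it.
        if [ "$rel" = "tmp/.a" ] && [ -x "$f" ]; then
            detail="present, executable"
        fi
        echo "FOUND /$rel ($detail)"
    done
    return "$found"
}

# check_worm_process
# Reads "pid command" lines on stdin (e.g. from: ps -e -o pid=,comm=) and
# flags any process named ".a", the name the quoted string passes to killall.
# Returns 0 if none, 1 if at least one was flagged.
check_worm_process() {
    awk '$2 == ".a" || $2 ~ /\/\.a$/ {
             print "PROCESS pid=" $1 " comm=" $2; hit = 1
         }
         END { exit hit ? 1 : 0 }'
}

# Typical use on a live host:
#   check_worm_artifacts; ps -e -o pid=,comm= | check_worm_process
```

A clean result only means these specific names are absent; it says nothing about whether the Apache on the host is patched.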