Date:      Sun, 7 Jul 2002 23:27:07 +0200 (CEST)
From:      Thorsten Schroeder <ths@katjusha.de>
To:        freebsd-security@FreeBSD.ORG
Subject:   fbsd Apache Worm / ddos
Message-ID:  <Pine.BSF.4.44.0207072323320.18306-100000@ths.so36.NET>

Hi,

We have had a "nice" DoS.

Today three of our Apache web servers were compromised using the vulnerability
found in the chunked encoding implementation of Apache 1.3.24 and 2.0.36
and below. See CERT Advisory CA-2002-17 on http://www.cert.org

I noticed increasing traffic until no bandwidth was available.

I tried to reconstruct/analyse this, but it's totally unclear why this
degenerates into a (distributed?) denial of service against one of our
(compromised) servers.

Please read http://dammit.lt/apache-worm/apache-worm.c and
http://www.freebsd.org/cgi/getmsg.cgi?fetch=34552+54852+/usr/local/www/db/text/2002/freebsd-security/20020707.freebsd-security
for a worm analysis.

The compromised system is a FreeBSD 4.5-STABLE #0 running Apache
1.3.22 (vulnerable).

The Apache logfiles show:

[Sun Jul  7 13:47:19 2002] [error] [client 66.146.1.28] client sent HTTP/1.1
request without hostname (see RFC2616 section 14.23): /

dmesg output as it appears in /var/log/messages:

Jul  7 13:47:25 foobar /kernel: pid 22639 (httpd), uid 80: exited on signal 11

On another Apache server (also compromised) I found the following output
in /var/log/messages:

Jul  7 05:58:27 foobar /kernel: pid 25863 (.a), uid 65534: exited on signal 10

In the /tmp directories are the binary of the worm and its uuencoded binary:

-rwxr-xr-x   1 nobody    wheel    51594 Jul  7 13:47 .a
-rw-r--r--   1 nobody    wheel    71105 Jul  7 13:47 .uua

As described in David Endler's "Apache Worm Analysis", the exploit runs something
like /usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x
/tmp/.a;killall -9 .a;/tmp/.a %s;exit;

What I don't understand is the UDP flood after the exploitation.

Thousands of different (spoofed) IP addresses as sources for UDP packets from
port 2001 to the compromised system's port 2001.

I captured some and they look like this:

16:18:14.616723 213.131.0.14.2001 > 212.xx.xxx.xx.2001:  udp 40 [tos 0x20]
                         4520 0044 adfc 0000 2e11 3f98 d583 000e
                         d454 f50e 07d1 07d1 0030 e7f5 2600 0000
                         893a f36d 2800 0000 aea5 76b2 0500 0000
                         0000 0000 7400 0000 0000 0000 0000 0000
                         0000 0000
16:18:14.619078 209.81.10.51.2001 > 212.xx.xxx.xx.2001:  udp 44
                         4500 0048 77c7 0000 2a11 73f6 d151 0a33
                         d454 f50e 07d1 07d1 0034 22fc 2600 0000
                         ea36 e44d 2c00 0000 f9cd bf8a 0500 0000
                         0000 0000 7100 0000 0000 0000 0400 0000
                         0000 0000 d30f 0112
16:18:14.620712 210.224.161.37.2001 > 212.xx.xxx.xx.2001:  udp 40
                         4500 0044 00e9 0000 2611 5657 d2e0 a125
                         d454 f50e 07d1 07d1 0030 19c6 2600 0000
                         b44f 0566 2800 0000 e9e5 2e20 0500 0000
                         0000 0000 7400 0000 0000 0000 0000 0000
                         0000 0000
16:18:14.622291 211.167.73.219.2001 > 212.xx.xxx.xx.2001:  udp 44
                         4500 0048 ff8e 0000 2611 ae30 d3a7 49db
                         d454 f50e 07d1 07d1 0034 47d6 2600 0000
                         e846 4748 2c00 0000 4168 1e56 0500 0000
                         0000 0000 7100 0000 0000 0000 0400 0000
                         0000 0000 42d8 2301
16:18:14.623932 217.151.0.38.2001 > 212.xx.xxx.xx.2001:  udp 44
                         4500 0048 1611 0000 3611 cb73 d997 0026
                         d454 f50e 07d1 07d1 0034 5d0b 2600 0000
                         61fa bb4a 2c00 0000 5eca 47e2 0500 0000
                         0000 0000 7100 0000 0000 0000 0400 0000
                         0000 0000 4373 1c52
16:18:14.625493 209.251.2.5.2001 > 212.xx.xxx.xx.2001:  udp 40
                         4500 0044 038d 0000 3011 e9b8 d1fb 0205
                         d454 f50e 07d1 07d1 0030 e1ab 2600 0000
                         df1c b03c 2800 0000 96ea 8397 0500 0000
                         0000 0000 7400 0000 0000 0000 0000 0000
                         0000 0000

Notice: there were so many UDP packets coming in, eating all of the bandwidth.

Many people are talking about the "sloppy fashion" in which the worm was coded, and that it is
quite "harmless" because "it causes no damage"...

What about the udp flood? Can anyone explain that?

The flooding went on for 3 hours until the routes to the IP addresses were dropped.

This is just FYI ... and if anyone has a clue about the flood, please
contact me or discuss it on this list.

Thanks & regards,

	Thorsten Schroeder
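An added example (not from the message, the list, or the worm's code): a small Python parser for the tcpdump hex dumps quoted above. It decodes the IPv4 and UDP headers and picks out the datagrams that match the flood pattern the report describes (UDP, source and destination port both 2001), which is the check a defender would run to confirm what to filter. It assumes tcpdump's `-x` layout as shown in the message; the two packets embedded below are copied from the post.

```python
import struct
import ipaddress

# Two of the tcpdump hex dumps quoted in the message (copied from the page, not constructed).
CAPTURE = """
16:18:14.616723 213.131.0.14.2001 > 212.xx.xxx.xx.2001:  udp 40 [tos 0x20]
                         4520 0044 adfc 0000 2e11 3f98 d583 000e
                         d454 f50e 07d1 07d1 0030 e7f5 2600 0000
                         893a f36d 2800 0000 aea5 76b2 0500 0000
                         0000 0000 7400 0000 0000 0000 0000 0000
                         0000 0000
16:18:14.619078 209.81.10.51.2001 > 212.xx.xxx.xx.2001:  udp 44
                         4500 0048 77c7 0000 2a11 73f6 d151 0a33
                         d454 f50e 07d1 07d1 0034 22fc 2600 0000
                         ea36 e44d 2c00 0000 f9cd bf8a 0500 0000
                         0000 0000 7100 0000 0000 0000 0400 0000
                         0000 0000 d30f 0112
"""

def split_packets(text):
    """Group tcpdump -x output into raw byte strings, one per packet."""
    pkts = []
    for line in text.strip().splitlines():
        if line[:1].isdigit():        # a summary line starts with the timestamp
            pkts.append([])
        elif pkts:                    # indented hex words belong to the last packet
            pkts[-1].extend(line.split())
    return [bytes.fromhex("".join(words)) for words in pkts]

def parse_ip_udp(raw):
    """Decode the IPv4 and UDP headers; return None if this is not IPv4/UDP."""
    ver_ihl, tos, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or len(raw) < total_len:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return {"tos": tos, "ttl": ttl,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "payload": raw[ihl + 8:ihl + ulen]}

def flag_port_2001(text, port=2001):
    """Return the decoded datagrams matching the reported flood pattern:
    UDP with source and destination port both equal to 2001."""
    hits = []
    for raw in split_packets(text):
        d = parse_ip_udp(raw)
        if d and d["sport"] == port and d["dport"] == port:
            hits.append(d)
    return hits
```

Each hit carries the decoded source address and TTL, so the same loop can be pointed at a longer capture to count distinct (spoofed) sources before deciding on a filter.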
