Date:      Fri, 28 Jun 2002 13:38:34 +0200
From:      flynn@energyhq.homeip.net
To:        Domas Mituzas <domas.mituzas@microlink.lt>
Cc:        freebsd-security@freebsd.org, bugtraq@securityfocus.com, os_bsd@konferencijos.lt
Subject:   Re: Apache worm in the wild
Message-ID:  <20020628113834.GA10062@energyhq.homeip.net>
In-Reply-To: <20020628125817.O68824-100000@axis.tdd.lt>
References:  <20020628125817.O68824-100000@axis.tdd.lt>


On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote:

Hi,

> our honeypot systems trapped a new Apache worm (+trojan) in the wild. It
> traverses the net and installs itself on all vulnerable Apaches
> it finds. No source code available yet, but I put the binaries into public

Wow, an interesting puppy. I just ran it through dasm to get the
assembler dump. The executable is not even stripped, and makes an
interesting read, as it gives lots of information. It looks like it was
either coded by someone with little experience or in a hurry, and there
are several system calls like this one:

Possible reference to string:
"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;"

I wonder how many variants of this kind of thing we'll see, but I assume most people
running Apache have upgraded already.

Cheers,
-- 
        Miguel Mendez - flynn@energyhq.homeip.net
        GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
        EnergyHQ :: http://www.energyhq.tk
        Of course it runs NetBSD!

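The system() string quoted in the mail lays out the worm's whole staging sequence: uudecode the payload from /tmp/.uua into /tmp/.a, kill any earlier copy of .a, make the new one executable, kill again, then run it with an argument. An incident responder would turn that string into host indicators and sweep for them. The Python below is an added example, not code from the mail, from the worm, or from any list member: it parses the quoted command into file and process indicators and checks a host for them. The parsing rules, the use of `ps -axo pid=,comm=` for the live process table, and the constructed fixture in demo() are assumptions made here for illustration; nothing in it is taken from the binary itself.

```python
"""Added example: derive host indicators from the worm's install command and
check a host for them.  The command string is the one quoted in the mail;
everything else (parsing rules, ps invocation, fixture) is assumed here."""
import os
import shlex
import subprocess
import tempfile

# The system() string from the disassembly, as quoted in the mail.  The %s is a
# printf-style placeholder the worm fills in at runtime.
WORM_CMD = ("/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;"
            "chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;")


def extract_iocs(cmd):
    """Walk a ';'-separated shell command and collect the files it drops or
    touches and the process names it kills or starts.  The rules below are an
    assumption of this example; they cover the constructs in WORM_CMD
    (redirection, uudecode, killall, chmod, direct execution of a path)."""
    files, procs = set(), set()
    for stage in cmd.split(";"):
        toks = shlex.split(stage)
        if not toks:
            continue
        prog = os.path.basename(toks[0])
        # '> path' redirections are how the decoded binary gets written
        for i, tok in enumerate(toks):
            if tok == ">" and i + 1 < len(toks):
                files.add(toks[i + 1])
        if prog == "uudecode":
            files.update(t for t in toks[1:] if t.startswith("/"))
        elif prog == "killall":
            procs.update(t for t in toks[1:] if not t.startswith("-"))
        elif prog == "chmod":
            files.update(t for t in toks[1:] if t.startswith("/"))
        elif toks[0].startswith("/"):
            # direct execution of the dropped binary, e.g. '/tmp/.a %s'
            files.add(toks[0])
            procs.add(prog)
    return {"files": sorted(files), "procs": sorted(procs)}


def running_processes():
    """(pid, comm) pairs from 'ps -axo pid=,comm=', an invocation accepted by
    both BSD and Linux ps.  Not used by the offline demo below."""
    out = subprocess.run(["ps", "-axo", "pid=,comm="],
                         capture_output=True, text=True, check=False).stdout
    pairs = []
    for line in out.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            pairs.append((parts[0], parts[1].strip()))
    return pairs


def check_host(iocs, root="/", processes=None):
    """Report IOC files present under 'root' and running processes whose
    command name matches an IOC process name.  'processes' is an iterable of
    (pid, comm); when None, the live process table is used."""
    findings = []
    for f in iocs["files"]:
        path = os.path.join(root, f.lstrip("/"))
        if os.path.lexists(path):
            findings.append(("file", path))
    procs = processes if processes is not None else running_processes()
    for pid, comm in procs:
        if os.path.basename(comm) in iocs["procs"]:
            findings.append(("process", f"{pid} {comm}"))
    return findings


def demo():
    """Constructed, non-infected fixture: a throwaway root containing only an
    empty /tmp/.uua, and a fake process table with one process named '.a'."""
    iocs = extract_iocs(WORM_CMD)
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tmp"))
    open(os.path.join(root, "tmp", ".uua"), "w").close()
    fake_ps = [("1", "init"), ("4242", ".a"), ("4243", "httpd")]
    return check_host(iocs, root, fake_ps)


if __name__ == "__main__":
    for kind, what in demo():
        print(kind, what)
```

Run against a real host with `check_host(extract_iocs(WORM_CMD))`; a hit on /tmp/.uua alone means a payload was dropped even if the worm failed to execute, and a process named `.a` means it did. The `killall -9 .a` before and after `chmod` is why a sweep should check both the file and the process table rather than only one.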






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020628113834.GA10062>