Date: Fri, 28 Jun 2002 19:17:23 -0600
From: Colin Faber <cfaber@fpsn.net>
To: Domas Mituzas <domas.mituzas@microlink.lt>
Cc: Brett Glass <brett@lariat.org>, Jonas M Luster <jluster@d-fensive.com>, bugtraq@securityfocus.com, freebsd-security@FreeBSD.ORG
Subject: Re: apache-worm.c
Message-ID: <3D1D0AA3.EAA3132C@fpsn.net>
References: <20020629020911.Q91607-100000@axis.tdd.lt>
Domas,

Hi. A quick review of my logs shows that, all the way back to Jun 8th, I've also had repeated attempts on different days from a Sprint connection.

[Sat Jun 8 18:11:46 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Jun 9 03:34:26 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Jun 12 23:45:00 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Jun 13 05:36:10 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Jun 13 20:29:30 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Jun 16 19:15:18 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

Domas Mituzas wrote:
>
> Then we can see that the real worm is slightly modified, but still it's quite similar, so we can say it's the same origin. Anyway, not too much to fool about; we can obviously see some DDoS nature in it. But still, there may be more functionality.
>
> Also, after some investigation on normal boxes I saw this worm-like activity starting since Jun 25. Is it the date of birth? Anyone seeing these lines?
>
> [Fri Jun 28 21:31:51 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
>
> Regards,
> Domas Mituzas
> MicroLink Data
>
> midom@flock ~> make apache-worm 2>/dev/null
> cc -O -pipe -march=pentiumpro apache-worm.c -o apache-worm
> midom@flock ~> strings apache-worm | sort > a
> midom@flock ~> strings .a | sort > b
> --- b Sat Jun 29 02:11:44 2002
> +++ a Sat Jun 29 02:11:54 2002
> @@ -1,12 +1,18 @@ > !"#&(+,-./0123456789=>?@ABCDPQ > + / H > +$FreeBSD: src/lib/csu/i386-elf/crti.S,v 1.6 2002/05/15 04:19:49 obrien Exp $ > +$FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.5 2002/05/15 04:19:49 obrien Exp $ > %c%s > %d.%d.%d.%d > %s <base 1> [base 2] ... > ,$s'1 > +,[^_] > +,[^_] > ----DATA---- > ----EMAILS---- > ----FROM---- > ----SUBJECT---- > +-Enc > .gov > .hlp > /bin > @@ -21,11 +27,15 @@ > /usr/libexec/ld-elf.so.1 > 12.127.17.71 > 127.0.0.1 > -8$t > -8/u > -8/u > -8/u > -: u' > +; u1 > +;tiB > +< v2 > +<0.t > +<[^_] > +<[^_] > +>F;u > +>F;u > +AAAA > Accept-Charset: iso-8859-1,*,utf-8 > Accept-Charset: iso-8859-1,*,utf-8 > Accept-Encoding: gzip > @@ -38,6 +48,8 @@ > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* > Accept: text/html, text/plain, text/sgml, */*;q=0.01 > Apache > +BBBB > +CCCCf > Cannot packet local networks > Checksum for data failed > Connection: Keep-Alive > @@ -50,6 +62,7 @@ > Dns flooding target > Error communicating with website > Error: %s > +F;50 > FreeBSD > FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) > FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix) 
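Review bot: most of the added lines in these four hunks are not text at all, so they say nothing about whether the posted source matches the binary. The `+$FreeBSD: src/lib/csu/i386-elf/crti.S` and `crtn.S` ident strings come from the C start-up files of the May 2002 source tree the recompile was done on, and the four-character runs such as `+[^_]`, `+>F;u`, `+;tiB` and `-8/u` are instruction bytes that happen to be printable: `[^_]` is 0x5b 0x5e 0x5f 0x5d, the `pop ebx; pop esi; pop edi; pop ebp` epilogue the newer compiler emits at every function exit, which is why it repeats. These differences show two toolchains, not two programs. To compare functionality rerun `strings` with a longer minimum (`strings -n 8`) or limit it to the read-only data (`objdump -s -j .rodata`) so code bytes drop out; `+-Enc` in the first hunk is a four-byte slice of `Transfer-Encoding: chunked`, which appears whole on the `-` side further down.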
> @@ -63,63 +76,37 @@ > Host: %s > Host: %s:80 > Host: %s:80 > -Host: Unknown > Insufficient memory > Invalid IP > Invalid instance or socket > +L[^_] > Location > MAIL FROM:<%s> > Message-ID: <%x.%x.%x@aol.com> > Mime-Version: 1.0 > Operation Success > Operation pending > -POST / HTTP/1.1 > +POST > PPPP > PPPP > PQP1 > PQSP > -Ph $ > -Ph ' > -Ph B > -Ph B > -Ph J > -Ph J > -Ph+) > -Ph:( > -Ph>( > -PhA' > -PhA' > -PhD' > -PhD' > -PhG' > -PhG' > -PhG( > -PhJ' > -PhW( > -PhW) > -Ph`$ > -Phg' > Phn/shh//bi > -Phw) > -Pj-j > Port is in use > QUIT > RCPT TO:<%s> > Return-Path: <%c%c%c%c%c%c%c@aol.com> > -Rh5( > -Rh5( > -Rh=) > -RjFh` > SPP1 > Sending packets to target > Server: > Set-Cookie > Size must be less than or equal to 9216 > Subject: %s > +TTP/ > Tcp flooding target > Timed out while receiving data > To: %s > -Transfer-Encoding: chunked > +Tran > UNKNOWN-CHECKSUM-SUCCESSFUL > Udp flooding target > Unable to bind socket > @@ -135,9 +122,22 @@ > User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) > User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) > XXXXX<Ot > -\WVS > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > _DYNAMIC > _GLOBAL_OFFSET_TABLE_ > +_Jv_RegisterClasses > __bss_start > __deregister_frame_info > __eof__ 
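Review bot: `-Host: Unknown`, `-POST / HTTP/1.1` and `-Transfer-Encoding: chunked` are not evidence that the recompiled source lacks the request. Their four-character pieces are all on the `+` side (`+POST`, `+ / H`, `+TTP/`, `+Tran`, `+sfer`, `+-Enc`, `+odin`, `+g: c`, `+hunk`, `+nkno`, `+t: U`), which is what gcc at -O produces when it open-codes a copy of a short constant string as 4-byte immediate stores instead of calling a library routine: `strings` then reports each store's immediate as its own 4-character run and drops any slice that contains a CR or LF. If the three lines are one literal separated by CRLF, every one of those fragments lands on a 4-byte boundary of it, so the request text is identical in both builds and only the code generation differs. The twenty-odd `-Ph..`, `-Rh..` and `-Pj-j` lines are likewise `push eax; push imm32` (0x50 0x68) argument sequences from the older compiler, not strings; the one such line that is unchanged context, `Phn/shh//bi`, pushes `//bi` and `n/sh` and is shellcode present in both binaries. Nothing in this hunk distinguishes the two programs.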
> @@ -155,69 +155,60 @@ > bcopy > begin 655 .a > bind > -bzero > -close > connect > ctime > dup2 > environ > execl > -exit > fclose > fcntl > +feof > +ferror > fgetc > fgets > find / -type f > fopen > fork > -fprintf > +fputs > fread > free > fseek > ftell > +g: c > gethostbyname > getpid > hBLE*h*GOB > hGGGG > http:// > +hunk > inet_addr > inet_ntoa > -j0h` > -j5h(( > -jqh` > -jqh` > -libc.so.4 > +libc.so.5 > malloc > memcpy > memset > mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s > -open > +nkno > +odin > pclose > popen > -printf > -rand > -read > recv > recvfrom > remove > rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; > select > sendto > +sfer > signal > -sleep > -snprintf > socket > -sprintf > srand > strcasecmp > strchr > strcmp > strcpy > strdup > -strlen > -strncmp > strtok > -time > +t: U > tolower > usleep > vsnprintf > @@ -225,3 +216,4 @@ > waitpid > webmaster@mydomain.com > write > +|[^_] > > On Fri, 28 Jun 2002, Brett Glass wrote: > > > At 05:58 PM 6/28/2002, Jonas M Luster wrote: > > > > >This seems to be a different source than the one, the binary was > > >compiled from. The binary uses a lynx version string while this one > > >uses User-Agent: Mozilla/4.75 [en] instead. > > > > Aha! Perhaps the worm's author was seeking to mislead Domas, and > > others, about what it did and how. > > > > --Brett > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Colin Faber (303) 736-5160 fpsn.net, Inc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
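Review bot: in the last two hunks the `-libc.so.4` / `+libc.so.5` pair shows the captured binary was linked on a FreeBSD 4.x system while the recompile ran on a 5.x box, and toolchain differences account for `+_Jv_RegisterClasses`, for `-fprintf`/`+fputs` (gcc rewrites `fprintf(f, "literal")` as `fputs`) and plausibly for `-strlen`, `-strncmp` and `-bzero`, which gcc open-codes; `-exit` may simply be a `return` from main in the posted source. What no compiler optimisation explains are `-rand`, `-time`, `-sleep`, `-read`, `-open` and `-close`: these are libc imports the captured binary has and the recompiled source never references, so the posted apache-worm.c is missing, or has rewritten, some code paths of the binary in circulation, which is consistent with the "slightly modified" remark above. Compare imports directly with `objdump -T` (or `nm -D`) on both binaries rather than through `strings`, and treat `strings` differences of `printf`/`sprintf`/`snprintf` as inconclusive, since gcc can rewrite constant-format calls to those as well.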
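The log excerpts above are the only indicator the thread gives for the scanner side of the worm: the Apache 1.3 error_log message for an HTTP/1.1 request that carries no Host: header. A single such entry is weak evidence (broken clients and proxies produce it too); what Colin and Domas are actually pointing at is the same address coming back to `/` on several different days. The following is an added example, not code from the thread, that parses that message, groups it by client and flags repeat visitors. The sample log is the lines quoted in the thread plus one constructed unrelated error to show that other entries are ignored; the two-day threshold is an assumption.

```python
"""Triage Apache 1.3 error_log entries for Host-less HTTP/1.1 requests.

Added example, not from the original post. The log layout is the Apache 1.3
error_log format quoted in the thread; the last sample line is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Exact message Apache 1.3 logs for an HTTP/1.1 request without a Host: header.
NO_HOST_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"client sent HTTP/1\.1 request without hostname "
    r"\(see RFC2616 section 14\.23\): (?P<uri>\S*)$"
)

# Lines quoted in the thread (Colin's six, Domas's one) plus one constructed,
# unrelated error entry (10.0.0.7) that must not be counted.
SAMPLE_LOG = """\
[Sat Jun  8 18:11:46 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Jun  9 03:34:26 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Jun 12 23:45:00 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Jun 13 05:36:10 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Jun 13 20:29:30 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Jun 16 19:15:18 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Jun 28 21:31:51 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Jun 28 21:40:02 2002] [error] [client 10.0.0.7] File does not exist: /usr/local/www/data/robots.txt
"""


def parse_no_host(line):
    """Return (timestamp, client_ip, uri) for a matching line, else None."""
    m = NO_HOST_RE.match(line)
    if not m:
        return None
    # strptime treats a space in the format as a run of whitespace, so the
    # day field's padding ("Jun  8") is accepted.
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("uri")


def summarize(log_text, min_days=2):
    """Group matching entries by client and flag clients seen on >= min_days days.

    min_days=2 is an assumed threshold: one Host-less request is noise, the
    same source returning on different days is the pattern in the thread.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_no_host(line)
        if parsed:
            ts, ip, uri = parsed
            hits[ip].append((ts, uri))

    report = {}
    for ip, entries in hits.items():
        entries.sort()
        days = {ts.date() for ts, _ in entries}
        report[ip] = {
            "hits": len(entries),
            "days": len(days),
            "first": entries[0][0],
            "last": entries[-1][0],
            "only_root": all(uri == "/" for _, uri in entries),
            "repeat_scanner": len(days) >= min_days,
        }
    return report


if __name__ == "__main__":
    for ip, r in sorted(summarize(SAMPLE_LOG).items()):
        flag = "REPEAT" if r["repeat_scanner"] else "single"
        print(f"{ip:16} hits={r['hits']} days={r['days']} "
              f"{r['first']:%b %d} .. {r['last']:%b %d} "
              f"root_only={r['only_root']} {flag}")
```

Run against a real error_log the same way (`summarize(open(path).read())`); the `only_root` flag separates blind probes of `/` from clients that omit Host: on ordinary pages.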
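Domas's `strings` diff is the thread's main evidence about how far the posted source is from the captured binary, and a large share of its `-`/`+` lines are artefacts of two different compilers rather than two different programs. The following is an added example, not code from the thread or from the worm, that models the two effects a reader has to discount before reading such a diff: what `strings` (default minimum length 4) prints for a C literal, and what it prints when the compiler copies the same literal with inlined 4-byte immediate stores, so each store's immediate shows up as a separate 4-character run. The observed sets are copied from the hunks above; the reconstructed literal (the three request lines joined with CRLF) and the assumption that the opcode bytes around each immediate are non-printable are mine.

```python
"""Reconcile a `strings` diff between two builds of the same C source.

Added example, not from the thread. MINUS_STRINGS and PLUS_FRAGMENTS are
copied from the thread's diff; ASSUMED_LITERAL is a reconstruction (the
CRLF separators are the assumption being tested).
"""

# `-` side of the diff: whole strings in the captured binary.
MINUS_STRINGS = {"POST / HTTP/1.1", "Host: Unknown", "Transfer-Encoding: chunked"}

# `+` side of the diff: 4-character runs in the recompiled source.
PLUS_FRAGMENTS = {"POST", " / H", "TTP/", "Tran", "sfer", "-Enc",
                  "odin", "g: c", "hunk", "nkno", "t: U"}

# Assumed source literal: the three lines as one string with CRLF separators.
ASSUMED_LITERAL = b"POST / HTTP/1.1\r\nHost: Unknown\r\nTransfer-Encoding: chunked\r\n"


def printable(b):
    """GNU strings' default notion of printable: ASCII graphic, space, tab."""
    return 0x20 <= b < 0x7F or b == 0x09


def strings_runs(data, min_len=4):
    """Emulate `strings -n min_len` over a byte string laid out contiguously."""
    runs, cur = [], bytearray()
    for b in data + b"\0":            # trailing sentinel flushes the last run
        if printable(b):
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def immediate_store_runs(data, width=4):
    """Emulate `strings` over a literal copied as `width`-byte immediate stores.

    Each store's immediate is embedded in code between opcode bytes, which
    are assumed non-printable, so `strings` sees at most `width` consecutive
    printable bytes per store. A store whose immediate contains CR, LF or NUL
    yields a run shorter than `width` and, with the default minimum of 4,
    is not reported at all.
    """
    padded = data + b"\0" * (-len(data) % width)
    return {padded[i:i + width].decode("ascii")
            for i in range(0, len(padded), width)
            if all(printable(b) for b in padded[i:i + width])}


def reconcile(literal, minus_strings, plus_fragments):
    """Does `literal` explain both sides of the diff?

    minus_explained: contiguous layout reproduces the `-` side exactly.
    unexplained_plus: `+` fragments that are not 4-byte slices of the literal
    (empty means the fragments are fully accounted for by code generation).
    """
    predicted = immediate_store_runs(literal)
    return {
        "minus_explained": set(strings_runs(literal)) == set(minus_strings),
        "predicted_plus": predicted,
        "unexplained_plus": set(plus_fragments) - predicted,
        "extra_predicted": predicted - set(plus_fragments),
    }


if __name__ == "__main__":
    for label, lit in (("CRLF", ASSUMED_LITERAL),
                       ("LF only", ASSUMED_LITERAL.replace(b"\r\n", b"\n"))):
        res = reconcile(lit, MINUS_STRINGS, PLUS_FRAGMENTS)
        print(f"{label:8} minus_explained={res['minus_explained']} "
              f"unexplained_plus={sorted(res['unexplained_plus'])}")
```

With CRLF separators every observed `+` fragment is a 4-byte slice of the literal and nothing else is predicted, so the request text is the same in both builds; with LF-only separators the slices after the first line no longer line up, which is how the model distinguishes a layout guess that fits from one that does not.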