Date:      Mon, 1 Jul 2002 18:57:54 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Brian McCann <bjm1287@ritvax.rit.edu>
Cc:        "'FBSDQ'" <questions@FreeBSD.ORG>
Subject:   Re: Apache Worm Comments???
Message-ID:  <20020701175754.GA48685@happy-idiot-talk.infracaninophi>
In-Reply-To: <000801c22123$170ec0d0$2e00a8c0@dogbert>
References:  <MIEPLLIBMLEEABPDBIEGKEFGCEAA.barbish@a1poweruser.com> <000801c22123$170ec0d0$2e00a8c0@dogbert>

On Mon, Jul 01, 2002 at 01:16:51PM -0400, Brian McCann wrote:
> Does anyone know how you can tell if you have the worm or not?  Also,
> will simply uninstalling and re-installing Apache clean the worm?  I
> assume it would...but I'm curious what others think.

http://www.geocrawler.com/archives/3/169/2002/6/0/9067274/

will tell you everything you need to know about the worm.  Signs of
infection are:

    Presence of files
       /tmp/.a
       /tmp/.uua
    Open port 2001 (wizard)
       netstat -a will show, amongst other data:
       udp4       0      0  *.wizard               *.*

Signs of being scanned by the worm are requests like this in your
httpd-access.log:

      172.16.159.57 - - [29/Jun/2002:15:06:41 -0400] "GET / HTTP/1.1" 400 378

with corresponding messages in your httpd-error.log:

      [Sat Jun 29 15:06:41 2002] [error] [client 172.16.159.57] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

To clean the worm, kill the apache processes, kill -9 the /tmp/.a process:

      ps -ax | grep '/tmp/\.a' | grep -v grep | awk '{ print $1 }' | xargs kill -9

then upgrade apache.  As a stop-gap to prevent your system infecting
others until you can upgrade to an immune version of apache, mount
your /tmp partition noexec or create unwritable empty files to block
the worm:

      rm -f /tmp/.a /tmp/.uua
      touch /tmp/.a /tmp/.uua
      chown root:wheel /tmp/.a /tmp/.uua
      chmod 0 /tmp/.a /tmp/.uua

Nb.  This is not a fix.  Your apache processes can still be subverted
by the worm.  It just stops your system spreading the worm any
further.  Chances are some idiot will "improve" the worm and make this
advice ineffectual sooner or later.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
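As an added example (not part of Matthew's mail or of the FreeBSD project), a POSIX shell script that turns the indicators above into checks: it counts and lists scan hits in an access log, tests for the dropped /tmp files, and looks for the UDP "wizard" listener in saved netstat output. The sample log lines are constructed, and treating the empty mode-0 blocker files from the stop-gap as clean is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the original mail: indicator checks built from the
# signs listed above. Log and tmp paths are parameters so it can run on copied logs.

# Count access-log lines matching the scan signature: a "GET / HTTP/1.1" for the
# root document that Apache answered with 400 (HTTP/1.1 request with no Host header).
count_scan_hits() {
    grep -c '"GET / HTTP/1.1" 400 ' "$1" || true   # grep -c exits 1 on zero matches
}

# Distinct client addresses that produced the scan signature (one per line).
list_scan_sources() {
    grep '"GET / HTTP/1.1" 400 ' "$1" | awk '{ print $1 }' | sort -u
}

# Return 0 if the worm's dropped files exist under $1 (default /tmp) with content.
# Assumption: the empty mode-0 blocker files from the stop-gap are not an infection sign.
dropped_files_present() {
    dir=${1:-/tmp}
    for f in "$dir/.a" "$dir/.uua"; do
        [ -s "$f" ] && return 0
    done
    return 1
}

# Return 0 if netstat output on stdin shows a UDP socket on port 2001 ("wizard"
# in /etc/services), the listener the worm opens. Feed it the output of netstat -an.
wizard_port_open() {
    grep -Eq '^udp.*[.:](2001|wizard)[[:space:]]'
}

# --- demo on constructed data (the first log line is the one quoted in the mail) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/access.log" <<'EOF'
172.16.159.57 - - [29/Jun/2002:15:06:41 -0400] "GET / HTTP/1.1" 400 378
10.0.0.5 - - [29/Jun/2002:15:07:02 -0400] "GET /index.html HTTP/1.1" 200 1024
172.16.159.57 - - [29/Jun/2002:15:08:11 -0400] "GET / HTTP/1.1" 400 378
192.0.2.9 - - [29/Jun/2002:15:09:00 -0400] "GET / HTTP/1.1" 400 378
EOF
echo "scan hits: $(count_scan_hits "$demo_dir/access.log")"
echo "scanning hosts:"; list_scan_sources "$demo_dir/access.log"
dropped_files_present "$demo_dir" && echo "dropped files present" || echo "no dropped files"
printf 'udp4       0      0  *.wizard               *.*\n' | wizard_port_open \
    && echo "wizard port open" || echo "wizard port closed"
rm -rf "$demo_dir"
```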
