Date: Mon, 1 Jul 2002 18:57:54 +0100
From: Matthew Seaman
To: Brian McCann
Cc: "'FBSDQ'"
Subject: Re: Apache Worm Comments???
Message-ID: <20020701175754.GA48685@happy-idiot-talk.infracaninophi>
In-Reply-To: <000801c22123$170ec0d0$2e00a8c0@dogbert>

On Mon, Jul 01, 2002 at 01:16:51PM -0400, Brian McCann wrote:
> Does anyone know how you can tell if you have the worm or not? Also,
> will simply uninstalling and re-installing Apache clean the worm? I
> assume it would...but I'm curious what others think.

http://www.geocrawler.com/archives/3/169/2002/6/0/9067274/ will tell
you everything you need to know about the worm.
Signs of infection are:

    Presence of the files /tmp/.a and /tmp/.uua

    Open port 2001 (wizard). netstat -a will show, amongst other data:

        udp4       0      0  *.wizard               *.*

Signs of being scanned by the worm are requests like this in your
httpd-access.log:

    172.16.159.57 - - [29/Jun/2002:15:06:41 -0400] "GET / HTTP/1.1" 400 378

with corresponding messages in your httpd-error.log:

    [Sat Jun 29 15:06:41 2002] [error] [client 172.16.159.57] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

To clean the worm, kill the apache processes, kill -9 the /tmp/.a
process:

    ps -ax | grep /tmp/.a | awk '{ print $1 }' | xargs kill -9

then upgrade apache.

As a stop-gap to prevent your system infecting others until you can
upgrade to an immune version of apache, mount your /tmp partition
noexec or create unwritable empty files to block the worm:

    rm -f /tmp/.a /tmp/.uua
    touch /tmp/.a /tmp/.uua
    chown root:wheel /tmp/.a /tmp/.uua
    chmod 0 /tmp/.a /tmp/.uua

Nb. This is not a fix. Your apache processes can still be subverted by
the worm. It just stops your system spreading the worm any further.
Chances are some idiot will "improve" the worm and make this advice
ineffectual sooner or later.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
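As an added example (not code from Matthew's mail or from FreeBSD), here is a small triage script that checks the three indicators he lists (the probe signature in the Apache logs, the udp/2001 "wizard" listener, and the /tmp dropper files) against constructed sample data; the sample addresses, file paths and log contents are assumptions.

```shell
#!/bin/sh
# Added triage example, not from the original mail. The access-log, error-log
# and netstat samples below are constructed; point the functions at your own
# files to run them for real. Sample client addresses are documentation ranges.
TMPD=$(mktemp -d)
ACCESS_LOG="$TMPD/httpd-access.log"; ERROR_LOG="$TMPD/httpd-error.log"
NETSTAT_OUT="$TMPD/netstat.txt"
# Two worm probes (hostless HTTP/1.1 GET answered 400) and one normal request.
cat > "$ACCESS_LOG" <<'EOF'
172.16.159.57 - - [29/Jun/2002:15:06:41 -0400] "GET / HTTP/1.1" 400 378
192.0.2.10 - - [29/Jun/2002:15:07:02 -0400] "GET /index.html HTTP/1.1" 200 1532
198.51.100.8 - - [29/Jun/2002:15:09:15 -0400] "GET / HTTP/1.1" 400 378
EOF
# Matching error-log entries, plus an unrelated error that must be ignored.
cat > "$ERROR_LOG" <<'EOF'
[Sat Jun 29 15:06:41 2002] [error] [client 172.16.159.57] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Jun 29 15:08:00 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/favicon.ico
[Sat Jun 29 15:09:15 2002] [error] [client 198.51.100.8] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
EOF
# netstat -a output with the worm's UDP listener on port 2001 (wizard).
cat > "$NETSTAT_OUT" <<'EOF'
tcp4       0      0  *.http                 *.*                    LISTEN
udp4       0      0  *.wizard               *.*
EOF

# Count access-log lines carrying the probe signature: "GET / HTTP/1.1" -> 400.
count_scan_hits() {
    grep -c '"GET / HTTP/1\.1" 400 ' "$1" || true
}
# Distinct client addresses that sent HTTP/1.1 requests without a Host header.
scan_sources() {
    sed -n 's/.*\[client \([^]]*\)\] client sent HTTP\/1\.1 request without hostname.*/\1/p' "$1" | sort -u
}
# Succeeds if a UDP socket is bound to port 2001 (shown as "wizard" or "2001").
wizard_port_open() {
    grep -Eq '^udp[46]?[[:space:]].*\*\.(wizard|2001)[[:space:]]' "$1"
}
# Succeeds if either dropper file exists in the given directory (default /tmp).
dropper_present() {
    d=${1:-/tmp}
    [ -e "$d/.a" ] || [ -e "$d/.uua" ]
}

echo "probe hits in access log: $(count_scan_hits "$ACCESS_LOG")"
echo "probe sources: $(scan_sources "$ERROR_LOG" | xargs)"
wizard_port_open "$NETSTAT_OUT" && echo "udp port 2001 (wizard) is listening"
dropper_present /tmp && echo "/tmp/.a or /tmp/.uua present" || echo "no dropper files in /tmp"
```

A hit count above zero only shows you were probed; the port and file checks are what indicate an actual infection.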