Re: apache-worm.c

From: Colin Faber (cfaber@fpsn.net)
Date: 06/29/02


Date: Fri, 28 Jun 2002 19:17:23 -0600
From: Colin Faber <cfaber@fpsn.net>
To: Domas Mituzas <domas.mituzas@microlink.lt>

Domas Hi,

A quick review of my logs shows attempts all the way back to Jun 8th.

I've also had repeated attempts on different days from a Sprint
connection.

[Sat Jun 8 18:11:46 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Jun 9 03:34:26 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Jun 12 23:45:00 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Jun 13 05:36:10 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Jun 13 20:29:30 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Jun 16 19:15:18 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

Domas Mituzas wrote:
>
> Then, we can see that the real worm is slightly modified, but still,
> it's quite similar, so we can say it's the same origin. Anyway, not too much
> to fool about, we can obviously see some DDoS nature in it. But still,
> there may be more functionality.
>
> Also, after some investigation on normal boxes I saw this worm-like
> activity starting since Jun 25. Is it the date of birth? Anyone seeing these
> lines?
>
> [Fri Jun 28 21:31:51 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
>
> Regards,
> Domas Mituzas
> MicroLink Data
>
> midom@flock ~> make apache-worm 2>/dev/null
> cc -O -pipe -march=pentiumpro apache-worm.c -o apache-worm
> midom@flock ~> strings apache-worm | sort > a
> midom@flock ~> strings .a | sort > b
> --- b Sat Jun 29 02:11:44 2002
> +++ a Sat Jun 29 02:11:54 2002
> @@ -1,12 +1,18 @@
> !"#&(+,-./0123456789=>?@ABCDPQ
> + / H
> +$FreeBSD: src/lib/csu/i386-elf/crti.S,v 1.6 2002/05/15 04:19:49 obrien Exp $
> +$FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.5 2002/05/15 04:19:49 obrien Exp $
> %c%s
> %d.%d.%d.%d
> %s <base 1> [base 2] ...
> ,$s'1
> +,[^_]
> +,[^_]
> ----DATA----
> ----EMAILS----
> ----FROM----
> ----SUBJECT----
> +-Enc
> .gov
> .hlp
> /bin
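Review bot: the two "+$FreeBSD: src/lib/csu/i386-elf/crti.S,v 1.6 2002/05/15 ..." and crtn.S lines are RCS ident strings pulled in from the startup objects (crti.o/crtn.o) of the tree the rebuild was done on, and the "+,[^_]" lines are instruction bytes that happen to be printable; neither says anything about apache-worm.c. Since "a" and "b" come from different toolchains, a "+" or "-" line in this diff is not by itself evidence that the source differs from the binary; running "strings -n 8" on both files before sorting would remove most of this class of noise and leave a diff that is easier to read.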
> @@ -21,11 +27,15 @@
> /usr/libexec/ld-elf.so.1
> 12.127.17.71
> 127.0.0.1
> -8$t
> -8/u
> -8/u
> -8/u
> -: u'
> +; u1
> +;tiB
> +< v2
> +<0.t
> +<[^_]
> +<[^_]
> +>F;u
> +>F;u
> +AAAA
> Accept-Charset: iso-8859-1,*,utf-8
> Accept-Charset: iso-8859-1,*,utf-8
> Accept-Encoding: gzip
> @@ -38,6 +48,8 @@
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
> Accept: text/html, text/plain, text/sgml, */*;q=0.01
> Apache
> +BBBB
> +CCCCf
> Cannot packet local networks
> Checksum for data failed
> Connection: Keep-Alive
> @@ -50,6 +62,7 @@
> Dns flooding target
> Error communicating with website
> Error: %s
> +F;50
> FreeBSD
> FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)
> FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
> @@ -63,63 +76,37 @@
> Host: %s
> Host: %s:80
> Host: %s:80
> -Host: Unknown
> Insufficient memory
> Invalid IP
> Invalid instance or socket
> +L[^_]
> Location
> MAIL FROM:<%s>
> Message-ID: <%x.%x.%x@aol.com>
> Mime-Version: 1.0
> Operation Success
> Operation pending
> -POST / HTTP/1.1
> +POST
> PPPP
> PPPP
> PQP1
> PQSP
> -Ph $
> -Ph '
> -Ph B
> -Ph B
> -Ph J
> -Ph J
> -Ph+)
> -Ph:(
> -Ph>(
> -PhA'
> -PhA'
> -PhD'
> -PhD'
> -PhG'
> -PhG'
> -PhG(
> -PhJ'
> -PhW(
> -PhW)
> -Ph`$
> -Phg'
> Phn/shh//bi
> -Phw)
> -Pj-j
> Port is in use
> QUIT
> RCPT TO:<%s>
> Return-Path: <%c%c%c%c%c%c%c@aol.com>
> -Rh5(
> -Rh5(
> -Rh=)
> -RjFh`
> SPP1
> Sending packets to target
> Server:
> Set-Cookie
> Size must be less than or equal to 9216
> Subject: %s
> +TTP/
> Tcp flooding target
> Timed out while receiving data
> To: %s
> -Transfer-Encoding: chunked
> +Tran
> UNKNOWN-CHECKSUM-SUCCESSFUL
> Udp flooding target
> Unable to bind socket
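Review bot: "-POST / HTTP/1.1", "-Host: Unknown" and "-Transfer-Encoding: chunked" have not gone missing from the rebuild: they come back as four-byte pieces ("+POST", "+TTP/", "+Tran" in this hunk; "+ / H" and "+-Enc" in the first), which is what strings prints when the compiler writes a short string into a buffer with dword immediates instead of keeping it as one literal in .rodata. In the same way, the block of "-Ph.." and "-Rh.." lines on the other side is push %eax / push %edx followed by push $imm32, the argument-passing sequence of the older compiler, not data. For the "same origin" question this hunk is neutral: the request line, the Host header and the chunked Transfer-Encoding header exist in both binaries.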
> @@ -135,9 +122,22 @@
> User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
> User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
> XXXXX<Ot
> -\WVS
> +[^_]
> +[^_]
> +[^_]
> +[^_]
> +[^_]
> +[^_]
> +[^_]
> +[^_]
> +[^_]
> +[^_]
> +[^_]
> +[^_]
> +[^_]
> _DYNAMIC
> _GLOBAL_OFFSET_TABLE_
> +_Jv_RegisterClasses
> __bss_start
> __deregister_frame_info
> __eof__
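Review bot: the thirteen "+[^_]" lines and "+_Jv_RegisterClasses" identify the rebuild's toolchain, not a change in the worm: "[^_]" is the pop %ebx / pop %esi / pop %edi / pop %ebp function epilogue emitted by the newer gcc, and _Jv_RegisterClasses is the weak symbol referenced from gcc 3's crtbegin.o. The "-\WVS" on the other side is the corresponding push %edi / push %esi / push %ebx prologue of the older compiler. Nothing in this hunk bears on functionality.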
> @@ -155,69 +155,60 @@
> bcopy
> begin 655 .a
> bind
> -bzero
> -close
> connect
> ctime
> dup2
> environ
> execl
> -exit
> fclose
> fcntl
> +feof
> +ferror
> fgetc
> fgets
> find / -type f
> fopen
> fork
> -fprintf
> +fputs
> fread
> free
> fseek
> ftell
> +g: c
> gethostbyname
> getpid
> hBLE*h*GOB
> hGGGG
> http://
> +hunk
> inet_addr
> inet_ntoa
> -j0h`
> -j5h((
> -jqh`
> -jqh`
> -libc.so.4
> +libc.so.5
> malloc
> memcpy
> memset
> mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s
> -open
> +nkno
> +odin
> pclose
> popen
> -printf
> -rand
> -read
> recv
> recvfrom
> remove
> rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;
> select
> sendto
> +sfer
> signal
> -sleep
> -snprintf
> socket
> -sprintf
> srand
> strcasecmp
> strchr
> strcmp
> strcpy
> strdup
> -strlen
> -strncmp
> strtok
> -time
> +t: U
> tolower
> usleep
> vsnprintf
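Review bot: this is the hunk that actually speaks to whether the source matches the binary. "-libc.so.4" / "+libc.so.5" shows the captured binary was linked on a FreeBSD 4.x host and the rebuild on a 5-CURRENT host, and "-fprintf" / "+fputs" together with "-bzero" and "-strlen" are ordinary builtin rewrites of a newer gcc at -O (fprintf with a constant format becomes fputs, bzero is lowered to the memset both binaries import, strlen is typically inlined), so those lines prove nothing. The imports that drop out with no replacement, "-open", "-read", "-close", "-exit", "-sleep", "-rand" and "-time", are not explained by the compiler: if apache-worm.c called them, the rebuild would still import them, so either the posted source lacks code the captured binary has or it is a different revision. A diff of "nm -D" output from the two binaries would show this with far less noise than strings.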
> @@ -225,3 +216,4 @@
> waitpid
> webmaster@mydomain.com
> write
> +|[^_]
>
> On Fri, 28 Jun 2002, Brett Glass wrote:
>
> > At 05:58 PM 6/28/2002, Jonas M Luster wrote:
> >
> > >This seems to be a different source than the one, the binary was
> > >compiled from. The binary uses a lynx version string while this one
> > >uses User-Agent: Mozilla/4.75 [en] instead.
> >
> > Aha! Perhaps the worm's author was seeking to mislead Domas, and
> > others, about what it did and how.
> >
> > --Brett
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>

-- 
Colin Faber
(303) 736-5160
fpsn.net, Inc.
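Added example, not code from this thread: a small Python parser for the Apache 1.3 error_log lines quoted above that keeps only the "request without hostname" entries and summarises them per client (hit count, first/last seen, distinct days), which is the "repeated attempts on different days" check the message does by eye. The sample input is the entries quoted in the thread plus one constructed unrelated error line (client 192.0.2.7, a documentation address).

```python
import re
from datetime import datetime

# Apache 1.3 error_log layout: [Sat Jun  8 18:11:46 2002] [error] [client 1.2.3.4] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>\w+)\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$"
)
# The signature the thread is tracking: an HTTP/1.1 request that carries no Host header.
NO_HOST_SIG = "client sent HTTP/1.1 request without hostname"

# Sample input: the entries quoted in the thread, plus one constructed unrelated
# error (client 192.0.2.7) to show that the filter ignores it.
SAMPLE_LOG = """\
[Sat Jun 8 18:11:46 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Jun 9 03:34:26 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Jun 12 23:45:00 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Jun 13 05:36:10 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Jun 13 20:29:30 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Jun 16 19:15:18 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Jun 28 21:31:51 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Jun 28 21:40:02 2002] [error] [client 192.0.2.7] File does not exist: /usr/local/www/data/favicon.ico
"""

def parse_line(line):
    """Split one error_log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "level": m.group("level"), "ip": m.group("ip"), "msg": m.group("msg")}

def summarize_no_host_clients(log_text):
    """Per client IP: number of Host-less HTTP/1.1 requests, first/last seen, distinct days."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or NO_HOST_SIG not in rec["msg"]:
            continue
        s = summary.setdefault(rec["ip"], {"count": 0, "first": rec["ts"], "last": rec["ts"], "days": set()})
        s["count"] += 1
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
        s["days"].add(rec["ts"].date())
    return summary

def repeat_scanners(summary, min_days=2):
    """IPs that came back on at least min_days distinct days: the persistent scanners."""
    return sorted(ip for ip, s in summary.items() if len(s["days"]) >= min_days)
```

Run against a real error_log with `summarize_no_host_clients(open(path).read())`; a single Host-less request is common from old clients, so it is the per-day repetition that separates a scanner from noise.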