RE: Apache worm in the wild

From: Elan Hasson (elan@daryl.org)
Date: 07/01/02

• Next message: Joao Schim: "Re: SSH Patches"
• Previous message: bugtraq-help@securityfocus.com: "ezmlm response"
• In reply to: Brett Glass: "Re: Apache worm in the wild"
• Next in thread: Brett Glass: "Re: Apache worm in the wild"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Elan Hasson" <elan@daryl.org>
To: "Brett Glass" <brett@lariat.org>, <flynn@energyhq.homeip.net>, "Domas Mituzas" <domas.mituzas@microlink.lt>
Date: Mon, 1 Jul 2002 05:06:33 -0400

Dunno if anyone saw this:

http://news.com.com/2100-1001-940585.html

-----Original Message-----
From: Brett Glass [mailto:brett@lariat.org]
Sent: Friday, June 28, 2002 1:27 PM
To: flynn@energyhq.homeip.net; Domas Mituzas
Cc: freebsd-security@FreeBSD.ORG; bugtraq@securityfocus.com;
os_bsd@konferencijos.lt
Subject: Re: Apache worm in the wild

At 05:38 AM 6/28/2002, flynn@energyhq.homeip.net wrote:

>I wonder how many variants of this kind of thing we'll see, but I assume
most people
>running Apache have upgraded already.

Upgrading Apache may prevent your system from being taken over,
but it doesn't necessarily prevent it from being DoSed. One of
my Apache servers, which had been upgraded to 2.0.39, went berserk
on June 25th, spawning the maximum number of child processes and
then locking up. The server did not appear to have been infiltrated,
but the logs were filled with megabytes of messages indicating that
the child processes were repeatedly trying to free chunks of memory
that were already free. Probably the result of an attempted exploit
going awry. (It could have been aimed at Linux, or at a different
version of Apache; can't tell. But clearly it got somewhere, though
not all the way.)

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

---

• Next message: Joao Schim: "Re: SSH Patches"
• Previous message: bugtraq-help@securityfocus.com: "ezmlm response"
• In reply to: Brett Glass: "Re: Apache worm in the wild"
• Next in thread: Brett Glass: "Re: Apache worm in the wild"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Ports after upgrade ... You should try to use portsnap instead of cvsup which is in the base since 6.2. ... Your problem looks like a portupgrade mistake. ... After upgrading portupgrade you should rebuild apache with something like that: ... (freebsd-questions) Re: How to manually patch/configure/compile Apache 2.2.4s mod_autoindex module? ... Apache 2.2.4, which apart from some hassles when upgrading the PHP4 ... this user, I had allowed directory listings, with fancyindexing ... Overriding the Default Ports Directories ... (freebsd-questions) Re: Apache worm in the wild ... Upgrading Apache may prevent your system from being taken over, ... the child processes were repeatedly trying to free chunks of memory ... (FreeBSD-Security) Re: Apache worm in the wild ... Upgrading Apache may prevent your system from being taken over, ... the child processes were repeatedly trying to free chunks of memory ... (FreeBSD-Security) Re: Apache worm in the wild ... Upgrading Apache may prevent your system from being taken over, ... the child processes were repeatedly trying to free chunks of memory ... (Bugtraq)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > FreeBSD-Security  > 2002-07