Re: Apache worm in the wild
From: flynn@energyhq.homeip.net
Date: 06/28/02
- Previous message: bugzilla@redhat.com: "[RHSA-2002:127-18] Updated OpenSSH packages fix various security issues"
- Next in thread: Brett Glass: "Re: Apache worm in the wild"
- Next in thread: Mihai (Cop) Moldovanu: "Re: Apache worm in the wild"
- Reply: Brett Glass: "Re: Apache worm in the wild"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Jun 2002 13:38:34 +0200
From: flynn@energyhq.homeip.net
To: Domas Mituzas <domas.mituzas@microlink.lt>
On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote:
Hi,
> our honeypot systems trapped a new apache worm (+trojan) in the wild. It
> traverses through the net, and installs itself on all vulnerable apaches
> it finds. No source code available yet, but I put the binaries into public
Wow, an interesting puppy. I just ran it through dasm to get the
assembler dump. The executable is not even stripped, and makes an
interesting read, as it gives lots of information. It looks like it was
either coded by someone with little experience or in a hurry, and there
are several system calls like this one:
Possible reference to string:
"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;"
I wonder how many variants of this kind of thing we'll see, but I assume most people
running Apache have upgraded already.
Cheers,
--
Miguel Mendez - flynn@energyhq.homeip.net
GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
EnergyHQ :: http://www.energyhq.tk
Of course it runs NetBSD!
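The string-dump triage Miguel describes, as an added example that is not part of the original post: pull printable strings out of a binary the way strings(1) or a disassembler would, then flag any that look like the drop-and-execute chain quoted above (decode a payload, write a dot-prefixed file under /tmp, chmod +x it, kill and rerun it). The blob and the "GCC: (GNU) 2.96" marker are constructed sample input, not bytes from the worm binary.

```python
import re

# Constructed sample "binary": a few non-printable bytes around the command
# string quoted in the post. This is NOT the real worm binary.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;"
    + b"killall -9 .a;/tmp/.a %s;exit;\x00"
    + b"\x90\x90" + b"GCC: (GNU) 2.96\x00" + b"\x00\x10\x20"
)


def extract_strings(blob, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


# Behaviours visible in the quoted command chain: decode a payload, drop it
# under /tmp with a hidden (dot-prefixed) name, make it executable, kill and run.
DROPPER_INDICATORS = {
    "decode_payload": re.compile(r"\buudecode\b"),
    "hidden_tmp_file": re.compile(r"/tmp/\.[^\s;]+"),
    "make_executable": re.compile(r"\bchmod\s+\+x\b"),
    "kill_then_run": re.compile(r"\bkillall\s+-9\b"),
}


def classify_string(s):
    """Return the sorted names of dropper indicators matched by one string."""
    return sorted(name for name, rx in DROPPER_INDICATORS.items() if rx.search(s))


def find_dropper_strings(blob, min_hits=3):
    """Return (string, indicators, dropped paths) for every extracted string that
    matches at least min_hits indicators; single hits (e.g. a lone /tmp path)
    are too common to be worth flagging on their own."""
    hits = []
    for s in extract_strings(blob):
        names = classify_string(s)
        if len(names) >= min_hits:
            paths = sorted(set(DROPPER_INDICATORS["hidden_tmp_file"].findall(s)))
            hits.append((s, names, paths))
    return hits


if __name__ == "__main__":
    for s, names, paths in find_dropper_strings(SAMPLE_BLOB):
        print("suspicious:", s)
        print("  indicators:", ", ".join(names))
        print("  dropped files:", ", ".join(paths))
```

The dropped-file paths it reports (/tmp/.uua, /tmp/.a) are the artifacts to look for on a host suspected of running this worm.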