Re: Apache worm in the wild
From: wink (wink@deceit.org)
Date: 06/28/02
- In reply to: Domas Mituzas: "Apache worm in the wild"
From: "wink" <wink@deceit.org>
To: "Domas Mituzas" <domas.mituzas@microlink.lt>, <freebsd-security@freebsd.org>
Date: Fri, 28 Jun 2002 13:10:05 -0500
Running strings on the binary, amongst other things, produces an IP address
(12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also:
FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)
I went ahead and touch'ed .a, .uua, and .log in /tmp and used chflags to set them
immutable, as I didn't see any real error handling on failed I/O operations.
Some other strings not mentioned yet are:
rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;
mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s
That's all I have time for at the moment.
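
A way to audit the placeholder files described in the message above, as an added example that is not part of the original post. The function names classify_path and audit_dir and the three state labels are this example's own; the file names come from the message and its quoted strings. It checks only presence, type and size, not the immutable flag.

```shell
#!/bin/sh
# Added example: audit a temp directory for the worm's working files.
# .a, .uua and .log are the names the message locks down; init comes from
# the "mv /tmp/tmp /tmp/init" string. State labels are this example's own.

# classify_path PATH -> prints absent | placeholder | suspect
classify_path() {
    p=$1
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then
        echo absent
    elif [ -f "$p" ] && [ ! -L "$p" ] && [ ! -s "$p" ]; then
        echo placeholder      # empty regular file, as left by touch
    else
        echo suspect          # has content, or is a symlink/dir/other type
    fi
}

# audit_dir [DIR] -> one "name state" line per file; returns 1 if any
# file is suspect, 0 otherwise. DIR defaults to /tmp.
audit_dir() {
    dir=${1:-/tmp}
    rc=0
    for name in .a .uua .log init; do
        state=$(classify_path "$dir/$name")
        echo "$name $state"
        if [ "$state" = suspect ]; then
            rc=1
        fi
    done
    return $rc
}

# Run as: sh audit.sh --audit [DIR]
if [ "${1:-}" = "--audit" ]; then
    audit_dir "${2:-/tmp}"
fi
```

On FreeBSD, ls -lo on the same files additionally shows whether the flag set with chflags is still in place.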