Re: Apache 1.3.XX

From: Russell Fulton (R.FULTON@auckland.ac.nz)
Date: 01/31/02


From: Russell Fulton <R.FULTON@auckland.ac.nz>
To: John <johns@tampabay.rr.com>
Date: 01 Feb 2002 10:30:16 +1300

On Thu, 2002-01-31 at 15:22, John wrote:
> Hello list,
>
> I was wondering if anyone has heard about an Apache 1.3.XX bug starting to
> surface. Supposedly it creates a bind shell on TCP 2029 when this code
> executes the payload. The exploit has "7350apache - Apache 1.3.XX remote
> root exploit" in the binary (along with some other stuff that I don't want
> to say on the list). I don't have access to this binary and that's why I am
> curious as to if other people on this list have seen anything lately.
>

Hmmm.... we saw an attack two days ago against an apache server which
consisted of GETs and POST followed by long strings of Xs followed by shell
code. They did not get in so I don't have any other leaving from the attack.
Nor did snort pick up the attack, it did detect various ftp exploits
launched against the box from the same address and that was what drew my
attention to it.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • Re: resolv and dynamic linking to compat libc
    ... > subvert a build of Apache 2.0.39 built with the buggy libc. ... > many servers run it. ... > binary package, be careful! ... Apache is actually a fairly unlikely target for the libc resolver attack, ...
    (FreeBSD-Security)
  • Re: ipfilter traffic blocking and tcpdump snort etc
    ... > Maybee an upgrade of apache would be a good start?. ... Gets me that something as simple as a flood of packets can just ... from the attacking hosts with snort during the packet attack only had the SYN ...
    (freebsd-questions)
  • [Full-Disclosure] Apache::Gallery local webserver compromise, privilege escalation
    ... that, in combination with mod_perl and Apache, provides a powerful and ... get it to load our own malicious shared libraries. ... The one thing that makes this attack difficult is that you'll likely need ... to get /tmp/lib cleared first. ...
    (Full-Disclosure)
  • Apache::Gallery local webserver compromise, privilege escalation
    ... that, in combination with mod_perl and Apache, provides a powerful and ... get it to load our own malicious shared libraries. ... The one thing that makes this attack difficult is that you'll likely need ... to get /tmp/lib cleared first. ...
    (Bugtraq)
  • GLSA200403-04 Multiple security vulnerabilities in Apache 2
    ... A memory leak in mod_ssl allows a remote denial of service attack ... against an SSL-enabled server via plain HTTP requests. ... The Apache HTTP Server Project is an effort to develop and maintain an ... via plain HTTP requests to the SSL port of an SSL-enabled server. ...
    (Bugtraq)