[PLUG] [plhofmei at zionlth.org: Fwd: bugtraq.c httpd apache ssl attack]
D. Cooper Stevenson
cooper at linux-enterprise.net
Fri Sep 13 19:36:53 UTC 2002
Phillip;
More information on this...
''It is an 'agent' worm (as his parent, mr. Apache Worm), and can be
controlled / instructed to do a UDP Flood, TCP Flood, DNS Flood, other
goodies including command execution on infected system. The source is
found in /tmp/.bugtraq.c ... and the comments are in english now :)''
Sorry for incorrectly referring to you as Stafford.
-Cooper
On Fri, Sep 13, 2002 at 12:29:32PM -0700, D. Cooper Stevenson wrote:
> Stafford;
>
> I just performed research on this. Here's your answer:
>
> This attack is a variation of the GOBBLES exploit and affects Apache servers through v. 1.3.26 according to this site:
>
> http://packetstorm.decepticons.org/filedesc/apache-worm.c.html
>
> As this is a variation of a known exploit, it was effectively fixed by the Apache team before it was created; the exploit was closed on 21 June 2002 with Apache v. 1.3.26.
>
> Very Truly Yours,
>
> --
> ______________________________________________________
> Cooper Stevenson |cooper at metasource.us
> UNIX/Linux Consultant |PH: (541)791-1322
> MetaSource Technologies |www.metasource.us
> ------------------------------------------------------
>
> On Fri, Sep 13, 2002 at 10:47:05AM -0700, Stafford A. Rau wrote:
> > Here's more info about what looks to be a modssl compromise.
> >
> > --Stafford
> >
> > ----- Forwarded message from Phillip Hofmeister <plhofmei at zionlth.org> -----
> >
> > Date: Fri, 13 Sep 2002 13:25:28 -0400
> > From: Phillip Hofmeister <plhofmei at zionlth.org>
> > To: debian-security at lists.debian.org
> > Subject: Fwd: bugtraq.c httpd apache ssl attack
> > Message-ID: <20020913172528.GA12508 at zionlth.org>
> > User-Agent: Mutt/1.4i
> > X-Mailing-List: <debian-security at lists.debian.org> archive/latest/8890
> >
> > Even though we are not mentioned, are we vulnerable to this attack?
> >
> > ----- Forwarded message from Fernando Nunes <fmcn at netcabo.pt> -----
> >
> > Envelope-to: plhofmei at zionlth.org
> > Delivery-date: Fri, 13 Sep 2002 13:20:23 -0400
> > Date: 13 Sep 2002 13:55:17 -0000
> > X-Mailer: MIME-tools 5.411 (Entity 5.404)
> > From: Fernando Nunes <fmcn at netcabo.pt>
> > To: bugtraq at securityfocus.com
> > Subject: bugtraq.c httpd apache ssl attack
> >
> >
> >
> > I am using RedHat 7.3 with Apache 1.3.23. Someone used the
> > program "bugtraq.c" to explore a modSSL buffer overflow to get access to
> > a shell. The attack creates a file named "/tmp/.bugtraq.c" and compiles it
> > using gcc. The program is started with another computer ip address as
> > argument. All computer files that the user "apache" can read are exposed.
> > The program attacks the following Linux distributions:
> >
> > Red-Hat: Apache 1.3.6,1.3.9,1.3.12,1.3.19,1.3.20,1.3.22,1.3.23,1.3.26
> > SuSe: Apache 1.3.12,1.3.17,1.3.19,1.3.20,1.3.23
> > Mandrake: 1.3.14,1.3.19
> > Slackware: Apache 1.3.26
> >
> > Regards
> > Fernando Nunes
> > Portugal
> >
> >
> > ----- End forwarded message -----
> >
> > --
> > Phil
> >
> > PGP/GPG Key:
> > http://www.zionlth.org/~plhofmei/
> > wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import
> >
> > XP Source Code:
> >
> > #include <win2k.h>
> > #include <extra_pretty_things_with_bugs.h>
> > #include <more_bugs.h>
> > #include <require_system_activation.h>
> > #include <phone_home_every_so_often.h>
> > #include <remote_admin_abilities_for_MS.h>
> > #include <more_restrictive_EULA.h>
> > #include <sell_your_soul_to_MS_EULA.h>
> > //os_ver="Windows 2000"
> > os_ver="Windows XP"
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request at lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster at lists.debian.org
> >
> > ----- End forwarded message -----
> >
> > _______________________________________________
> > PLUG mailing list
> > PLUG at lists.pdxlinux.org
> > http://lists.pdxlinux.org/mailman/listinfo/plug
>
--
______________________________________________________
Cooper Stevenson |cooper at metasource.us
UNIX/Linux Consultant |PH: (541)791-1322
MetaSource Technologies |www.metasource.us
------------------------------------------------------
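
The two indicators this thread names, the dropped /tmp/.bugtraq.c and a program started by the "apache" user with another computer's IP address as argument, can be checked on a host or a mounted disk image as sketched here. This is an added example, not part of the original messages; the function names, the --live switch and the sample ps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for the indicators named in this thread.
# Function names and sample data are assumptions made for illustration.

# Report the dropped source file if present. ROOT defaults to / so that a
# mounted disk image (for example /mnt/evidence) can be checked offline.
check_dropped_source() {
    root="${1:-/}"
    f="${root%/}/tmp/.bugtraq.c"
    if [ -e "$f" ]; then
        # ls -ln keeps numeric owner and mtime for the incident timeline
        ls -ln "$f"
        return 0
    fi
    return 1
}

# Read `ps -eo user,pid,args` style lines on stdin and print those where the
# web-server account runs a program from /tmp with an IPv4 address argument.
flag_suspect_procs() {
    web_user="${1:-apache}"
    awk -v u="$web_user" '
        $1 == u && $3 ~ /^\/tmp\// {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print; next }
        }'
}

# Constructed sample input (192.0.2.10 is a documentation address, not an IoC;
# the binary name /tmp/a.out is likewise made up).
sample_ps() {
    cat <<'EOF'
root      812 /usr/sbin/httpd -DHAVE_SSL
apache    901 /usr/sbin/httpd -DHAVE_SSL
apache   4411 /tmp/a.out 192.0.2.10
cooper   4500 /tmp/build/test 10.0.0.1
apache   4502 /tmp/sess_cleanup --quiet
EOF
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then
    check_dropped_source / || echo "no /tmp/.bugtraq.c found"
    ps -eo user,pid,args | flag_suspect_procs apache
fi
```

A clean result from either check does not clear a host, since the file can be deleted after compilation and the process can exit.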