[PLUG] [plhofmei at zionlth.org: Fwd: bugtraq.c httpd apache ssl attack]

D. Cooper Stevenson cooper at linux-enterprise.net
Fri Sep 13 19:36:53 UTC 2002


Phillip;

More information on this...


 ''It is an 'agent' worm (as his parent, mr. Apache Worm), and can be
controlled / instructed to do a UDP Flood, TCP Flood, DNS Flood, other
goodies including command execution on infected system. The source is
found in /tmp/.bugtraq.c ... and the comments are in english now :)''

Sorry for incorrectly referring to you as Stafford.


-Cooper


On Fri, Sep 13, 2002 at 12:29:32PM -0700, D. Cooper Stevenson wrote:
> Stafford;
> 
> I just performed research on this. Here's your answer:
> 
> This attack is a variation of the GOBBLES exploit and affects Apache servers through v. 1.3.26 according to this site:
> 
>   http://packetstorm.decepticons.org/filedesc/apache-worm.c.html
>   
> As this is a variation of a known exploit, it was effectively fixed by the Apache team before it was created; the exploit was closed on 21 June 2002 with Apache v. 1.3.26.
> 
> Very Truly Yours,
> 
> -- 
> ______________________________________________________
> Cooper Stevenson        |cooper at metasource.us
> UNIX/Linux Consultant   |PH: (541)791-1322
> MetaSource Technologies |www.metasource.us
> ------------------------------------------------------
> 
> On Fri, Sep 13, 2002 at 10:47:05AM -0700, Stafford A. Rau wrote:
> > Here's more info about what looks to be a modssl compromise.
> > 
> > --Stafford
> > 
> > ----- Forwarded message from Phillip Hofmeister <plhofmei at zionlth.org> -----
> > 
> > Date: Fri, 13 Sep 2002 13:25:28 -0400
> > From: Phillip Hofmeister <plhofmei at zionlth.org>
> > To: debian-security at lists.debian.org
> > Subject: Fwd: bugtraq.c httpd apache ssl attack
> > Message-ID: <20020913172528.GA12508 at zionlth.org>
> > User-Agent: Mutt/1.4i
> > X-Mailing-List: <debian-security at lists.debian.org> archive/latest/8890
> > 
> > Even though we are not mentioned, are we vulnerable to this attack?
> > 
> > ----- Forwarded message from Fernando Nunes <fmcn at netcabo.pt> -----
> > 
> > Envelope-to: plhofmei at zionlth.org
> > Delivery-date: Fri, 13 Sep 2002 13:20:23 -0400
> > Date: 13 Sep 2002 13:55:17 -0000
> > X-Mailer: MIME-tools 5.411 (Entity 5.404)
> > From: Fernando Nunes <fmcn at netcabo.pt>
> > To: bugtraq at securityfocus.com
> > Subject: bugtraq.c httpd apache ssl attack
> > 
> > 
> > 
> > I am using RedHat 7.3 with Apache 1.3.23. Someone used the
> > program "bugtraq.c" to explore a modSSL buffer overflow to get access to
> > a shell. The attack creates a file named "/tmp/.bugtraq.c" and compiles it
> > using gcc. The program is started with another computer's IP address as
> > argument. All computer files that the user "apache" can read are exposed.
> > The program attacks the following Linux distributions:
> > 
> > Red-Hat: Apache 1.3.6,1.3.9,1.3.12,1.3.19,1.3.20,1.3.22,1.3.23,1.3.26
> > SuSE: Apache 1.3.12,1.3.17,1.3.19,1.3.20,1.3.23
> > Mandrake: 1.3.14,1.3.19
> > Slackware: Apache 1.3.26
> > 
> > Regards
> > Fernando Nunes
> > Portugal
> > 
> > 
> > ----- End forwarded message -----
> > 
> > -- 
> > Phil
> > 
> > PGP/GPG Key:
> > http://www.zionlth.org/~plhofmei/
> > wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import
> > 
> > XP Source Code:
> > 
> > #include <win2k.h>
> > #include <extra_pretty_things_with_bugs.h>
> > #include <more_bugs.h>
> > #include <require_system_activation.h>
> > #include <phone_home_every_so_often.h>
> > #include <remote_admin_abilities_for_MS.h>
> > #include <more_restrictive_EULA.h>
> > #include <sell_your_soul_to_MS_EULA.h>
> > //os_ver="Windows 2000"
> > os_ver="Windows XP"
> > 
> > 
> > 
> > ----- End forwarded message -----
> > 

-- 
______________________________________________________
Cooper Stevenson        |cooper at metasource.us
UNIX/Linux Consultant   |PH: (541)791-1322
MetaSource Technologies |www.metasource.us
------------------------------------------------------
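
A host check for the traces the forwarded Bugtraq report describes (a hidden C source file dropped in /tmp, and a program started with another computer's IP address as its argument), added here as an example and not part of any message in this thread. The `apache` account default, the `/tmp/.sample` path and the process listing are constructed assumptions.

```shell
#!/bin/sh
# Added example: look for the two host-side traces named in the report.
# Nothing here comes from the worm source; sample data is constructed.

# Print hidden C source files sitting directly in DIR (default /tmp).
# The report names /tmp/.bugtraq.c; the pattern also catches renamed copies.
find_hidden_c_sources() {
    dir=${1:-/tmp}
    find "$dir" -maxdepth 1 -type f -name '.*.c' 2>/dev/null
}

# Read "USER PID COMMAND ARGS..." lines on stdin and print "PID COMMAND IP"
# for processes owned by the web server account (default: apache) whose
# executable lives under /tmp and that were given an IPv4 address argument.
flag_tmp_procs() {
    web_user=${1:-apache}
    awk -v u="$web_user" '
        $1 == u && $3 ~ /^\/tmp\// {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    print $2, $3, $i
                    break
                }
        }'
}

# Constructed process listing in the shape of `ps -eo user,pid,args`.
# /tmp/.sample is a hypothetical binary name; 192.0.2.10 is a
# documentation address.
sample_ps() {
    cat <<'EOF'
USER PID COMMAND
root 1 /sbin/init
apache 2201 /usr/sbin/httpd -DHAVE_SSL
apache 4312 /tmp/.sample 192.0.2.10
cooper 5120 /tmp/build/a.out 10.0.0.5
EOF
}

# Demonstration on the constructed listing.
sample_ps | flag_tmp_procs apache
```

On a live host, run `find_hidden_c_sources /tmp` and `ps -eo user,pid,args | flag_tmp_procs apache`, substituting the account your httpd runs as.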



