Web Hosting Talk

View Full Version : Apache Worm 'Early Warning' Notification


RackMy.com
06-29-2002, 01:00 AM
6/28/2002 11:15am PST

eEye Digital Security would like to alert you of the existence of an Apache worm that is starting to propagate. We currently have our research team dissecting this worm and an update alert will be issued if needed.

In the meantime, eEye recommends Apache users test their systems utilizing the free Retina® Apache Vulnerability Scanner. The freeware tool may be downloaded directly from the eEye website at:
http://www.eeye.com/html/Research/Tools/apachechunked.html

If your Apache web server is vulnerable, you should immediately implement a patch. Refer to the Apache website: http://httpd.apache.org/


The eEye Digital Security Team

Techark
06-29-2002, 01:17 AM
Already been discussed in several posts here. I hope everyone has updated or is in the process of updating their Apache already to 1.3.26

ScottD
06-29-2002, 01:28 AM
Hmm, their research team is dissecting the worm? Not sure how much dissection is required since the C source code is available freely.

I'm not sure the worm itself has been discussed here yet, but the Apache hole certainly has.

mwatkins
06-29-2002, 01:54 AM
Guess someone's vulnerability turns into another's opportunity.

Upgrading to the latest Apache would be faster, easier and cheaper.

Drewcifer
06-29-2002, 02:34 AM
Originally posted by DizixCom
Hmm, their research team is dissecting the worm? Not sure how much dissection is required since the C source code is available freely.

I'm not sure the worm itself has been discussed here yet, but the Apache hole certainly has.


Scalp.c is freely available, however the worm is a compiled binary and the source for it is not available.

Definitely patch up and DON'T WAIT. I happen to know for a fact that people are exploiting this on operating systems that are not publicly known as vulnerable. So if you're running redhat linux and secfocus says it's only bsd, DO NOT think you are safe. Upgrade and do it now!

ScottD
06-29-2002, 02:37 AM
Scalp.c is freely available, however the worm is a compiled binary and the source for it is not available.

You may wish to view this: http://dammit.lt/apache-worm/apache-worm.c

Drewcifer
06-29-2002, 11:31 AM
Yep, just saw it myself. I was going on yesterday's news. :)

ScottD
06-29-2002, 06:22 PM
Gotta love the open source community, even their worms are freely available before release! :)

mwatkins
07-04-2002, 08:36 PM
So... it's been a few days. I still see a whole swack of pre-1.3.26 servers out there... have *you* patched your Apache yet?

A reminder of why...

(snip from Security UPDATE [Security-UPDATE@list.winnetmag.com])

One user, Domas Mituzas, captured the worm in a honeypot system and
analyzed it, revealing several aspects of the worm's activity. The
worm spreads by scanning for other vulnerable Apache servers. It also
contains a command interface that listens on UDP port 2001 and lets
the worm be instructed to perform Distributed Denial of Service (DDoS)
attacks against specified targets. Shortly after Mituzas posted the
worm's binary executables to the Web, he received the complete source
code for the worm through email and subsequently posted that code to
the Web as well.
http://dammit.lt/apache-worm

The problem is very serious because approximately 50 million Apache
Web servers operate on the Internet. The fact that many vendors, such
as Dell, have used Apache code to build Web management interfaces into
their various network-management products compounds the problem.

The Computer Emergency Response Team (CERT) issued an advisory
(CA-2002-17) about the vulnerability, which is available at the first
URL below. The Apache team has released updated software that helps
protect 64-bit and 32-bit versions and recommends that all users
upgrade to Apache 2.0.39 or Apache 1.3.26. Some users might be relying
on third-party patches to help correct the matter. However, not all of
those third-party patches address the complete scope of the
vulnerabilities. Therefore, I urge users to immediately obtain and
install patched code directly from the Apache Software Foundation.
http://www.cert.org/advisories/CA-2002-17.html
http://httpd.apache.org/info/security_bulletin_20020620.txt

akashik
07-05-2002, 01:42 AM
All patched up here as of a week or so ago. I personally always try to err on the side of paranoid when it comes to things such as this. We were patched when it was a 64-bit issue and little else. A day or so afterwards suddenly it was a serious issue. By then it was business as usual again. :)

Greg Moore

NexDog
07-06-2002, 12:25 AM
We had a server hit almost on the day the news of this worm was released. Data was directed at Apache through a webmail port:
HTTP/1.1 200 OK
Date: Tue, 25 Jun 2002 07:45:20 GMT
Server: Apache/1.3.22 (Unix) (Red-Hat/Linux) FrontPage/5.0.2.2623 mod_ssl/2.8.5 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01 mod_gzip/1.3.19.1a mod_throttle/3.1.2
X-Powered-By: PHP/4.0.6
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Cache-Control: no-cache
Cache-Control: must-revalidate
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked

Apache stores the stream of data in its temp directories until the hard drive fills up. Luckily we noticed it before the HD failed.
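Added example, not part of the thread or of any poster's tooling: a Python version of the two host checks the posts above point to, comparing a Server banner against the fixed releases (1.3.26 and 2.0.39) and looking for a listener on UDP port 2001 in netstat output. The function names and the sample netstat lines are assumptions made for illustration.

```python
import re

# Fixed releases named in the thread: Apache 1.3.26 and Apache 2.0.39.
FIXED = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}
BANNER_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")

# Sample inputs: the first banner is shortened from the post above,
# everything else is constructed for this example.
SAMPLE_BANNERS = [
    "Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6",
    "Apache/1.3.26 (Unix)",
    "Apache/2.0.36 (Unix)",
    "Apache",  # version hidden by configuration
]
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:2001            0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp4       0      0 *.2001                  *.*
"""

def banner_status(server_header):
    """Return 'outdated', 'fixed' or 'unknown' for a Server header value."""
    # Only a hint: a vendor may backport the fix without changing the
    # version string, and the banner can be trimmed or hidden.
    m = BANNER_RE.search(server_header)
    if not m:
        return "unknown"
    version = tuple(int(part) for part in m.groups())
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the thread's advice
    return "outdated" if version < fixed else "fixed"

def udp_listeners(netstat_text, port=2001):
    """Local addresses bound to a UDP port in `netstat -an` style text."""
    # Accepts 'addr:port' (Linux) and 'addr.port' (BSD); a hit means look closer.
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].lower().startswith("udp"):
            if re.split(r"[:.]", fields[3])[-1] == str(port):
                hits.append(fields[3])
    return hits

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner_status(banner), "-", banner)
    print("UDP/2001 listeners:", udp_listeners(SAMPLE_NETSTAT))
```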

roly
07-06-2002, 04:12 AM
Originally posted by NexDog
We had a server hit almost on the day the news of this worm was released. Data was directed at Apache through a webmail port:


Apache stores the stream of data in its temp directories until the hard drive fills up. Luckily we noticed it before the HD failed.
Update to Apache 1.3.26!!!!!!!

NexDog
07-06-2002, 04:40 AM
We are. :)