
View Full Version : Apache worm discovered!
dshepp 07-15-2002, 05:02 PM Just an fyi for anyone who administers Apache servers...
A new worm has been discovered that attacks Apache servers running on FreeBSD. Apache servers running on Linux are safe for now but it would not be hard to modify the worm to do so...
Upgrade to Apache 1.3.26 fixes the problem... See full article here...
http://www.computerworld.com/securi...1,72373,00.html
Moderator, after posting this here I re-posted it on the Technical and Security Issues forum because that looks like a better place to post it...
Cheers,
Daniel Sheppard :D
dshepp 07-15-2002, 05:08 PM Sorry for the double post. I posted this to the dedicated forum by accident...
Just an fyi for anyone who administers Apache servers...
A new worm has been discovered that attacks Apache servers running on FreeBSD. Apache servers running on Linux are safe for now but it would not be hard to modify the worm to do so...
Upgrade to Apache 1.3.26 fixes the problem... See full article here...
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,72373,00.html
Moderator, feel free to post anywhere else you think would be appropriate...
Cheers,
Daniel Sheppard :D
cbtrussell 07-15-2002, 05:20 PM You don't say? :spiny:
Starhost 07-15-2002, 05:43 PM From the article:
By Joris Evers, IDG News Service
JULY 01, 2002
Not really new, is it? Furthermore, I hope that you upgraded sooner, if you administer a box, than you posted this topic.
Andrew 07-15-2002, 05:54 PM OMG! Bug in IIS!! http://www.eeye.com/html/Research/Advisories/AD20001003.html
:p
That seems to be the same site listed in your profile.
<<MOD NOTE: Post (spam) was removed>>
WebServer007 07-15-2002, 07:32 PM Yes it is, I work for them. I do tech support, I know the product inside out and I firmly believe it is MUCH better than Cobalt's RaQ.
Mike the newbie 07-15-2002, 07:48 PM Originally posted by WebServer007
I knew Linux was too good to be true, open source will fail everyone eventually. In the end, UNIX is best left to SUN's Solaris OS. ...
I guess you haven't heard about the exploit for Solaris iPlanet web server?
Don't fool yourself into trying to find the perfect software. It does not exist. What you want to look for is the number of bugs and problems, and how long it takes for the bugs and problems to be resolved.
Open Source is doing very well in both the relatively small number of security problems, and the rapid response once a problem is found.
WebServer007 07-15-2002, 08:16 PM wait, so what? I mean really, I agree with your claim that no software is perfect, if it was, there wouldn't be new versions would there? But can you honestly tell me that Linux is more reliable and more secure than Solaris???? The reason people don't use Solaris for web server applications in small to medium sized companies is because the Solaris license is so expensive, but UV Networks has special licensing with SUN and makes it VERY affordable.
frnht451 07-15-2002, 08:49 PM gosh!
I'm CONVINCED, off to BUY some of your wonderful SOLARIS goodness right this moment!
WebServer007 07-15-2002, 09:00 PM haha cute, very cute... please excuse my passion for the product I represent and support. The benchmarks speak for themselves.
iseletsk 07-15-2002, 09:21 PM I actually think it is against forum rules. Anyway, I am pretty sure that Apache on Solaris is as vulnerable (as it is a bug in Apache itself). And the reason there is no exploit is due to the fact that there are not as many servers running Solaris these days.
porcupine 07-15-2002, 09:22 PM ... advertising the company you do tech for is forbidden in here
"I knew linux was too good to be true" :D, I can't even be bothered to waste my time replying to that, it's just hilarity to me.
allera 07-15-2002, 09:25 PM Originally posted by WebServer007
I knew Linux was too good to be true, open source will fail everyone eventually. In the end, UNIX is best left to SUN's Solaris OS.
You're kidding, right? The vast majority of the non-windows internet runs on open-source software:
BIND
FreeBSD
Linux
Mysql (and postgresql and ... )
Apache
Qmail
djbdns
Sendmail
OpenSSH
OpenSSL
on and on and on and on and on ... the list is endless and new open source programs pop up DAILY. Visit http://www.sourceforge.net for a small glimpse.
The code for the above applications are all available. Please share how open source will fail everyone and how closed source could possibly be any better. How fast are security patches released for *BSD, Linux, and most anything else open source? A whole HECK of a lot faster than for Solaris, I'll tell you that much.
Don't get me wrong, Solaris is a great product -- it's inherently secure, it's robust, it can handle a great deal -- but don't go around claiming the open source community will fail just because FreeBSD or Linux were found to have a vulnerability. Else I'd just have to point you to the 100MB+ security update patch clusters for Solaris.
Also, I downloaded Solaris 8 for i386 from their site before. I think I still have the cd around here. It was free and their license allowed me to use it for commercial purposes. I thought it was pretty nice of them. In the end, I opted for FreeBSD. Why? I find it to be a better product. It won't handle 20 processors and 64GB of RAM, but I'd deal with Solaris if I had to do that...
Oh hey, look what I found:
The UV30 WebBox Internet Server Appliance is based on open
standards and open source technologies, for rapid and seamless
integration into existing computing environments.
Located here: http://www.uvnetworks.com/UV30WebBoxDataSheet.PDF
Also, take a lookie here: http://www.uvnetworks.com/WebBox1000DataSheet.PDF
It uses Apache! Whoa, wait! That's open source!
Funny? I thought so...
[edit, the sequel]
You might want to use the Apache Chunked Scanner from eEye Digital Security on your www.uvnetworks.com site. Your high and mighty server isn't so high and mighty anymore. Might want to invest in Zeus and dump the Apache open source project. Then again, that may do something to your company's bottom line...
Last edit, I promise!
[/edit, the sequel]
iseletsk 07-15-2002, 09:32 PM Anyway, I think we should get the thread back to the topic. There is a vulnerability. It is known on FreeBSD, OpenBSD & Linux as well as on Windows.
Here is more.
http://httpd.apache.org/info/security_bulletin_20020620.txt
It is fairly old. I saw the worm for FreeBSD about a week and a half ago. I also saw this issue on Linux causing DoS. I would really recommend patching the system to anyone who has not done it yet. I think all 2.0.x & 1.3.x are affected, but the latest versions are available.
frnht451 07-15-2002, 09:48 PM misplaced passion.
If it's really that good others will advertise for you, or there are other places here you can DIY.
And thanks, it's the miniskirt isn't it, genuine hippo leather y'know :)
Originally posted by WebServer007
haha cute, very cute... please excuse my passion for the product I represent and support. The benchmarks speak for themselves.
JohnCrowley 07-15-2002, 11:54 PM Originally posted by WebServer007
I knew Linux was too good to be true, open source will fail everyone eventually.
OT
---
Seems your *super* company's website is running Apache 1.3.12, so it is vulnerable as well. Maybe not to the worm, but to many other exploits targeted at older Apache versions. Sun cannot save you there :)
---
BOT
---
Are there any log entries in Apache's logfiles that show the worm trying to exploit a server? When code red came out (and we still see it), the logfiles were full of the attempts.
- John
allera 07-16-2002, 12:05 AM Invulnerable:
<hostname/IP> - - [15/Jul/2002:23:03:39 -0500] "HEAD / HTTP/1.1" 200 0 "-" "-"
<hostname/IP> - - [15/Jul/2002:23:03:39 -0500] "POST /x.html HTTP/1.1" 400 284 "-" "-"
Vulnerable:
<hostname/IP> - - [15/Jul/2002:23:58:39 -0400] "HEAD / HTTP/1.1" 200 0 "-" "-"
If anyone has more information, feel free to post it. :)
These are both from Apache running on FreeBSD.
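Added example, not part of the original thread: a small Python check that sorts clients by the two access-log patterns quoted in the post above. The sample lines, the placeholder client addresses, the 5-second pairing window and the verdict names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Apache combined log format, modelled on the two
# patterns quoted in the post above; client addresses are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jul/2002:23:03:39 -0500] "HEAD / HTTP/1.1" 200 0 "-" "-"
192.0.2.10 - - [15/Jul/2002:23:03:39 -0500] "POST /x.html HTTP/1.1" 400 284 "-" "-"
198.51.100.7 - - [15/Jul/2002:23:58:39 -0400] "HEAD / HTTP/1.1" 200 0 "-" "-"
203.0.113.5 - - [15/Jul/2002:23:59:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield event

def classify_probes(text, window=timedelta(seconds=5)):
    """Map each probing client to 'post_rejected' or 'post_not_logged'."""
    events = list(parse(text))
    results = {}
    for i, e in enumerate(events):
        # Probe signature from the post: HEAD / with empty referer and agent.
        if (e["method"], e["path"], e["referer"], e["agent"]) != ("HEAD", "/", "-", "-"):
            continue
        rejected = any(
            n["client"] == e["client"] and n["method"] == "POST"
            and n["path"] == "/x.html" and n["status"] == "400"
            and timedelta(0) <= n["ts"] - e["ts"] <= window  # assumed window
            for n in events[i + 1:])
        if not rejected:
            # No logged follow-up: the pattern the post labels "Vulnerable".
            results[e["client"]] = "post_not_logged"
        else:
            results.setdefault(e["client"], "post_rejected")
    return results

if __name__ == "__main__":
    for client, verdict in classify_probes(SAMPLE_LOG).items():
        print(client, verdict)
```

A lone `HEAD /` with no user agent also comes from ordinary monitoring tools, so `post_not_logged` is a prompt to check the error log and the installed Apache version, not proof of compromise.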
globalwebhos 07-16-2002, 12:09 AM Originally posted by WebServer007
wait, so what? I mean really, I agree with your claim that no software is perfect, if it was, there wouldn't be new versions would there? But can you honestly tell me that Linux is more reliable and more secure than Solaris???? The reason people don't use Solaris for web server applications in small to medium sized companies is because the Solaris license is so expensive, but UV Networks has special licensing with SUN and makes it VERY affordable.
First of all you must be clueless about vulnerabilities, do you subscribe to any security mailing lists? I get more emails about solaris vulnerabilities than anything else, and well the funny thing is there is like 5 undisclosed solaris vulnerabilities that have exploits floating around and about 3 or 4 disclosed vulnerabilities which have yet a patch released....
You're also talking smack about opensource? Well let's see, it takes apache 1 day to put out a patch after the vulnerability went public and it takes months for sun to put out a patch for a disclosed vulnerability.
Get a clue and stop spamming your stupid website.
WebServer007 07-16-2002, 12:20 AM Apache on Solaris is more stable than Apache on FreeBSD or RedHat, also we upgraded to the latest version, and our web server will be updated shortly. The WebBox isn't perfect but it's the closest thing to it in the market.
ScottD 07-16-2002, 12:25 AM How do you prove the stability on Solaris is stronger than FreeBSD? I'd love to see some test cases for this.
I have no doubt in my mind that FreeBSD is a better value for webhosting than Solaris, and I am reluctant to believe any claims that Solaris is really any more stable. I love Solaris, but in a shared hosting atmosphere it's rather overkill.
porcupine 07-16-2002, 12:26 AM Originally posted by WebServer007
Apache on Solaris is more stable than Apache on FreeBSD or RedHat, also we upgraded to the latest version, and our web server will be updated shortly. The WebBox isn't perfect but it's the closest thing to it in the market.
Do you have anything to back that up? I'd love to see proof that apache is more stable in solaris than it is on FreeBSD.
The WebBox isn't perfect but it's the closest thing to it in the market.
^^^ I beg to differ, I think anyone reading this would prefer to use one of our main webservers that's running FreeBSD, recent software, latest apache, etc.
mwatkins 07-16-2002, 01:00 AM I see servers every day running old versions of Apache. Sigh.
ntwaddel 07-16-2002, 01:32 AM Originally posted by lightnin
OMG! Bug in IIS!! http://www.eeye.com/html/Research/Advisories/AD20001003.html
:p
bug #13,494
WebServer007 07-16-2002, 03:42 AM If you understood the risk involved in using open source, you would not use it! Why do you think the big hosting companies use huge SUN servers for hosting? Because they want to waste money?
ClusterMania 07-16-2002, 05:48 AM Originally posted by WebServer007
If you understood the risk involved in using open source, you would not use it! Why do you think the big hosting companies use huge SUN servers for hosting? Because they want to waste money?
I think the times are changing. Look at rackshack, not many people can compete with their prices for dedicated servers. I can't say anything about their support since I see someone complaining about them all the time.
Expensive Sun servers are really hard to sell now (Wish I didn't buy so much of their stock) :bawling:
I am sure a Supermicro server with freebsd and apache can perform just as well.
mwatkins 07-16-2002, 06:57 AM SPAM Originally posted by WebServer007
I knew Linux was too good to be true, open source will fail everyone eventually. In the end, UNIX is best left to SUN's Solaris OS.
That's funny. I used to sell against Sun, and picking on their OS was one of the best ways to win, in any account that had their wits about them. But I digress. Your argument being so flawed and so obviously intended to support SPAM, it's not really worth even pointing out that "closed source" systems have as many or more security holes. Here's a Sun sampling:
Number 022 (02.22) - June 6, 2002
{02.22.050} Sol - snmpdx/mibiisa vulnerabilities
Sun has released an advisory indicating that the snmpdx service contains a remotely exploitable format string vulnerability, and that the mibiisa agent contains a remotely exploitable buffer overflow.
Number 021 (02.21) - May 30, 2002
{02.21.001} Sol - in.rarpd syserr()/error() overflows and format string vulnerabilities
The in.rarpd service reportedly contains remotely exploitable buffer overflows and format string vulnerabilities in the syserr() and error() functions, allowing an attacker to execute arbitrary code on the system.
Number 013 (02.13) - April 4, 2002
{02.17.011} Sol - admintool -d and PROVIDERS overflows
The admintool utility shipped with Solaris 2.5 through 8 contains buffer overflows in the handling of the -d command-line parameter as well as the 'PROVIDERS' configuration file variable, which could allow a local attacker to execute arbitrary code with root privileges.
And hey, it's not just closed source Solaris, but what about all those other closed source applications that run on it? Like ORACLE?
Oracle
Updated: 05 July 2002
1. Oracle mod_plsql v3.0.9.8.2 in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)
Description
a) Potential buffer overflow-related security vulnerabilities exist in the Oracle mod_plsql v3.0.9.8.2 of
the Oracle9iAS, v1.0.2.x. By exploiting excessive string lengths in mod_plsql administration pages, a
knowledgeable and malicious user can use Oracle9iAS v1.0.2.x to gain access to Windows OS
accounts.
b) By attacking the Oracle mod_plsql directory path traversal mechanism using the double-URL
encoding exploit, a knowledgeable and malicious user may be able to access readable OS files that
may provide OS account information, and thereby gain access to the OS and Oracle9iAS.
c) By directly accessing the Oracle mod_plsql gateway configuration web pages, a knowledgeable and
malicious user may remotely administer PL/SQL DADs without requiring authentication if default
passwords for privileged database accounts are not changed in an Oracle9iAS production
environment.
... etc
yada yada yada
allera 07-16-2002, 07:55 AM Originally posted by WebServer007
If you understood the risk involved in using open source, you would not use it!
Why don't you enlighten us? I don't think you have a clue as to what you are babbling about.
Why do you think the big hosting companies use huge SUN servers for hosting? Because they want to waste money?
Because Sun has good salesmen and because the ones making the equipment decisions aren't getting the whole story. People used to think that if something was free, it was somehow inferior to something you pay for (and pay A LOT). It's quite the opposite and more and more people are starting to realize that. You will too, in time.
seg fault 07-16-2002, 09:14 AM This stuff was announced 3 weeks ago
akashik 07-16-2002, 01:25 PM well it might be news to a few people so isn't such a bad thing to post. I was looking at Netcraft earlier and can still see a wide range of servers, even next door to us at NAC, that have some woefully old versions of apache running.
Greg Moore
bteeter 07-16-2002, 03:05 PM Originally posted by WebServer007
Apache on Solaris is more stable than Apache on FreeBSD or RedHat, also we upgraded to the latest version, and our web server will be updated shortly. The WebBox isn't perfect but it's the closest thing to it in the market.
Wow. First you spam your site, then you spit on open source. THEN you say that Solaris is better than Redhat or FreeBSD, with no basis or backup to your statement.
You're really hoping to make some friends here, aren't you?
Apache on Solaris is no more stable than it is anywhere else. Solaris is no more stable or secure than any other UNIX operating system. Believe me. I manage many of them for one of my clients. They are constantly patching their boxes to keep them up to date. The list of patches applied to their Solaris 2.6 and 2.8 boxes is hundreds of lines long.
And yes, there are several undocumented exploits for solaris floating around.
Please get your facts together and straight before you put your other foot in your mouth.
Brian
Chicken 07-17-2002, 08:27 PM Spam has been removed.