Vortech
07-23-2002, 09:33 AM
http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
We had one server get the worm but it never did anything. We still reformatted the server. The server was up to date on Apache and everything. The server was updated 2 days before the worm came out as well.
So you may just want to look in your /tmp dir if you're on FreeBSD to make sure you don't have this little bug.. It should be easy to remove but we took no chance on it.. :)
Just look for /tmp/.uua or /tmp/.a; if they are there, remove them.
MotleyFool
07-23-2002, 11:16 AM
Thanks Mate.
I didn't find them in my /tmp but appreciate your taking the time to let us know.
We BSD lovers should stick together!! :love:
mwatkins
07-23-2002, 11:55 AM
It is good for the FreeBSD community to stick together. Maybe we should have a thread here where we post issues of urgent importance, and we can just subscribe to it..?
Re this issue, it seems that only 1.x versions prior to 1.3.26 are affected:
http://securityresponse.symantec.com/avcenter/security/Content/2049.html
For Apache versions 1.2.2 through 1.3.24, this vulnerability may allow remote attackers to execute arbitrary code on Windows platforms. In addition, Apache has reported that a similar attack may allow the execution of arbitrary code on both 32-bit and 64-bit UNIX-based systems.
Which seems to make sense, since it's a worm that exploits the specific vulnerability (chunk-encoded HTTP requests) that was addressed by 1.3.26...
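As an added example, not code from the thread or from any of its posters, here are the two checks described above (Vortech's /tmp drop files and mwatkins's 1.3.26 cut-off) as a POSIX shell script; the function and file names are my own, and it assumes `httpd -v` prints the usual Apache banner.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the two Scalper drop files
# named above and for an Apache 1.x build older than the 1.3.26 fix.

# Print the version out of an Apache banner such as
# "Server version: Apache/1.3.24 (Unix)" or an HTTP "Server:" header.
apache_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# True (0) for a 1.x release before 1.3.26; the advisory quoted in the
# thread gives 1.2.2 through 1.3.24 as the affected range.
apache_vulnerable() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    [ -n "$patch" ] || patch=0
    [ "$major" -eq 1 ] 2>/dev/null || return 1
    if [ "$minor" -lt 3 ]; then return 0; fi
    if [ "$minor" -eq 3 ] && [ "$patch" -lt 26 ]; then return 0; fi
    return 1
}

# Report the worm's drop files under DIR (default /tmp): /tmp/.uua and
# /tmp/.a per the first post. Returns 0 when none is present.
scalper_indicators() {
    dir=${1:-/tmp}; found=0
    for f in "$dir/.uua" "$dir/.a"; do
        if [ -e "$f" ]; then echo "indicator present: $f"; found=1; fi
    done
    return $found
}

# Full check of the local host: version from httpd -v, then /tmp.
check_host() {
    ver=$(apache_version_from_banner "$(httpd -v 2>/dev/null | head -n 1)")
    if [ -z "$ver" ]; then
        echo "could not read the Apache version from httpd -v"
    elif apache_vulnerable "$ver"; then
        echo "Apache $ver predates 1.3.26: upgrade"
    else
        echo "Apache $ver is not in the affected range"
    fi
    scalper_indicators /tmp && echo "no Scalper drop files in /tmp"
}

# Run the full check only when saved and executed as scalper_check.sh;
# sourcing the file merely defines the functions.
case "$0" in *scalper_check*) check_host ;; esac
```

Saved as scalper_check.sh and run on the web server, it prints the version verdict and any of the two drop files it finds; it does not remove anything.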
allera
07-23-2002, 12:30 PM
I agree with mwatkins. The Symantec alert is dated June 28 2002 and last updated July 1 2002. They mention no Apache version numbers and claim the exploit is due to the chunk encoding stack overflow vuln that 1.3.26 addressed. I'm not sure why they targeted FreeBSD in the release when it's actually an Apache vuln, but 1.3.26 is patched against the chunk encoding vuln that this worm apparently exploits.
I'm all for a FreeBSD thread too, although I may forget about it due to the very few vulns found in the OS ( http://www.freebsd.org/security ).
ScottD
07-23-2002, 12:45 PM
The worm specifically targeted Apache running on FreeBSD, which is why they mention it specifically. Certainly it could exist for any platform running Apache prior to 1.3.26, but the overflow code embedded in this particular worm would only execute on FreeBSD.
BTW, there really isn't any way this could have infected a machine running 1.3.26 so it must have been there prior to the upgrade.
Vortech
07-23-2002, 03:16 PM
DizixCom, yeah, it could have been.. Maybe they didn't know about it yet. From the date on Symantec we did the update 2 days before the worm came out.. That was the only odd thing. But it could have been around a few days before they got it..