  1. #1
    Join Date
    Apr 2001
    Location
    St. Louis, MO
    Posts
    2,508

    Apache Worm 'Early Warning' Notification

    6/28/2002 11:15am PST

    eEye Digital Security would like to alert you of the existence of an Apache worm that is starting to propagate. We currently have our research team dissecting this worm and an update alert will be issued if needed.

    In the meantime, eEye recommends Apache users test their systems utilizing the free Retina® Apache Vulnerability Scanner. The freeware tool may be downloaded directly from the eEye website at:
    http://www.eeye.com/html/Research/To...hechunked.html

    If your Apache web server is vulnerable, you should immediately implement a patch. Refer to the Apache website: http://httpd.apache.org/


    The eEye Digital Security Team
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"

  2. #2
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,779
    Already been discussed in several posts here. I hope everyone has updated or is in the process of updating their Apache already to 1.3.26

  3. #3
    Join Date
    Dec 2001
    Location
    Detroit, MI
    Posts
    1,067
    Hmm, their research team is dissecting the worm? Not sure how much dissection is required since the C source code is available freely.

    I'm not sure the worm itself has been discussed here yet, but the Apache hole certainly has.
    <!-- boo! -->

  4. #4
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    Guess someone's vulnerability turns into another's opportunity.

    Upgrading to the latest Apache would be faster, easier and cheaper.
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  5. #5
    Originally posted by DizixCom
    Hmm, their research team is dissecting the worm? Not sure how much dissection is required since the C source code is available freely.

    I'm not sure the worm itself has been discussed here yet, but the Apache hole certainly has.

    Scalp.c is freely available, however the worm is a compiled binary and the source for it is not available.

    Definitely patch up and DON'T WAIT. I happen to know for a fact that people are exploiting this on operating systems that are not publicly known as vulnerable. So if you're running redhat linux and secfocus says it's only bsd, DO NOT think you are safe. Upgrade and do it now!

  6. #6
    Join Date
    Dec 2001
    Location
    Detroit, MI
    Posts
    1,067
    Scalp.c is freely available, however the worm is a compiled binary and the source for it is not available.
    You may wish to view this: http://dammit.lt/apache-worm/apache-worm.c
    <!-- boo! -->

  7. #7
    Yep, just saw it myself. I was going on yesterday's news.

  8. #8
    Join Date
    Dec 2001
    Location
    Detroit, MI
    Posts
    1,067
    Gotta love the open source community, even their worms are freely available before release!
    <!-- boo! -->

  9. #9
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    So... it's been a few days. I still see a whole swack of pre 1.3.26 servers out there... have *you* patched your Apache yet?

    A reminder of why...

    (snip from Security UPDATE [[email protected]])

    One user, Domas Mituzas, captured the worm in a honeypot system and
    analyzed it, revealing several aspects of the worm's activity. The
    worm spreads by scanning for other vulnerable Apache servers. It also
    contains a command interface that listens on UDP port 2001 and lets
    the worm be instructed to perform Distributed Denial of Service (DDoS)
    attacks against specified targets. Shortly after Mituzas posted the
    worm's binary executables to the Web, he received the complete source
    code for the worm through email and subsequently posted that code to
    the Web as well.
    http://dammit.lt/apache-worm

    The problem is very serious because approximately 50 million Apache
    Web servers operate on the Internet. The fact that many vendors, such
    as Dell, have used Apache code to build Web management interfaces into
    their various network-management products compounds the problem.

    The Computer Emergency Response Team (CERT) issued an advisory
    (CA-2002-17) about the vulnerability, which is available at the first
    URL below. The Apache team has released updated software that helps
    protect 64-bit and 32-bit versions and recommends that all users
    upgrade to Apache 2.0.39 or Apache 1.3.26. Some users might be relying
    on third-party patches to help correct the matter. However, not all of
    those third-party patches address the complete scope of the
    vulnerabilities. Therefore, I urge users to immediately obtain and
    install patched code directly from the Apache Software Foundation.
    http://www.cert.org/advisories/CA-2002-17.html
    http://httpd.apache.org/info/securit...n_20020620.txt
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  10. #10
    Join Date
    Aug 2000
    Location
    Tacoma, Washington
    Posts
    9,576
    All patched up here as of a week or so ago. I personally always try to err on the side of paranoid when it comes to things such as this. We were patched when it was a 64 bit issue and little else. A day or so afterwards suddenly it was a serious issue. By then it was business as usual again.

    Greg Moore
    Former Webhost... now, just a guy.

  11. #11
    Join Date
    Dec 2001
    Location
    Above The Clouds
    Posts
    6,999
    We had a server hit almost on the day the news of this worm was released. Data was directed at Apache through a webmail port:

    HTTP/1.1 200 OK
    Date: Tue, 25 Jun 2002 07:45:20 GMT
    Server: Apache/1.3.22 (Unix) (Red-Hat/Linux) FrontPage/5.0.2.2623 mod_ssl/2.8.5 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01 mod_gzip/1.3.19.1a mod_throttle/3.1.2
    X-Powered-By: PHP/4.0.6
    Expires: Wed, 11 Nov 1998 11:11:11 GMT
    Cache-Control: no-cache
    Cache-Control: must-revalidate
    Pragma: no-cache
    Connection: close
    Transfer-Encoding: chunked

    Apache stores the stream of data in its temp directories until the hard drive fills up. Luckily we noticed it before the HD failed.
    Laurence Flynn @ atOmicVPS LTD
    Linux & Windows Cloud Hosting Solutions Powered by OnApp
    Fully Managed [Shared][Reseller][Cloud VPS] [Dedicated]
    Featuring the atOmicSTACK ● Speed ● Performance ● Reliability

  12. #12
    Join Date
    Feb 2002
    Posts
    956
    Originally posted by NexDog
    We had a server hit almost on the day the news of this worm was released. Data was directed at Apache through a webmail port:


    Apache stores the stream of data in its temp directories until the hard drive fills up. Luckily we noticed it before the HD failed.
    Update to Apache 1.3.26!!!!!!!

  13. #13
    Join Date
    Dec 2001
    Location
    Above The Clouds
    Posts
    6,999
    We are.
    Laurence Flynn @ atOmicVPS LTD
    Linux & Windows Cloud Hosting Solutions Powered by OnApp
    Fully Managed [Shared][Reseller][Cloud VPS] [Dedicated]
    Featuring the atOmicSTACK ● Speed ● Performance ● Reliability
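
An added example, not part of the original thread: a banner triage check that compares the `Server` header (like the one in post #11) against the fixed releases named in post #9, 1.3.26 and 2.0.39. The function names and result labels are assumptions; a banner only reports the upstream version string, so "needs-review" means confirm the package's patch level, since vendors may backport fixes without changing it.

```python
import re

# Fixed releases per branch, as named in post #9 of the thread.
FIXED = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}
BANNER_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)\b")

# Response headers abridged from post #11 (module list shortened).
POST_11_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 25 Jun 2002 07:45:20 GMT\r\n"
    "Server: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6\r\n"
    "Transfer-Encoding: chunked\r\n"
)

def server_header(raw_response):
    """Return the value of the Server header from raw response headers, or None."""
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line:
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def parse_apache_version(server_value):
    """Return (major, minor, patch) from a Server value, or None if absent."""
    m = BANNER_RE.search(server_value or "")
    return tuple(int(part) for part in m.groups()) if m else None

def assess(server_value):
    """Classify a banner: 'needs-review', 'fixed-release' or 'unknown'."""
    version = parse_apache_version(server_value)
    if version is None:
        return "unknown"            # banner hidden, trimmed, or not Apache
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown"            # branch the thread names no fix for
    return "fixed-release" if version >= fixed else "needs-review"

if __name__ == "__main__":
    # The last three banners are constructed sample values.
    samples = [server_header(POST_11_RESPONSE), "Apache/1.3.26 (Unix)",
               "Apache/2.0.36", "Apache"]
    for banner in samples:
        print(f"{assess(banner):14} {banner}")
```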
