  1. #1
    Join Date
    Dec 2000
    Location
    Indianapolis, IN
    Posts
    1,748

    FreeBSD.Scalper.Worm, even with apache 1.3.26

    http://securityresponse.symantec.com...lper.worm.html

    We had one server get the worm but it never did anything. We still reformatted the server. The server was up to date on Apache and everything. The server was updated 2 days before the worm came out as well.

    So you may just want to look in your /tmp dir if you're on FreeBSD to make sure you don't have this little bug.. It should be easy to remove but we took no chance on it..

    Just look for /tmp/.uua or /tmp/.a; if they are there, remove them.

  2. #2
    Join Date
    Sep 2001
    Location
    Madras
    Posts
    738
    Thanks Mate.

    I didn't find them in my /tmp but appreciate your taking the time to let us know.

    We BSD lovers should stick together!!
    Offering Managed Servers - for an exclusive clientèle who value uptime, caring support and superior technology.

  3. #3
    Join Date
    Dec 2000
    Location
    Indianapolis, IN
    Posts
    1,748

  4. #4
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    It is good for the FreeBSD community to stick together. Maybe we should have a thread here where we post issues of urgent importance, and we can just subscribe to it..?

    Re this issue, it seems that only 1.x versions prior to 1.3.26 are affected:

    http://securityresponse.symantec.com...tent/2049.html

    For Apache versions 1.2.2 through 1.3.24, this vulnerability may allow remote attackers to execute arbitrary code on Windows platforms. In addition, Apache has reported that a similar attack may allow the execution of arbitrary code on both 32-bit and 64-bit UNIX-based systems.
    Which seems to make sense, since it's a worm that exploits the specific vulnerability (chunk-encoded HTTP requests) that was addressed by 1.3.26...

  5. #5
    Join Date
    Apr 2001
    Location
    Palm Beach, FL
    Posts
    1,095
    I agree with mwatkins. The Symantec alert is dated June 28 2002 and last updated July 1 2002. They mention no Apache version numbers and claim the exploit is due to the chunk encoding stack overflow vuln that 1.3.26 addressed. I'm not sure why they targeted FreeBSD in the release when it's actually an Apache vuln, but 1.3.26 is patched against the chunk encoding vuln that this worm apparently exploits.

    I'm all for a FreeBSD thread too, although I may forget about it due to the very few vulns found in the OS ( http://www.freebsd.org/security ).
    Alex Llera
    Professional Server Management
    FreeBSD|Linux|HSphere|Cpanel|Plesk

  6. #6
    Join Date
    Dec 2001
    Location
    Detroit, MI
    Posts
    1,067
    The worm specifically targeted Apache running on FreeBSD which is why they mention it specifically. Certainly it could exist for any platform running Apache prior to 1.3.26, but the overflow code embedded in this particular worm would only execute on FreeBSD.

    BTW, there really isn't any way this could have infected a machine running 1.3.26 so it must have been there prior to the upgrade.
    <!-- boo! -->

  7. #7
    Join Date
    Dec 2000
    Location
    Indianapolis, IN
    Posts
    1,748
    DizixCom, yea it could have been.. Maybe they did know about it yet. From the date on Symantec we did the update 2 days before the worm came out.. That was the only odd thing. But it could have been around a few days before they got it..
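
An added triage sketch, not part of any post in this thread: it checks a directory for the two file names given in post #1, compares each artifact's modification time with the httpd binary's (the timing question raised in posts #6 and #7), and flags Apache versions before 1.3.26. The function names and the httpd binary argument are assumptions.

```shell
#!/bin/sh
# Added example. Only the names .uua and .a (under /tmp) come from the thread;
# function names and the optional httpd path are hypothetical.

# version_lt A B: succeed if dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# scalper_triage DIR APACHE_VERSION [HTTPD_BINARY]
# Returns 0 if neither artifact exists in DIR, 1 if at least one does.
scalper_triage() {
    dir=$1; ver=$2; httpd=${3:-}
    found=0
    for name in .uua .a; do
        f="$dir/$name"
        [ -e "$f" ] || continue
        found=1
        echo "ARTIFACT $f"
        ls -ld "$f"          # record owner, size and mtime before removal
        if [ -n "$httpd" ] && [ -e "$httpd" ]; then
            # mtime is only a hint: it can be reset by whoever wrote the file.
            if [ "$f" -ot "$httpd" ]; then
                echo "  older than $httpd: written before the binary was last replaced"
            else
                echo "  not older than $httpd: written after the binary was last replaced"
            fi
        fi
    done
    if version_lt "$ver" 1.3.26; then
        echo "APACHE $ver predates 1.3.26 (chunked-encoding fix)"
    fi
    return $found
}

# Example call (binary path is an assumption, adjust to the install):
#   scalper_triage /tmp 1.3.26 /usr/local/sbin/httpd
```

An artifact older than the upgraded binary is consistent with a compromise that happened before the upgrade, which is the explanation offered in post #6.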
