Re: [SLUG] Apache Worm

From: John Oakes (john@networkproductions.net)
Date: Sun Jun 30 2002 - 02:39:57 EDT


----- Original Message -----
From: "Bill" <bill@organic-earth.com>
To: <slug@nks.net>
Sent: Sunday, June 30, 2002 12:21 AM
Subject: Re: [SLUG] Apache Worm

> On Saturday 29 June 2002 23:51, you wrote:
> > ----- Original Message -----
> > From: "Bill" <bill@organic-earth.com>
> > To: <slug@nks.net>
> > Sent: Saturday, June 29, 2002 3:14 PM
> > Subject: [SLUG] Apache Worm
> >
> > > So what, exactly, does the Apache worm do?
> > >
> > > I am running the advanced extranet version of Apache and the
> > > tripwire.cfg file has gone missing.
> > >
> > > I got the OpenSSH upgrade made but it doesn't look like I moved fast
> > > enough for the Apache exploit.
> >
> > I thought the current version of the new Apache worm only spread to
> > FreeBSD?
>
> The reports are somewhat unclear as to what is, and what is not, affected.
> I thought that only 64 bit systems could actually be taken over and that
> 32 bit systems would fail ... but not yield an exploitable advantage except
> that Apache was knocked down. Something about the address space length or
> whatever. The original report said one thing and then there was an
> addendum that said "Oh wait ... this is worse than we thought."

This initial 64 bit talk was just guesses, the exploit that finally emerged
does claim to work on 32 bit systems. However, the exploit released
publicly only targets BSD, they claim to have a version for Linux, who knows
if it is true. Much of the talk also claims that it will just kill the
child process handling the request, I don't really believe this. Right
before the vulnerability became publicly available, I had a company I help
out sometimes call me and say their web server wasn't working. The server
was up and running, somehow Apache had got killed. No one had logged onto
this system since the last time I logged on, so it wasn't killed manually.
I couldn't find anything in the logs either, or a core dump file anywhere.
Seeing as how I had no way to determine how this process died, I eventually
just restarted it, and it worked fine. Shortly after this the Apache
vulnerability became public. I have been using Apache for years, never has
it died on me before. I don't think it is a coincidence. There have also
been other people on this mailing list reporting the same thing, the Apache
process has totally disappeared. The parent Apache process does run as
root, so the fact that something is killing this worries me. I don't think
we have heard the end of this Apache problem.

>
> I am running Mandrake 8.0 with kernel 2.4.17 and all current patches
> available through MandrakeUpdate applied. According to phpinfo.php, my
> current Apache level is Apache-AdvancedExtranetServer/1.3.22.
>
> If not this worm, what DID cause tripwire to stop running? It says its
> database is missing. When I follow instructions to reconstruct it, it
> seems to do so and exit politely. But the next email notification is just a
> two-liner telling me that the database can not be found and to rebuild it.

I still doubt you were rooted through this Apache problem, but who knows. A
quick glance at the source code of the worm looks like it is using the
memcpy() BSD vulnerability, so if it was an Apache worm I don't think it was
this one. Of all the files magically disappearing on the system, the
Tripwire database would really worry me! Now it is difficult to tell if
your binaries were replaced. Have you run chkrootkit?

John Oakes

>
> --
> 12:07am up 4 days, 6:05, 2 users, load average: 0.00, 0.00, 0.00
>
> "I'm thinking of going back to Windows;
> in Linux, none of the viruses seem to work."
>
> http://organic-earth.com
> Organic urban gardening. With photos.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 13:09:11 EDT