Message-ID: <20020914033742.GA5022@sigourney.mirizma.org>
From: solareclipse at phreedom.org (Solar Eclipse)
Subject: OpenSSL Worm ?

On Fri, Sep 13, 2002 at 07:54:08PM -0400, Jonathan Rickman wrote:
> On Fri, 13 Sep 2002, EPiC wrote:
> 
> > Here is the apache one that is going around right now..
> >
> > check for /tmp/.bugtraq and .bugtraq.c
> >
> > http://dammit.lt/apache-worm/apache-worm.c
> 
> Old news.
> 
> http://online.securityfocus.com/archive/1/279633

New news.

There is a new apache worm, based on the scalper worm from June.

The new variant has a new exploit section and targets Apache/SSL
servers, exploiting the recent vulnerability in OpenSSL 0.6.9d.

The exploit works on Linux servers running the following distributions:

struct archs {
    char *os;
    char *apache;
    int func_addr;
} architectures[] = {
    {"Gentoo", "", 0x08086c34},
    {"Debian", "1.3.26", 0x080863cc},
    {"Red-Hat", "1.3.6", 0x080707ec},
    {"Red-Hat", "1.3.9", 0x0808ccc4},
    {"Red-Hat", "1.3.12", 0x0808f614},
    {"Red-Hat", "1.3.12", 0x0809251c},
    {"Red-Hat", "1.3.19", 0x0809af8c},
    {"Red-Hat", "1.3.20", 0x080994d4},
    {"Red-Hat", "1.3.26", 0x08161c14},
    {"Red-Hat", "1.3.23", 0x0808528c},
    {"Red-Hat", "1.3.22", 0x0808400c},
    {"SuSE", "1.3.12", 0x0809f54c},
    {"SuSE", "1.3.17", 0x08099984},
    {"SuSE", "1.3.19", 0x08099ec8},
    {"SuSE", "1.3.20", 0x08099da8},
    {"SuSE", "1.3.23", 0x08086168},
    {"SuSE", "1.3.23", 0x080861c8},
    {"Mandrake", "1.3.14", 0x0809d6c4},
    {"Mandrake", "1.3.19", 0x0809ea98},
    {"Mandrake", "1.3.20", 0x0809e97c},
    {"Mandrake", "1.3.23", 0x08086580},
    {"Slackware", "1.3.26", 0x083d37fc},
    {"Slackware", "1.3.26", 0x080b2100}
};

But this doesn't mean that other Linux distributions can't be added.

The worm leaves no entry in httpd.log and does not crash Apache.
After exploiting the server, it uploads its source as /tmp/.bugtraq.c
and compiles it as /tmp/.bugtraq

The kiddies are surely having fun at the moment.


Solar Eclipse
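
A host check for the artifacts named in this message, as an added example that is not part of the original post or of the worm's source. The function names, the optional root argument (for checking a mounted disk image) and the sample tree are assumptions made for illustration; the process check relies on the Linux /proc layout.

```shell
#!/bin/sh
# Added example: look for the two files the post names, and for processes
# running from /tmp/.bugtraq, under a given filesystem root (default: /).

scan_bugtraq() {
    root="${1:-/}"; root="${root%/}"
    hits=0
    # 1. Uploaded source and compiled binary named in the post.
    for rel in tmp/.bugtraq.c tmp/.bugtraq; do
        f="$root/$rel"
        if [ -e "$f" ] || [ -L "$f" ]; then
            echo "file $f"
            hits=$((hits + 1))
        fi
    done
    # 2. Processes whose executable is /tmp/.bugtraq, including a binary that
    #    was unlinked after start (Linux appends " (deleted)" to the link).
    for p in "$root"/proc/[0-9]*; do
        [ -L "$p/exe" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/.bugtraq|"/tmp/.bugtraq (deleted)")
                echo "proc ${p##*/} $exe"
                hits=$((hits + 1)) ;;
        esac
    done
    [ "$hits" -eq 0 ]   # exit status 0 = clean, 1 = indicators present
}

# Constructed sample tree for trying the function offline: empty placeholder
# files plus fake proc entries (one mimicking an unlinked /tmp/.bugtraq).
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/tmp" "$d/proc/4242" "$d/proc/1"
    : > "$d/tmp/.bugtraq.c"
    : > "$d/tmp/.bugtraq"
    ln -s "/tmp/.bugtraq (deleted)" "$d/proc/4242/exe"
    ln -s /usr/sbin/httpd "$d/proc/1/exe"
    echo "$d"
}
```

Run `scan_bugtraq` with no argument as root on a live host so that every `/proc/<pid>/exe` link is readable; a clean result only means these particular artifacts are absent.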
