Message-ID: <20020914033742.GA5022@sigourney.mirizma.org>
From: solareclipse at phreedom.org (Solar Eclipse)
Subject: OpenSSL Worm ?
On Fri, Sep 13, 2002 at 07:54:08PM -0400, Jonathan Rickman wrote:
> On Fri, 13 Sep 2002, EPiC wrote:
>
> > Here is the apache one that is going around right now..
> >
> > check for /tmp/.bugtraq and .bugtraq.c
> >
> > http://dammit.lt/apache-worm/apache-worm.c
>
> Old news.
>
> http://online.securityfocus.com/archive/1/279633

New news.

There is a new apache worm, based on the scalper worm from June.
The new variant has a new exploit section and targets Apache/SSL
servers, exploiting the recent vulnerability in OpenSSL 0.6.9d.

The exploit works on Linux servers running the following distributions:

struct archs {
    char *os;
    char *apache;
    int func_addr;
} architectures[] = {
    {"Gentoo", "", 0x08086c34},
    {"Debian", "1.3.26", 0x080863cc},
    {"Red-Hat", "1.3.6", 0x080707ec},
    {"Red-Hat", "1.3.9", 0x0808ccc4},
    {"Red-Hat", "1.3.12", 0x0808f614},
    {"Red-Hat", "1.3.12", 0x0809251c},
    {"Red-Hat", "1.3.19", 0x0809af8c},
    {"Red-Hat", "1.3.20", 0x080994d4},
    {"Red-Hat", "1.3.26", 0x08161c14},
    {"Red-Hat", "1.3.23", 0x0808528c},
    {"Red-Hat", "1.3.22", 0x0808400c},
    {"SuSE", "1.3.12", 0x0809f54c},
    {"SuSE", "1.3.17", 0x08099984},
    {"SuSE", "1.3.19", 0x08099ec8},
    {"SuSE", "1.3.20", 0x08099da8},
    {"SuSE", "1.3.23", 0x08086168},
    {"SuSE", "1.3.23", 0x080861c8},
    {"Mandrake", "1.3.14", 0x0809d6c4},
    {"Mandrake", "1.3.19", 0x0809ea98},
    {"Mandrake", "1.3.20", 0x0809e97c},
    {"Mandrake", "1.3.23", 0x08086580},
    {"Slackware", "1.3.26", 0x083d37fc},
    {"Slackware", "1.3.26", 0x080b2100}
};

But this doesn't mean that other Linux distributions can't be added.

The worm leaves no entry in httpd.log and does not crash Apache.
After exploiting the server, it uploads its source as /tmp/.bugtraq.c
and compiles it as /tmp/.bugtraq.

The kiddies are surely having fun at the moment.

Solar Eclipse
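
A host check for the two artifacts named in the message above, as an added example that is not part of the original post or of any project's code. The root and procfs arguments are hypothetical parameters so the check can run against a mounted disk image; the process scan assumes the compiled binary is executed, which the post does not state.

```shell
#!/bin/sh
# Added example: look for the artifacts named in the post above.
# Both functions take an optional path argument (hypothetical parameter) so
# they can be pointed at a mounted image or a test tree instead of the live host.

WORM_SRC="tmp/.bugtraq.c"   # source dropped by the worm (path from the post)
WORM_BIN="tmp/.bugtraq"     # binary compiled from it (path from the post)

# Print "FOUND file ..." per artifact under root $1; return 1 if any is found.
check_worm_files() {
    root="${1:-/}"; hits=0
    for rel in "$WORM_SRC" "$WORM_BIN"; do
        path="${root%/}/$rel"
        # -e misses dangling symlinks, so test -L as well
        if [ -e "$path" ] || [ -L "$path" ]; then
            echo "FOUND file $path"
            ls -ld "$path" 2>/dev/null   # owner and mtime help date the compromise
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Assumption (not stated in the post): the compiled binary is then executed.
# Scan the procfs tree $1 for processes whose exe link points at it, including
# the " (deleted)" form Linux shows when the file was unlinked after start.
check_worm_procs() {
    proc="${1:-/proc}"; hits=0
    for exe in "$proc"/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            "/$WORM_BIN"|"/$WORM_BIN (deleted)")
                pid=${exe%/exe}; pid=${pid##*/}
                echo "FOUND process pid=$pid exe=$target"
                hits=$((hits + 1)) ;;
        esac
    done
    [ "$hits" -eq 0 ]
}
```

Run `check_worm_files /` and `check_worm_procs /proc` as root on a live host; a non-zero return from either means an indicator was found. Reading other users' exe links requires root.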