[26001] in bugtraq
Re: Apache worm in the wild
daemon@ATHENA.MIT.EDU (wink)
Fri Jun 28 17:41:46 2002
Message-ID: <016901c21ecf$0e506ad0$a101000a@Lust>
From: "wink" <wink@deceit.org>
To: "Domas Mituzas" <domas.mituzas@microlink.lt>,
<freebsd-security@freebsd.org>
Cc: <bugtraq@securityfocus.com>, <os_bsd@konferencijos.lt>
Date: Fri, 28 Jun 2002 13:10:05 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Running strings on the binary amongst other things produces an ip address
(12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also:
FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)
I went ahead and touch'ed .a, .uua, and .log in /tmp and chflags to set them
immutable as I didn't see any real error handling on failed i/o operations.
Some other strings not mentioned yet are:
rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;
mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s
that's all i have time for at the moment.
