[27050] in bugtraq
RE: bugtraq.c httpd apache ssl attack
daemon@ATHENA.MIT.EDU (Sandu Mihai Eduard)
Tue Sep 17 13:19:12 2002
Reply-To: <mihai.sandu@kpnqwest.ro>
From: "Sandu Mihai Eduard" <mihai.sandu@kpnqwest.ro>
To: <adamkuj@gatordog.com>, <bugtraq@securityfocus.com>
Date: Mon, 16 Sep 2002 19:13:02 +0300
Message-ID: <KCEHKILNFFNMBOLBBLCKEEHDJGAA.mihai.sandu@kpnqwest.ro>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20020913145015.J11388-100000@mccoysworld.com>
The worm is an AGENT, because it accepts commands throughout the global P2P
network created ad-hoc between its instances. One of such commands is
'execute local command on target' (see source, command code: 0x24) and this
thing can be used to terminate the worm instantly, by injecting the command
'killall .bugtraq' in the P2P network. The worm's instances will self
destruct in this way. I am puzzled that anyone did not thought of that...
All my best,
Sandu Mihai - KPNQwest Romania Network Engineer
-----Original Message-----
From: adamkuj@gatordog.com [mailto:adamkuj@gatordog.com]
Sent: 13 September 2002 21:51
To: bugtraq@securityfocus.com
Subject: Re: bugtraq.c httpd apache ssl attack
Wouldn't it be easier to create a blank /tmp/.bugtraq.c file, chmod 000,
owned by root?
On Fri, 13 Sep 2002, The Little Prince wrote:
>
> too easy to chmod 700 gcc to lock it to root?
> obviously not as a TOTAL fix
>
> -Tony
>
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
> Anthony J. Biacco Network
Administrator/Engineer
> thelittleprince@asteroid-b612.org
http://www.asteroid-b612.org
>
> "Every day should be a good day to die" -DJM
>
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
>
> On 13 Sep 2002, Fernando Nunes wrote:
>
> >
> >
> > I am using RedHat 7.3 with Apache 1.3.23. Someone used the
> > program "bugtraq.c" to explore an modSSL buffer overflow to get access
to
> > a shell. The attack creates a file named "/tmp/.bugtraq.c" and compiles
it
> > using gcc. The program is started with another computer ip address as
> > argument. All computer files that the user "apache" can read are
exposed.
> > The program attacks the following Linux distributions:
> >
> > Red-Hat: Apache 1.3.6,1.3.9,1.3.12,1.3.19,1.3.20,1.3.22,1.3.23,1.3.26
> > SuSe: Apache 1.3.12,1.3.17,1.3.19,1.3.20,1.3.23
> > Mandrake: 1.3.14,1.3.19
> > Slakware: Apache 1.3.26
> >
> > Regards
> > Fernando Nunes
> > Portugal
> >
> >
>
> --
>
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
> Anthony J. Biacco Network
Administrator/Engineer
> thelittleprince@asteroid-b612.org
http://www.asteroid-b612.org
>
> "Every day should be a good day to die" -DJM
>
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
>
>
