[Dshield] FW: Apache worm in the wild

Tim Rushing dshield at threenorth.com
Fri Jun 28 21:25:13 GMT 2002


I haven't, but according to the referenced site, the attack first does a 
simple "GET / HTTP/1.1" followed by a POST if the web server seems vulnerable.

I have a hosted server with 4 IP addresses that is running a patched Red 
Hat server that will report itself as 1.3.22.  I saw the following on 26 June:

68.36.145.182 - - [26/Jun/2002:21:02:51 -0500] "HEAD / HTTP/1.1" 200 0
68.36.145.182 - - [26/Jun/2002:21:02:51 -0500] "HEAD / HTTP/1.1" 200 0
68.36.145.182 - - [26/Jun/2002:21:02:51 -0500] "HEAD / HTTP/1.1" 200 0
68.36.145.182 - - [26/Jun/2002:21:02:51 -0500] "HEAD / HTTP/1.1" 200 0
68.36.145.182 - - [26/Jun/2002:21:02:51 -0500] "POST /x.html HTTP/1.1" 400 338
68.36.145.182 - - [26/Jun/2002:21:02:51 -0500] "POST /x.html HTTP/1.1" 400 336
68.36.145.182 - - [26/Jun/2002:21:02:56 -0500] "POST /x.html HTTP/1.1" 400 341
68.36.145.182 - - [26/Jun/2002:21:02:56 -0500] "POST /x.html HTTP/1.1" 400 341

Note, this used a HEAD not a GET to determine vulnerability, but it was 
followed by a POST.  I have no idea if this was an exploit attempt or not.

          ---Tim Rushing

At 01:44 PM 6/28/02 -0400, you wrote:
>Greetings,
>
>Has anyone seen more information on this?
>
>Thanks,
>
>Sunil
>
>-----Original Message-----
>From: Domas Mituzas [mailto:domas.mituzas at microlink.lt]
>Sent: Friday, June 28, 2002 7:02 AM
>To: freebsd-security at freebsd.org
>Cc: bugtraq at securityfocus.com; os_bsd at konferencijos.lt
>Subject: Apache worm in the wild
>
>
>Hi,
>
>our honeypot systems trapped a new Apache worm (+trojan) in the wild. It
>traverses through the net, and installs itself on all vulnerable Apaches
>it finds. No source code is available yet, but I put the binaries into a public
>place, and more investigation is to be done.
>
>http://dammit.lt/apache-worm/
>
>Regards,
>Domas Mituzas
>
>Central systems @ MicroLink Data
>
>
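
Added example (not part of the original post or of the referenced analysis): a log check for the sequence described above, a HEAD or GET of / followed shortly by a POST from the same client. The function name and the 30-second window are assumptions; a match only flags the sequence for review and does not establish that an exploit was attempted.

```python
import re
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# The first three lines are taken from the post above. The last two are
# constructed (documentation address 192.0.2.10) to show a client that
# fetches / and POSTs much later, which should not be flagged.
SAMPLE = """\
68.36.145.182 - - [26/Jun/2002:21:02:51 -0500] "HEAD / HTTP/1.1" 200 0
68.36.145.182 - - [26/Jun/2002:21:02:51 -0500] "POST /x.html HTTP/1.1" 400 338
68.36.145.182 - - [26/Jun/2002:21:02:56 -0500] "POST /x.html HTTP/1.1" 400 341
192.0.2.10 - - [26/Jun/2002:21:03:10 -0500] "GET / HTTP/1.1" 200 2890
192.0.2.10 - - [26/Jun/2002:21:40:00 -0500] "POST /form.cgi HTTP/1.1" 200 512
"""

def find_probe_then_post(lines, window=timedelta(seconds=30)):
    """Return {host: [POSTed paths]} for clients that requested "/" with
    HEAD or GET and then sent a POST within `window` (assumed threshold)."""
    last_probe = {}  # host -> time of its most recent HEAD/GET of "/"
    hits = {}
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # skip malformed or non-CLF lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        host, method, path = m["host"], m["method"], m["path"]
        if method in ("HEAD", "GET") and path == "/":
            last_probe[host] = ts
        elif method == "POST" and host in last_probe:
            # Only count POSTs that closely follow the banner probe.
            if timedelta(0) <= ts - last_probe[host] <= window:
                hits.setdefault(host, []).append(path)
    return hits

if __name__ == "__main__":
    for host, paths in find_probe_then_post(SAMPLE.splitlines()).items():
        print(f"{host}: probe of / followed by {len(paths)} POST(s) to {sorted(set(paths))}")
```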