Bugtraq mailing list archives

RE: bugtraq.c httpd apache ssl attack


From: "Sandu Mihai Eduard" <mihai.sandu () kpnqwest ro>
Date: Mon, 16 Sep 2002 19:13:02 +0300

The worm is an AGENT, because it accepts commands throughout the global P2P
network created ad-hoc between its instances. One such command is
'execute local command on target' (see source, command code: 0x24) and this
can be used to terminate the worm instantly, by injecting the command
'killall .bugtraq' in the P2P network. The worm's instances will
self-destruct in this way. I am puzzled that no one has thought of that...

All my best,
            Sandu Mihai - KPNQwest Romania Network Engineer



-----Original Message-----
From: adamkuj () gatordog com [mailto:adamkuj () gatordog com]
Sent: 13 September 2002 21:51
To: bugtraq () securityfocus com
Subject: Re: bugtraq.c httpd apache ssl attack


Wouldn't it be easier to create a blank /tmp/.bugtraq.c file, chmod 000,
owned by root?

On Fri, 13 Sep 2002, The Little Prince wrote:


too easy to chmod 700 gcc to lock it to root?
obviously not as a TOTAL fix

-Tony

.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco                  Network Administrator/Engineer
thelittleprince () asteroid-b612 org
http://www.asteroid-b612.org

             "Every day should be a good day to die"   -DJM

.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.

On 13 Sep 2002, Fernando Nunes wrote:



I am using RedHat 7.3 with Apache 1.3.23. Someone used the program
"bugtraq.c" to exploit a modSSL buffer overflow to get access to a shell.
The attack creates a file named "/tmp/.bugtraq.c" and compiles it using gcc.
The program is started with another computer's IP address as argument. All
computer files that the user "apache" can read are exposed.
The program attacks the following Linux distributions:

Red-Hat: Apache 1.3.6,1.3.9,1.3.12,1.3.19,1.3.20,1.3.22,1.3.23,1.3.26
SuSe: Apache 1.3.12,1.3.17,1.3.19,1.3.20,1.3.23
Mandrake: 1.3.14,1.3.19
Slackware: Apache 1.3.26

Regards
Fernando Nunes
Portugal



--

.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco                  Network Administrator/Engineer
thelittleprince () asteroid-b612 org
http://www.asteroid-b612.org

             "Every day should be a good day to die"   -DJM

.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
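
The host-side checks suggested in this thread (the empty /tmp/.bugtraq.c placeholder, a root-only gcc, a process named .bugtraq), written as an added example that is not part of any poster's message. The function names, the --live switch and the /usr/bin/gcc fallback are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread: read-only triage for the artifacts it names.

# Classify the drop path (/tmp/.bugtraq.c in the thread):
#   absent  - nothing there
#   decoy   - empty regular file, mode 000, owned by the expected uid (default 0)
#   suspect - anything else, including a symlink or a non-empty file
dropfile_state() {
    f=$1; want_uid=${2:-0}
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then echo absent; return; fi
    if [ -L "$f" ] || [ ! -f "$f" ]; then echo suspect; return; fi
    set -- $(ls -lnd "$f")      # $1 mode string, $3 numeric uid, $5 size
    case $1 in
        ----------*)
            if [ "$3" = "$want_uid" ] && [ "$5" = 0 ]; then echo decoy; return; fi ;;
    esac
    echo suspect
}

# Classify a compiler binary: owner-only (the chmod 700 idea), shared, or missing.
compiler_state() {
    [ -e "$1" ] || { echo missing; return; }
    set -- $(ls -lnLd "$1")     # -L: judge the target if gcc is a symlink
    case $1 in
        ???[xs]??-??-*) echo owner-only ;;   # no group or other execute bit
        *)              echo shared ;;
    esac
}

# Read "PID COMM" lines (e.g. from: ps -e -o pid= -o comm=) and print the PIDs
# whose command name is .bugtraq, the name 'killall .bugtraq' would match.
worm_pids() {
    awk '{ n = split($2, p, "/"); if (p[n] == ".bugtraq") print $1 }'
}

# Live check on this host; runs only when invoked with --live.
# /usr/bin/gcc is an assumed fallback when gcc is not on PATH.
if [ "${1:-}" = "--live" ]; then
    echo "drop file: $(dropfile_state /tmp/.bugtraq.c)"
    echo "compiler:  $(compiler_state "$(command -v gcc || echo /usr/bin/gcc)")"
    echo "worm pids: $(ps -e -o pid= -o comm= | worm_pids | tr '\n' ' ')"
fi
```

A "suspect" result on the drop path or any PID from worm_pids means the host should be treated as compromised rather than cleaned in place.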






