Security Incidents mailing list archives

Re: Chunked encoding worm on tcp/80


From: Bill McCarty <bmccarty () pt-net net>
Date: Tue, 25 Nov 2003 20:39:16 -0800

Hi all,

--On Tuesday, November 25, 2003 4:11 PM -0800 Bill McCarty <bmccarty () pt-net net> wrote:

> Does anyone recognize this worm code fragment obtained from Objdump?

This worm appears to be a golden oldie, Apache Slapper, as indicated by a match of its shellcode with that in the exploit given at <http://www.dammit.lt/apache-worm/apache-worm.c>, which is elsewhere identified as Slapper. Some sources mistakenly identify this exploit as Scalper. However, this exploit uses an HTTP POST rather than an HTTP GET and therefore can be readily distinguished from Scalper.

Cheers,

---------------------------------------------------
Bill McCarty
