Apache (Linux?) Worm
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Apache (Linux?) Worm
- From: Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com>
- Date: Fri, 13 Sep 2002 21:01:33 -0700
It seems there's a new worm out there working its way through
systems with Apache and vulnerable OpenSSL installations:

http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html

First, I'll assume that OpenBSD systems with patch 13 for 3.1 (or
equivalent) don't have the buffer overflow needed for this. Having
said that, it's not entirely clear to me that it's a pure Linux
critter, and that's what I'm curious about. Are those (idiots)
with unpatched OpenBSD installations vulnerable?

Specifically, the advisories I've seen say that the worm relies on
the presence of /bin/sh and gcc and the ability to execute i386
shellcode. One would need to see the sh code to know if it's too
dependent on bash to work with OpenBSD's ksh, but will shellcode
targeted for Linux i386 run on OpenBSD 386? If not, does the
presence of Linux emulation change things?

In any event, Theo's decision to run Apache in a chroot starting
with 3.2 is proving its wisdom even before the release date.

Cheers,
b&
--
Ben Goren
mailto:ben_(_at_)_trumpetpower_(_dot_)_com
http://www.trumpetpower.com/
icbm:33o25'37"N_111o57'32"W