Apache Worm in the Wild 85
codewolf writes "It has been reported to bugtraq by Domas Mituzas that a worm that exploits the Apache chunk bug has been found in the wild. Information on the worm can be found here. More information on the Apache bug can be found here, and patches can either be made by modifying your config file or upgrading your Apache version."
I love Apache (Score:1, Funny)
Re:I love Apache (Score:2, Informative)
Keeping things like this under your hat is exactly how worms get out of control. This hole was fixed 2 weeks ago; if you have not fixed your site by now, this is your final warning. If you know any other Apache admins, you should be a nice guy and send them an email to make sure that their site is fixed.
When Micro$oft kept quiet about those IIS vulnerabilities, many IIS installs went unpatched. (Ok, if you were a good admin you knew about them, but most sites do not have good admins.) This by itself was not a problem, but then Nimda and Code Red hit. Tons of systems ripe for the picking!
Any system will have bugs (some more than others, but that is not the point here) and a certain percentage of those bugs will be security vulnerabilities. No matter how hard you try to debug the system, there will be some security hole left to be discovered. The best action is to make sure that everybody who has that system running knows about the hole before it becomes a problem.
Re:I love Apache (Score:2)
Re:I love Apache (Score:1)
Re:I love Apache (Score:1, Insightful)
http://www.worldtechtribune.com/worldtechtribune/asparticles/buzz/bz07022002.asp [worldtechtribune.com]
"Finley Peter Dunne, a Chicago journalist in the early 20th Century, noted that a journalist was to comfort the afflicted and afflict the comfortable. To most journalists, Microsoft, with billions of dollars in the bank and millions of customers, is viewed as comfortable. Open source software, a development dogma steeped in European socialism with few success stories to its credit, is viewed as afflicted. This kind of pragmatism is nothing new to journalists: In the eyes of most elite tech media journalists, it's more 'fair' to afflict the comfortable Microsoft than it is to beat up on the poor, afflicted Apache developers."
I hate the lack of freedom imposed on the world by Mico$loth, but the worst thing would be if Apache turned into some kind of lying, closed, corporate slug! How can we in the Open Source community say we love free speech if we are going to hide or cover up issues? We must remain open at all costs to show the closed sourcers we won't stoop to their level.
Slashdot (Score:2, Funny)
Can I be infected by posting this?
Based off of Gobbles proof of concept? (Score:2, Insightful)
This exploit brought to you by the letters ISS (Score:2, Interesting)
When is the security end-user community going to come together and fight this as a united front? Make the repercussions for releasing exploit code so financially devastating that companies will tremble in fear of releasing -anything- without following proper disclosure [vulnwatch.org].
Perhaps litigation and financial awards would be a good start. I know eEye should owe me some money for their wonderful disclosure principles last summer. It was a long weekend rebuilding all our ftp servers.
Re:This exploit brought to you by the letters ISS (Score:2)
Now, I must admit that MS and others are getting better, but it is still not certain that they will pay attention to various bug reports.
I also think that a broader view is required. One must also look at the original publisher/programmer, and determine their liability. Is it NTBugTraq's fault for discussing the exploit, or is it Microsoft's fault for ignoring it and/or having the bug in the first place?
I agree with what you are saying, but am not sure that it goes far enough.
Re:This exploit brought to you by the letters ISS (Score:1)
I think that BugTraq and its ilk are valuable tools for the discussion and dissemination of information, and I admittedly would be lost without them.
I have no problems with liability being ascribed to the software house when an exploit is disclosed and nothing is done to fix it. Financial awards are the only thing that is going to wake the industry up from its casual disregard.
What I do think turns the tables is when the security company releases proof-of-concept code into the mailing lists of the world. BugTraq is a lifesaver. I wouldn't be adequately informed without it. However, I don't think for a second that easily half the subscribers to the list are script kiddies looking for some nice code to drop in their lap. In this case, I think the liability points directly to the security company for failure to use common sense and good disclosure practices.
Can you imagine what would happen if everyone who was affected by a worm generated from proof-of-concept code filed a class action against the company that released the code? If each plaintiff only sued for man hours lost, the damages would be astronomical. This weapon could be wielded at Microsoft or any other company as well that failed to patch an exploit that was reported diligently using best-practices, and later used as a worm.
Usually the only way to make companies listen is to hit them where they'll notice.
Re:This exploit brought to you by the letters ISS (Score:1)
Re:This exploit brought to you by the letters ISS (Score:2)
Each vulnerability has to be announced with great fanfare, wrapped up in copyright statements, insistence on proper credit being given, and of course the oh so popular naming of the incident, like "weave-apache-043 vulnerability notice."
Here's a few examples from recent bugtraq:
Now, before you can get that great reputation as a security know-it-all, you have to get your advisory out there. Notifying the vendor quietly so they can do the right thing doesn't serve your immediate needs, and that's publicity. And heaven help the vendor if you do notify them and they don't give you proper credit, else next time you'll just bypass them. Smacks of blackmail, eh?
The entire security industry just seems chaotic and unprofessional. A lot is riding on doing this right. Hiding this behind a super sekret cabal of "trusted" groups with a high cost of entry to the group isn't the answer, but I don't believe rushing to publish working proof of concept exploits is the answer either.
If the medical community operated like this, then the first person who identified a horrible disease would notify the drug companies and give them 30 days to come up with a cure, then after 30 days, go public, give out samples to anyone who asks with a disclaimer like "This is for educational purposes only, do not release it into the wild, we are not responsible" and then get the press to hype the fact that everyone is in great danger because some bad person could be releasing this at any moment.
Re:This exploit brought to you by the letters ISS (Score:1)
Well, in the US of A they're working on accepting 0 (as in zero) responsibility for flaws in their products as a matter of law. Check these resources online for info about the UCITA.
Computer Professionals for Social Responsibility [cpsr.org]
InfoWorld [infoworld.com]
Americans for Fair Electronic Transactions [4cite.org]
One interesting provision, as described on the CPSR page and related to your ideas which I quoted, is:
One other interesting aspect of this abomination is the right of the vendor to change the terms of the license, at any time, before or after the original transaction.
This battle is fought state by state, in the state legislatures. Somebody in your state capital needs to know if you don't like what UCITA means for you.
ah, that explains it.... (Score:1)
Re:ah, that explains it.... (Score:1)
Offtopic == they dont get it
In this particular case, I think your signature is going to be right on target...
For those that don't get it, that's the public IP for
Re:ah, that explains it.... (Score:1)
Overkill for simple reverse DNS, I know, but way cooler.
BTW, can anyone identify wlhm? okbr seems to be Oak Brook, IL., but then it's mysteryland.
Re:Not building right -- Anyone else? (Score:1)
Re:Not building right -- Anyone else? (Score:1)
#declare FALSE 0
rather.
Re:Not building right -- Anyone else? (Score:1)
#define TRUE 1
#define FALSE 0
Re:Not building right -- Anyone else? (Score:2)
Cheers,eh.
Things to Try (Score:3, Informative)
Of course, the sensible, long term solution is to upgrade to 1.3.26, but as a short term fix this may work (I've not tried it btw - I just upgraded
Re:Things to Try (Score:1)
#!/bin/sh
WORM='/tmp/.a'
if [ -f "$WORM" ] ; then
    echo 'APACHE WORM DETECTED'
    rm "$WORM" ||
        echo "ERROR: Was unable to delete $WORM"
fi
If this runs as a cron, the output will be mailed to you.
Re:Things to Try (Score:2)
If you set the sticky bit on the directory (most tmps have it set already) the file can't be removed unless the owner of the rm process and the owner of the file match. Then the cat should fail.
Also try chflags if you're running on FreeBSD (other BSDs probably have equivalents).
Re:Things to Try (Score:1)
Something like:
touch
chmod 000
chattr +i
would make that file immutable. Not even root can touch it until root does chattr -i.
And now you know why I run ext3
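As an added example (not code from this thread, from the worm, or from Apache), here is a fuller version of the cron check posted above: it looks for the worm's dropper file in /tmp, reports it instead of silently deleting it, and also parses the output of httpd -v so the same cron job flags a build older than 1.3.26, the fixed release named in this thread. The file name /tmp/.a comes from the script above; the httpd binary name and the "Server version: Apache/x.y.z" string format are assumptions, so adjust them for your install.

```shell
#!/bin/sh
# Added example: cron-style check for the Apache worm dropper and for an
# unpatched Apache. Illustrative code, not the thread's or Apache's own.
# Assumptions: the dropper lands at /tmp/.a (as in the posted script), and
# `httpd -v` prints a line like "Server version: Apache/1.3.26 (Unix)".

WORM_NAME='.a'
FIXED_VERSION='1.3.26'

# version_ge A B : succeed if dotted version A >= B, comparing numerically
# field by field (so 1.3.9 < 1.3.26, unlike a plain string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0 }'
}

# apache_is_patched "Server version: Apache/1.3.26 (Unix)"
# succeed if the version string is at or above FIXED_VERSION;
# return 2 if no Apache version can be found in the string.
apache_is_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's#.*Apache/\([0-9][0-9.]*\).*#\1#p')
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$FIXED_VERSION"
}

# check_tmp DIR : report the dropper file if present (return 1), else 0.
# Reporting rather than deleting keeps the sample for `strings` and for
# working out how the box was hit; the sticky bit / chattr +i tricks in
# this thread stop the worm from replacing it anyway.
check_tmp() {
    dir=$1
    if [ -e "$dir/$WORM_NAME" ]; then
        echo "APACHE WORM DETECTED: $dir/$WORM_NAME"
        ls -l "$dir/$WORM_NAME"
        return 1
    fi
    return 0
}

main() {
    rc=0
    check_tmp /tmp || rc=1
    if command -v httpd >/dev/null 2>&1; then
        banner=$(httpd -v 2>/dev/null | head -n 1)
        if ! apache_is_patched "$banner"; then
            echo "WARNING: Apache older than $FIXED_VERSION: $banner"
            rc=1
        fi
    else
        echo "NOTE: httpd not on PATH, version not checked"
    fi
    return $rc
}

# Run the checks only when invoked as `sh thisscript.sh --run` (e.g. from
# cron); sourcing the file just defines the functions.
[ "${1:-}" = "--run" ] && main
```

Under cron, anything the script prints is mailed to you, as the original poster notes; a non-zero exit also lets a wrapper or monitoring job pick it up.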
Scary: strings of the code worms (Score:2, Interesting)
For those of you that like the horror stories, here are some excerpts of # strings .a (of the linux version of course).
Re:Scary: strings of the code worms (Score:2)
If I meet the worm writer - I'm tempted to throttle him on one hand, and shake his hand on the other. It's kinda like a house burglar who steals all your top-ramen and doesn't take your expensive jewelry. Annoying, but in the long run, there wasn't much damage and your security system has been debugged.
Tough call.
Re:Scary: strings of the code worms (Score:2)
Awfully clever way for Mozilla to gain market share
Re:Scary: strings of the code worms (Score:1)
And why is this not on the front page? (Score:4, Flamebait)
It would appear that the security advisories posted on this site are not there to HELP admins, but instead to bash those you don't like.
Re:And why is this not on the front page? (Score:1)
Well, /. has never advertised itself as the top-notch advisory source you want to connect to... They have a lot of claims, but not that one indeed.
Generally, if you really are a security admin, you look at bugtraq, etc. etc.
OTOH, sorry for the Mozilla/Netscape mistake: you are damn right.
And no, this is not all it does: I did forget to mention it infected unpatched apache servers didn't I ? So I probably forgot a lot more ;->
Re:And why is this not on the front page? (Score:2, Informative)
Here's [slashdot.org] the /. story of the bug (was on front page, 17 june), and
here's [slashdot.org] the story of the release a day later of an update FIXING the bug.
Obviously this worm only affects ppl who have not updated their apache, and to laugh at your 'IIS swiss cheese' which seems to take a couple of months before a fix is released (not to mention the foolish concept that you can hide any bug via security through obscurity)
Re:And why is this not on the front page? (Score:2)
And to add insult to injury, there is a front page story about some OS X security items with no mention of this apache worm, just that Apache has been upgraded.
Now tell me this, are there more Apache admins reading the front page or Apple users?
Having this story here and NOT on the front page is laughable and does not frame the "open source community", one of which slashdot is a corner stone, in a positive light. It shows that they are just as willing to obscure security problems and flaws in their preferred products as those who they despise for using MS products.
Re:And why is this not on the front page? (Score:1)
I feel this is not a security advisory site and it also is not the "admin help" site. As far as I know it's news for nerds.
They did have it on the frontpage some days ago when the bug was news. The only ones who could be complaining now would be some of the lazy admins who don't care enough to fix it before the worms appear.
I suppose it is not in the frontpage because this is not exactly interesting news to most of the people.
Re:And why is this not on the front page? (Score:1)
Are you out of your fucking mind?? NOT interesting news? Please. This is like posting a report about a buffer overflow in the hta parser in IIS on the front page, but never posting a story about Code Red and variants.
This is a really lame attempt at a cover-up, plain and simple. This site is the first to bash IIS, but when the real hole hits, the one that affects the product they all tout as being the best, the one that is apparently used by most of the web servers on the Internet, well, we like to hide that one around here.
Slashdot is finally showing its true colors. This site is about as unbiased as Salon.com.
Re:And why is this not on the front page? (Score:1)
Re:And why is this not on the front page? (Score:1)
Quit bitching (Score:2, Insightful)
As a note to moderators: this is not insightful. The first time someone has an idea, that is insightful. The millionth time is redundant.
Is this x86 only? (Score:3, Interesting)
Re:Is this x86 only? (Score:4, Informative)
It appears to be based on the GOBBLES exploit which was released a few days ago, which was BSD only in the form posted on BugTraq. However, GOBBLES claim their exploit can be modified to work on OpenBSD, FreeBSD, Linux 2.4, and Solaris.
There have also been claims that Win32 Apache is vulnerable, although I haven't seen an exploit on BugTraq. If GOBBLES is correct, then it's only going to be a matter of time before this worm is polished up and set out into the wild in a form that can hit just about everyone. Hell, with some work, maybe a good hacker could clean it up, add it with the Nimda code and hit just about everything under the sun.
Re:Is this x86 only? (Score:1)
In this case, the Apache upgrade was so painless (and I even had the slight complication of mod_ssl) that there's no excuse not to upgrade.
Better Solution (Score:2, Troll)
Source code link (Score:2, Informative)
Re:Source code link (Score:2)
lines are terminated with CRLF, and indents are literal tabs, rather than a couple of spaces. my guess is it was written in notepad.
/me suppresses a giggle at the expense of people who code in notepad.
Re:Source code link (Score:2, Funny)
isn't this big news? (Score:1)
Re:isn't this big news? (Score:3, Insightful)
(Time to blow some karma.)
Because it isn't IIS.
I don't use Microsoft products. I use Apache, at work and at home, on Linux and FreeBSD. But I also recognize hypocrisy when I see it. This is the Code Red of the Apache world. So far as "News for Nerds. Stuff that matters" it's more significant than 95% of what appears on the front page.
CT and the Slashdot crew should hang their heads in shame.
Re:isn't this big news? (Score:1)
Yes, it's pretty primitive. It appears to have been hacked together based on an exploit that was published just a few days ago. But there is little, other than greater vigilance on the part of Apache webmasters (as opposed to IIS's) to prevent a succession of worms that ultimately will rival in sophistication and virulence anything IIS has seen.
I thought it was pathetic how a couple hundred thousand IIS servers stayed unpatched for so long, but it will be even more pathetic if the same happens to Apache. This is a chance for us to prove how much better open source can handle these situations. And I think there is a good chance that we will do just that. But that means that the word has to be spread as far as possible, not just to people who subscribe to Apache mailing lists or who read the Apache section on a website like Slashdot. And, face it, there are plenty of people out there running Apache who are two thoughts short of a clue. You can criticize ignorant webmasters all you want, but that doesn't change the fact that, for better or worse, what they do (or don't do) will reflect on all of us.
Re:isn't this big news? (Score:1)
We'll find out soon enough.
Re:isn't this big news? (Score:3, Insightful)
Yeah, and it appears that a Windows Media EULA "revelation" regarding a change (that has been in effect for a while from what I understand) is also front page news.
So in slashdot's opinion, more "Nerds" are interested in the EULA of an app they probably don't even use than a major security issue with the web server the vast majority of them do use.
The thing is, anti-MS posts generate more comments, i.e. ad views which equals $$$, while the truth about rampant open source vulnerabilities (in all OS's and major services) only hurt this site overall since when it's proven that open source is just as bad as proprietary software in this regard, all the slashdot rank and file will stop drinking the koolaid.
Very cheap workaround (Score:1, Informative)
# cd
# touch
# chattr +i
# exit
This should hold the worm off until I get the chance to do a proper upgrade. I've got too much of a headache to recompile Apache and try to get all the modules I want working right now.
Standard disclaimer: this workaround should not be used by anyone who actually wants protection against this exploit.
someone should write a whitehat worm? (Score:1)
Possible workaround? (Score:2, Interesting)
FYI, running on cable in the ever-popular 24