RE: Apache worm in the wild

Beginning with 12.09.2002 we have noticed a variant of the Apache Worm
http://dammit.lt/apache-worm/apache-worm.c which now exploits a mod_ssl bug.
The worm can be identified by doing a ps -ax | grep bugtraq (it has the name
.bugtraq :) ).
It is an 'agent' worm (like its parent, Mr. Apache Worm), and can be
controlled / instructed to do a UDP Flood, TCP Flood, DNS Flood, other
goodies including command execution on the infected system. The source is found
in /tmp/.bugtraq.c ... and the comments are in English now :)

All my best,
Sandu Mihai - KPNQWest Romania Network Engineer


-----Original Message-----
From: Brett Glass [mailto:brett@lariat.org]
Sent: 28 June 2002 20:27
To: flynn@energyhq.homeip.net; Domas Mituzas
Cc: freebsd-security@FreeBSD.ORG; bugtraq@securityfocus.com;
os_bsd@konferencijos.lt
Subject: Re: Apache worm in the wild


At 05:38 AM 6/28/2002, flynn@energyhq.homeip.net wrote:

>I wonder how many variants of this kind of thing we'll see, but I assume most people
>running Apache have upgraded already.

Upgrading Apache may prevent your system from being taken over,
but it doesn't necessarily prevent it from being DoSed. One of
my Apache servers, which had been upgraded to 2.0.39, went berserk
on June 25th, spawning the maximum number of child processes and
then locking up. The server did not appear to have been infiltrated,
but the logs were filled with megabytes of messages indicating that
the child processes were repeatedly trying to free chunks of memory
that were already free. Probably the result of an attempted exploit
going awry. (It could have been aimed at Linux, or at a different
version of Apache; can't tell. But clearly it got somewhere, though
not all the way.)

--Brett
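
The check described in the first message (a process named .bugtraq and source in /tmp/.bugtraq.c), written as a script that does not match the grep process itself. This is an added example, not part of the original thread; the function names and the assumed `ps -ax` column layout (PID, TT, STAT, TIME, COMMAND) are assumptions.

```shell
#!/bin/sh
# Host check for the two indicators named in the post:
#   - a running process whose name is ".bugtraq"
#   - the worm source at /tmp/.bugtraq.c
# Function names and the ps column layout are assumptions of this example.

# scan_ps: read a `ps -ax` listing on stdin and print "PID COMMAND" for
# every process whose command basename is exactly ".bugtraq".
# Matching on the command field means `grep bugtraq` itself is not reported.
scan_ps() {
    awk '$1 ~ /^[0-9]+$/ {
        cmd = $5                 # first word of the COMMAND column
        sub(/^.*\//, "", cmd)    # strip any leading directory
        if (cmd == ".bugtraq") print $1, $5
    }'
}

# scan_tmp DIR: print the path of the worm source if it exists in DIR
# (DIR defaults to /tmp, the location given in the post).
scan_tmp() {
    dir=${1:-/tmp}
    if [ -e "$dir/.bugtraq.c" ]; then
        printf '%s\n' "$dir/.bugtraq.c"
    fi
    return 0
}

# check_host: run both checks on the live system.
# Returns 1 and prints the findings if any indicator is present, else 0.
check_host() {
    hits=$( { ps -ax | scan_ps; scan_tmp /tmp; } 2>/dev/null )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf 'possible .bugtraq infection:\n%s\n' "$hits"
    return 1
}
```

Calling `check_host` from cron gives a non-zero exit status when either indicator is present. A clean result only means these two indicators are absent, since a process can change the name it shows in `ps`.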


