Date: 01 July 2002
References: ESB-2002.323 ESB-2002.328 ESB-2002.330 ESB-2002.334 ESB-2002.337 ESB-2002.351 ESB-2002.358 ESB-2002.421 ESB-2002.498
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2002.06 -- AUSCERT ALERT
Apache Worm
1 July 2002
===========================================================================
PROBLEM:
There is a worm in the wild exploiting Apache web servers
vulnerable to the chunked encoding problem reported in AusCERT
Advisory AA-2002.04. The worm, dubbed "Scalper", primarily targets
FreeBSD servers, but may affect other Unix and Linux
platforms.
No attacks by this worm against Australian web servers have been
reported to AusCERT at this time. However, as the source code for
the worm is publicly available and exploitation is occurring overseas,
it is likely to be only a matter of time before sites are affected
locally.
AusCERT recommends that members follow the steps under "MITIGATION"
below as soon as possible.
PLATFORM:
Primarily FreeBSD hosts running vulnerable Apache installations;
however, other Unix and Linux servers may be affected. Affected
Apache versions:
Apache 2.0 all versions up to 2.0.36
Apache 1.3 all versions including 1.3.24
Apache 1.2 all versions
This particular exploit is limited to IA32 (Intel 32 bit
architecture).
IMPACT:
o Sends the IP address of the web server to certain email addresses.
o Can perform DDoS.
o Can perform TCP, UDP, DNS, and e-mail flooding.
o Can allow malicious code to run on the web server.
o Allows unauthorized access to the infected machine.
DETAILS:
Scalper affects FreeBSD systems running a vulnerable version of
the Apache web server.
If the worm gains access to the server, it creates a temporary
file "/tmp/.uua", which is a uuencoded copy of the worm. This file is
decoded to "/tmp/.a" and executed, and the uuencoded file is removed.
At this point the worm sets up a backdoor on UDP port 2001 and starts
scanning a predefined set of Class-A networks. If the worm finds a
web server, it checks whether the server is running Apache and, if
so, attempts to infect it. While the exploit code that Scalper uses
will only infect systems running FreeBSD, these attempts will be
visible to Apache servers running on other platforms as well.
The backdoor component of the worm allows remote control of the
worm, sending of email, uploading of files and execution of
arbitrary programs. Programs are executed with the same user
privilege as the Apache server. The backdoor can also perform
different kinds of denial of service attacks against arbitrary
hosts.
The worm does not modify the system configuration, and it is
visible in the system process list as a process ".a". Scalper
can be removed from the system by deleting file "/tmp/.a" and
terminating the worm process with command "killall -9 .a". The
vulnerability used by the worm is fixed in Apache server versions
1.3.26 and 2.0.39.
The worm includes some DDoS tools. UDP port 2001 is used for
encrypted command communication, covering both TCP/UDP flooding
and e-mail flooding.
This exploit is limited to IA32 (Intel 32 bit architecture).
MITIGATION:
o Upgrade to a non-vulnerable version of the Apache web server.
o For sites implementing anti-virus protection, signatures are
available from some vendors.
AusCERT recommends that the Apache web server be upgraded as the
primary defence, regardless of the availability of anti-virus
protection. Sites should check with their anti-virus vendor for
updated signatures/patches.
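As an added example (not part of the AusCERT alert), the following POSIX shell script checks a host for the Scalper indicators listed under DETAILS (the "/tmp/.uua" and "/tmp/.a" files, the ".a" process and the UDP port 2001 backdoor) and tests an Apache version string against the fixed releases named in this alert. The function names and the directory argument are my own choices; the script assumes the usual BSD/Linux output formats of ps and netstat.

```shell
#!/bin/sh
# Host-side check for the Scalper indicators described in this alert.
# Constructed example: not AusCERT's code; "dir" argument exists so the
# check can be pointed at a test directory instead of /tmp.

# Returns 0 if the Apache version is vulnerable per the alert
# (all 1.2.x, 1.3.x before 1.3.26, 2.0.x before 2.0.39), 1 otherwise.
apache_version_vulnerable() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop suffixes like "-beta"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    case "$major.$minor" in
        1.2) return 0 ;;          # every 1.2 release is affected
        1.3) threshold=26 ;;      # fixed in 1.3.26
        2.0) threshold=39 ;;      # fixed in 2.0.39
        *)   return 1 ;;          # other branches are outside the alert
    esac
    [ "${patch:-0}" -lt "$threshold" ]
}

# Looks for the filesystem, process and network artefacts the alert lists.
# $1 = directory to inspect (default /tmp). Prints one line per finding;
# returns 0 if nothing was found, 1 if any indicator is present.
scalper_indicators() {
    dir="${1:-/tmp}"
    found=0
    for f in "$dir/.uua" "$dir/.a"; do
        if [ -e "$f" ]; then
            echo "INDICATOR: file $f present"
            found=1
        fi
    done
    # The worm shows up in the process list as a process named ".a".
    if ps -axo comm= 2>/dev/null | grep -qx '\.a'; then
        echo "INDICATOR: process '.a' running"
        found=1
    fi
    # Backdoor listens on UDP 2001; BSD prints "*.2001", Linux "0.0.0.0:2001".
    if netstat -an 2>/dev/null | grep -i udp | grep -q '[.:]2001 '; then
        echo "INDICATOR: UDP port 2001 bound"
        found=1
    fi
    return "$found"
}

# Stand-alone use: report on the real /tmp and the installed httpd version.
if [ -z "$SCALPER_CHECK_NO_MAIN" ]; then
    scalper_indicators /tmp || echo "Scalper indicators found; see DETAILS"
fi
```

Run it as root on the web server so the process list and socket table are complete; a non-zero exit from scalper_indicators means at least one indicator was found and the removal steps under DETAILS should be followed.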
REFERENCES:
Information about the "Scalper" worm
http://vil.nai.com/vil/content/v_99539.htm
http://www3.ca.com/virus/virus.asp?ID=12441
http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
Information about the apache chunked encoding vulnerability
http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.04.txt
http://www.auscert.org.au/Information/Advisories/ESB/ESB-2002.285.txt
http://www.apache.org/dist/httpd/Announcement.html
http://httpd.apache.org/info/security_bulletin_20020620.txt
http://securityresponse.symantec.com/avcenter/security/Content/2049.html
eEye Tool to check for vulnerable systems (not officially endorsed
by AusCERT)
http://www.eeye.com/html/Research/Tools/apachechunked.html
- ---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT
and AusCERT Advisories, and other computer security information.
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call
after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----