Re: Follow up:Apache Nosejob

[Craig <Leusent () typeoneg net>]

On August 22, 2002 01:15 pm, you wrote:
> After perfiorming some research, I noticed that the apache worm that is
> plaguing FreeBSD machines uses the following settings (please correct me
> if I'm wrong):
>
> FreeBSD 4.5 x86 / Apache/1.3.20 (Unix):
> D=-146,
> B= 0xbfbfde00,
> R= 6
> Z= 36
>
> FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
> D=-134
> B= 0xbfbfdb00
> R= 3
> Z=36
After viewing the source code for the apache worm, I did some playing around 
with the offsets, and I found that the following offsets seemed to work on 
FreeBSD 4.5 w/apache 1.3.23 quite effectively.
 -b 0xbfbfdc00
 -d -134
 -r 3 
 -z 36

Hope this helps,
        Craig Holmes