Vulnerability Development mailing list archives

Re: Rumours about Apache 1.3.22 exploits


From: KF <dotslash () snosoft com>
Date: Tue, 05 Mar 2002 12:44:26 -0500

Remember about 6 months back ... there was an "ELF binary infection" thing that "Escaped from our lab" (as said by some company, forget who). The symptoms were similar... http://online.securityfocus.com/archive/75/249346 and http://www.vnunet.com/News/1125305. Maybe a valid exploit has been infected with something similar... this thing (the exploit) is definitely doing something to my apache daemon.
-KF

VeNoMouS wrote:

I've looked into this a little bit more and it adds 8.7KB of data to any ELF
file it finds on your system.

It seems to contain the text string OSF.

It does appear to be some type of virus backdoor; please find attached a clean
and an infected version of grep 2.4.2 (GNU) from a RH 6.2 box. It appends its
data to the end of the ELF, but I have been unsuccessful reverse engineering it
so far.

First run it stays in memory and then goes after /bin/
and infects all ELFs in there, then moves on to /usr/bin,
then /usr/lib/gcc*, then /sbin.

Well, that's the way I saw it happening over a period of 4 days,
and every ELF contains the listen() code to open port 3049.

Still uncertain as to what the 3049 actually does.
----- Original Message -----
From: "VeNoMouS" <venom () phreaker net>
To: "Olaf Kirch" <okir () caldera de>; "H D Moore" <hdm () digitaloffense net>
Cc: <fractalg () highspeedweb net>; <vuln-dev () securityfocus com>
Sent: Friday, March 01, 2002 6:03 AM
Subject: Re: Rumours about Apache 1.3.22 exploits


Actually I was pasted on a so-called exploit this afternoon which claims to
exploit via POST but was only pasted on a binary.
However, please watch out for this. I believe it's a working exploit, but it
also seems to open up a UDP port on 3049 and somehow seems to be cloning the
last proc. When stracing the 3049 all it seems to do is sit there and
recv(...) and does nothing when you type anything.

Binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian.

Has anyone seen this about before?? Is this a trojan? If not, then why does
it open UDP 3049 even after a reboot?
I trace the proc opening that port, kill it, and it seems to somehow clone my
last proc and then 2 mins later opens the port again.

Any ideas?


----- Original Message -----
From: "Olaf Kirch" <okir () caldera de>
To: "H D Moore" <hdm () digitaloffense net>
Cc: <fractalg () highspeedweb net>; <vuln-dev () securityfocus com>
Sent: Wednesday, February 27, 2002 3:07 AM
Subject: Re: Rumours about Apache 1.3.22 exploits


There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a
working exploit floating around which provides a remote bindshell for PHP
versions 4.0.1 to 4.0.6 with a handful of default offsets for different
platforms.

Blechch. This code is really icky. There's really an sprintf down there
in the code that looks bad (apart from a few other things that look bad).
But if I don't misread the patch, the sprintf is still there in 4.1.1.

Since the PHP developers committed another change to the affected
source file (rfc1687.c) about two days ago, speculation is that there is yet
another remote exploit.

Not in the public CVS (has been removed?)

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
        UNIX, n.: Spanish manufacturer of fire extinguishers.


Attachments:
infected_grep.tar.gz (application/x-gzip, base64)
clean_grep.tar.gz (application/x-gzip, base64)




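The thread describes the infector by three observable traits: it appends roughly 8.7KB to the end of each ELF, the appended data contains the string "OSF", and the infected binaries open port 3049. The first two can be checked on disk without reverse engineering anything. The script below is an added example, not code from the thread, from the posters, or from the attached grep samples: it parses the ELF header, program headers and section headers with the standard struct layouts, computes the last file offset any of them references, and reports how much data sits beyond it and whether the marker string lands in that tail. The 8700-byte tail size and the "OSF" marker are taken from VeNoMouS's description; the sample ELF is constructed inline and is not the posted grep binary. Trailing data after the section header table is only a heuristic (some legitimate tools also append data), so a hit means "inspect this file", not "infected".

```python
"""Heuristic check for an ELF with data appended past its headers."""
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8  # .bss-style sections occupy no file bytes

# struct layouts after e_ident, keyed by EI_CLASS (1 = ELF32, 2 = ELF64).
# Field indices: ehdr[4]=e_phoff, [5]=e_shoff, [7]=e_ehsize, [8]=e_phentsize,
# [9]=e_phnum, [10]=e_shentsize, [11]=e_shnum; shdr[1]=sh_type,
# [4]=sh_offset, [5]=sh_size; p_off/p_filesz give the phdr indices.
LAYOUTS = {
    1: dict(ehdr="HHIIIIIHHHHHH", phdr="IIIIIIII", p_off=1, p_filesz=4,
            shdr="IIIIIIIIII"),
    2: dict(ehdr="HHIQQQIHHHHHH", phdr="IIQQQQQQ", p_off=2, p_filesz=5,
            shdr="IIQQQQIIQQ"),
}


def elf_end_offset(data: bytes) -> int:
    """Highest file offset referenced by the ELF header, the program header
    table, each segment's file-backed bytes, the section header table and
    every section that occupies file bytes (NOBITS sections are skipped)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in LAYOUTS or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    bo = "<" if ei_data == 1 else ">"
    lay = LAYOUTS[ei_class]
    h = struct.unpack_from(bo + lay["ehdr"], data, 16)
    e_phoff, e_shoff = h[4], h[5]
    e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum = h[7:12]
    end = e_ehsize
    end = max(end, e_phoff + e_phnum * e_phentsize)
    for i in range(e_phnum):
        p = struct.unpack_from(bo + lay["phdr"], data, e_phoff + i * e_phentsize)
        end = max(end, p[lay["p_off"]] + p[lay["p_filesz"]])
    end = max(end, e_shoff + e_shnum * e_shentsize)
    for i in range(e_shnum):
        s = struct.unpack_from(bo + lay["shdr"], data, e_shoff + i * e_shentsize)
        if s[1] != SHT_NOBITS:
            end = max(end, s[4] + s[5])
    return end


def scan_elf(data: bytes, marker: bytes = b"OSF") -> dict:
    """Report bytes past the last header-referenced offset and whether the
    marker appears in them. Trailing data alone is a heuristic: legitimate
    tools sometimes append data too, so treat a hit as 'look closer'."""
    end = elf_end_offset(data)
    tail = data[end:]
    return {"mapped_end": end, "trailing_bytes": len(tail),
            "marker_in_tail": marker in tail}


def build_sample_elf64() -> bytes:
    """Constructed minimal little-endian x86-64 ELF: 64-byte header, 16 bytes
    of .text, and a two-entry section header table (no program headers).
    Assumed sample, not a real binary."""
    text = b"\x31\xc0\xc3" + b"\x90" * 13           # xor eax,eax ; ret ; nops
    text_off = 64                                    # right after the header
    shoff = text_off + len(text)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400040,
                                 0, shoff, 0, 64, 56, 0, 64, 2, 0)
    sh_null = b"\x00" * 64
    sh_text = struct.pack("<IIQQQQIIQQ", 1, 1, 6, 0x400040, text_off,
                          len(text), 0, 0, 16, 0)
    return ehdr + text + sh_null + sh_text


def build_infected_sample() -> bytes:
    """Clean sample plus a constructed 8700-byte tail that starts with 'OSF',
    mimicking the size and marker reported in the thread (assumed layout)."""
    tail = b"OSF" + b"\x90" * (8700 - 3)
    return build_sample_elf64() + tail


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, scan_elf(f.read()))
    else:
        print("clean   ", scan_elf(build_sample_elf64()))
        print("infected", scan_elf(build_infected_sample()))
```

Run it with paths (for example `python3 scan.py /bin/* /usr/bin/* /sbin/*`, the directories VeNoMouS saw hit) to get one line per binary; with no arguments it scans the two constructed samples. Comparing `trailing_bytes` against a known-clean copy of the same package, as the attached clean/infected grep pair allows, is more reliable than the marker string alone.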
