Re: Rumours about Apache 1.3.22 exploits

[nilton.gs.sc () zipmail com br]

I had the same problem with a test box that I have on my network.

I think the exploit called 73501867 is a trojan. It seems to infect ELF
binaries.

When turn on the system (slackware 8.0 with kernel 2.4.5) I executed 'netstat
-an' and nothing was showed up. But, about 3 minutes later when I executed
'netstat -an' it shows up:
Proto Recv-Q Send-Q Local Address           Foreign Address         State

udp        0      0 0.0.0.0:3049            0.0.0.0:*

Do checksum in your files.

Regards,
Nilton Gomes

-- Mensagem original --

> Actally I was pasted on a so called exploit this afternoon which claims
to
> exploit via post but was only pasted on a binary,
> how ever please watch out for this I beleave its a working exploit but
it
> also seems to open up a udp port on 3049 and some how seems to cloning
the
> last proc , when stracing the 3049 all it seems to do is sit there and
> recv(...) and does nothing when you type anything.
>
> binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian.
>
> Has any one seen this about before?? Is this a trojan , if not then why
does
> it open udp 3049 even after a reboot.
> i trace the proc opening that port kill it and it seems to clone some how
> my
> last proc and then 2mins l8r opens the port again.
>
> Any ideas?
>
>
> ----- Original Message -----
> From: "Olaf Kirch" <okir () caldera de>
> To: "H D Moore" <hdm () digitaloffense net>
> Cc: <fractalg () highspeedweb net>; <vuln-dev () securityfocus com>
> Sent: Wednesday, February 27, 2002 3:07 AM
> Subject: Re: Rumours about Apache 1.3.22 exploits
>
>
> > > There is a bug in the php_split_mime function in PHP 3.x and 4.x. There
> is a
> > > working exploit floating around which provides a remote bindshell for
> PHP
> > > versions 4.0.1 to 4.0.6 with a handful of default offsets for different
> > > platforms.
> >
> > Blechch. This code is really icky. There's really an sprintf down there
> > in the code that looks bad (apart from a few other things that look bad).
> > But if I don't misread the patch, the sprintf is still there in 4.1.1.
> >
> > > Since the PHP developers commited another change to the affected
> > > source file (rfc1687.c) about two days ago, speculation is that there
> is
> yet
> > > another remote exploit.
> >
> > Not in the public CVS (has been removed?)
> >
> > Olaf
> > --
> > Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we
play
> > okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
> > okir () caldera de    +-------------------- Why Not?! -----------------------
> >          UNIX, n.: Spanish manufacturer of fire extinguishers.



------------------------------------------
Use o melhor sistema de busca da Internet
Radar UOL - http://www.radaruol.com.br