DO NOT REPLY [Bug 10509] New: - exploit

[bu...@apache.org]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10509>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10509

exploit

           Summary: exploit
           Product: Apache httpd-1.3
           Version: 1.3.23
          Platform: PC
        OS/Version: FreeBSD
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: slav@zeos.net


Virus report. The binary file was somehow uploaded to 2 our servers to /tmp/a
file through apache. HTTPD-servers contains onli html-page without any SSL or CGI.
At the time in log files appears:
1-st error.log:
[Fri Jul  5 12:25:19 2002] [error] [client 211.167.73.188] client sent HTTP/1.1
request without hostname (see RFC2616 section 14.23): /                        
                    
[Fri Jul  5 12:25:36 2002] [error] [client 211.167.73.188] client denied by
server configuration: /usr/local/httpd/share/htdocs
2-nd error.log:
[Fri Jul  5 12:25:21 2002] [error] [client 211.167.73.188] client sent HTTP/1.1
request without hostname (see RFC2616 section 14.23): /
2-nd access.log:
211.167.73.188 - - [05/Jul/2002:12:25:21 +0300] "GET / HTTP/1.1" 400 376
At that access to the 1-st server was denied from any IP exept ours.
Then the binary (/tmp/a) was executed with effective uid nobody(our apache user)
and start to uploading itself to other servers and to udp flooding.
We can also send you the code of the virus.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org