I guess this may be a bit late - or even a bit alarmist, but ...

Someone hacked into one of my computers this morning at 8:36am Fri the 13th (GMT +1000). This may be a common thing - being Fri the 13th and all ...

I'm not sure if it was a person or a Worm itself, but they exploited the fact that I have not updated apache on my Seawolf (7.1) machine.

The reason for posting this widely is because I don't know how far this has spread to or from me.

I had 3 warning signs but didn't realise until the 3rd what was going on.

The first was a VERY large tcpdump log - it was slow to process a search I tried and I didn't realise it was the size of the file - doh! I tcpdump ALL inbound and outbound packets.

The second was http slow downs and failures that made me "RUN" upstairs to the servers and look further.

Finally, hub lights were flashing madly when I ran upstairs to check the server, so I logged in and did a full ps of the system and noticed all these ".bugtraq" processes, so I pulled its network cable out of the hub and then investigated what was going on.

It put a uuencoded c program in the /tmp directory, uudecoded it, compiled it then ran it.

The program file is called ".bugtraq.c"
The executable is ".bugtraq"
The uuencoded filename is ".uubugtraq"

Of course the files are all owned by "apache".

The IP address of the source of the program is 164.77.246.195
The network my computer was attacking when I stopped it is 189.167.x.x

The apache log was (IP=164.77.246.195):

    IP - - [13/Sep/2002 08:36:06 +1000] "GET / HTTP/1.1" 400 377 "-" "-"
    IP - - [13/Sep/2002 08:36:10 +1000] "GET / HTTP/1.1" 400 377 "-" "-"
    IP - - [13/Sep/2002 08:40:59 +1000] "-" 408 "-" "-"

This suggests to me that it was manually set to run.

The tcpdump log shows that it reports back to 164.77.246.195 something like 40 or 50 times a minute. It all appears to be UDP packets.

I may supply the code to anyone interested, but basically comments in the code say it is a DoS program that can handle up to a network of 16 million computers DoS'ing other computers on the net.

If you haven't updated your apache to 1.3.22-* then I suggest you do it NOW.

I haven't bothered to check which version of apache is necessary, but my Seawolf machine had a 1.3.19-?? version on it that has this security problem. There have been at least two Seawolf updates 1.3.22-1.7.1 and 1.3.22-5.7.1 (I've gone to -5.7.1).

My 4 other servers are all updated 7.1, 7.2 or 7.3 - I unfortunately missed this one. I even have the damn updates on my file server - (my own automated script that runs every weekend to get any new updates off the mirrors) just never typed rpm ... - oh well :-)

--
-Cheers
-Andrew MS ... if only he hadn't been hang gliding!

_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
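A small triage script, added here as an example and not part of Andrew's post, that checks a box for the indicators he lists: an apache package older than the 1.3.22 he recommends, the three dropped files in /tmp, and access-log lines with a 400 status and empty referer and user agent grouped by source IP. The version strings, the directory it scans and the log lines it writes are constructed for the demo (documentation IPs, not the ones in the post).

```shell
#!/bin/sh
# Added triage helper, not code from the original post. Paths, version
# strings and the access-log sample below are constructed for the demo.

# True (0) if the apache version is older than the 1.3.22 the post recommends,
# else 1. $1 = version such as "1.3.19" or "1.3.22-5.7.1" (rpm release ignored).
apache_needs_update() {
    v=${1%%-*}
    set -- $(printf '%s' "$v" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -lt 1 ] && return 0
    [ "$maj" -gt 1 ] && return 1
    [ "$min" -lt 3 ] && return 0
    [ "$min" -gt 3 ] && return 1
    [ "$pat" -lt 22 ]
}

# Print whichever of the three dropped files the post names exist in directory $1.
dropped_files() {
    for name in .uubugtraq .bugtraq.c .bugtraq; do
        [ -e "$1/$name" ] && echo "$1/$name"
    done
    return 0
}

# Per source IP, count lines with status 400 and "-" for both referer and
# user agent (the post's pattern); prints "count ip", highest first. $1 = log.
suspicious_400s() {
    awk '/ 400 [0-9-]+ "-" "-"$/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Write a constructed combined-format access log (not real traffic) to $1.
make_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [13/Sep/2002:08:36:06 +1000] "GET / HTTP/1.1" 400 377 "-" "-"
192.0.2.10 - - [13/Sep/2002:08:36:10 +1000] "GET / HTTP/1.1" 400 377 "-" "-"
198.51.100.7 - - [13/Sep/2002:08:37:01 +1000] "GET /index.html HTTP/1.0" 200 1523 "-" "Mozilla/4.0 (compatible)"
192.0.2.10 - - [13/Sep/2002:08:40:59 +1000] "-" 408 - "-" "-"
203.0.113.5 - - [13/Sep/2002:08:41:12 +1000] "GET /cgi-bin/x HTTP/1.1" 400 377 "-" "-"
EOF
}

log=$(mktemp)
make_sample_log "$log"
apache_needs_update 1.3.19 && echo "1.3.19: update needed" || echo "1.3.19: ok"
dropped_files /tmp
suspicious_400s "$log"
rm -f "$log"
```

Run it against the real /var/log/httpd/access_log and the output of `rpm -q apache` on the host; a source IP with many 400/"-"/"-" lines plus any of the /tmp files owned by apache is the combination the post describes.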