They're heeeeere..... The first packets from the Apache DOS vuln are out and it's been "wormed", which means it's now spreading. You need to patch Apache to 1.3.26 or 2.0.39.

If you can write a good Snort rule, below is what you need to plug in there. I just tested this signature out on my machine and it successfully detects the attack. Strangely, it also flagged the beginning of the packet as an "alibaba" attack. But beware, I modified the packet to not include all of the exploit code, so the real one may not trip on Alibaba.

For a good packet dump of the exploit and details on how it installs, see: http://dammit.lt/apache-worm/

SNORT SIG:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Transfer-Encoding\: chunked"; flow:to_server,established; content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase; classtype:web-application-attack; reference:bugtraq,4474; reference:cve,CAN-2002-0079; reference:bugtraq,5033; reference:cve,CAN-2002-0392; sid:1807; rev:1;)

Brian Varine, GCIA, CISSP
Regence Blue Cross/Blue Shield
IT Security Compliance
503-553-1425
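As an added illustration that is not part of the post above, here is a Python emulation of what the signature's two nocase content matches actually test, run over constructed sample requests next to a header-aware check. The sample requests and both function names are assumptions for the example; note that the rule as written fires on any request carrying both strings anywhere in the payload, legitimate chunked POSTs included.

```python
# Constructed sample requests (not from the original post) used to show
# what the Snort signature's content matches do and do not fire on.
SAMPLES = {
    "chunked_post": (
        b"POST /cgi-bin/form HTTP/1.1\r\nHost: www.example.org\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
    ),
    "lowercase_headers": (
        b"POST /upload HTTP/1.1\r\nHost: www.example.org\r\n"
        b"transfer-encoding: CHUNKED\r\n\r\n0\r\n\r\n"
    ),
    "plain_get": b"GET /index.html HTTP/1.0\r\nHost: www.example.org\r\n\r\n",
    "body_mentions_chunked": (
        b"POST /search HTTP/1.1\r\nHost: www.example.org\r\n"
        b"Content-Length: 28\r\n\r\nq=Transfer-Encoding: chunked"
    ),
}

def snort_rule_matches(payload: bytes) -> bool:
    """Emulate sid:1807's two nocase content matches.

    Snort checks each content option independently against the whole
    payload, so both strings only have to be present somewhere, in any
    order; the rule does no header parsing at all.
    """
    lower = payload.lower()
    return b"transfer-encoding:" in lower and b"chunked" in lower

def has_chunked_te_header(payload: bytes) -> bool:
    """Stricter, header-aware check: fires only when a Transfer-Encoding
    header in the request head (before the blank line) lists 'chunked'."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"transfer-encoding":
            codings = [c.strip().lower() for c in value.split(b",")]
            if b"chunked" in codings:
                return True
    return False

def classify(samples=SAMPLES) -> dict:
    """Return {name: (rule_match, header_match)} for each sample."""
    return {n: (snort_rule_matches(p), has_chunked_te_header(p))
            for n, p in samples.items()}

if __name__ == "__main__":
    for name, (rule, hdr) in classify().items():
        print(f"{name:24} snort_rule={rule!s:5} te_header={hdr}")
```

The "body_mentions_chunked" sample shows the gap: the signature fires on it because both strings appear in the body, while the header-aware check does not.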
This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 16:13:08 PDT