They're heeeeere.....The first packets from the Apache DOS vuln are out and
it's been "wormed" which means it's now spreading. You need to patch
Apache
to 1.3.26 or 2.0.39. If you can write a good Snort rule, below is what you
need to plug in there. I just tested this signature out on my machine
and it successfully
detects the attack. Strangely, it also flagged the beginning of the packet
as an "alibaba" attack. But beware, I modified the packet to not
include all of the
exploit code so the real one may not trip on Alibaba. For a good packet
dump of the exploit and details on how it installs at :
http://dammit.lt/apache-worm/
SNORT SIG:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-MISC Transfer-Encoding\: chunked";
flow:to_server,established;
content:"Transfer-Encoding\:"; nocase;
content:"chunked"; nocase;
classtype:web-application-attack;
reference:bugtraq,4474;
reference:cve,CAN-2002-0079; reference:bugtraq,5033;
reference:cve,CAN-2002-0392; sid:1807; rev:1;)
Brian Varine, GCIA, CISSP
Regence Blue Cross/Blue Shield
IT Security Compliance
503-553-1425
This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 16:13:08 PDT