Re: Follow up:Apache Nosejob

From: Craig (Leusentat_private)
Date: Thu Aug 22 2002 - 14:59:09 PDT

    On August 22, 2002 01:15 pm, you wrote:
    > After performing some research, I noticed that the apache worm that is
    > plaguing FreeBSD machines uses the following settings (please correct me
    > if I'm wrong):
    >
    > FreeBSD 4.5 x86 / Apache/1.3.20 (Unix):
    > D=-146,
    > B= 0xbfbfde00,
    > R= 6
    > Z= 36
    >
    > FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
    > D=-134
    > B= 0xbfbfdb00
    > R= 3
    > Z=36

    After viewing the source code for the apache worm, I did some playing around
    with the offsets, and I found that the following offsets seemed to work on 
    FreeBSD 4.5 w/apache 1.3.23 quite effectively.
     -b 0xbfbfdc00
     -d -134
     -r 3 
     -z 36
    
    Hope this helps,
    	Craig Holmes
    



    This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 15:08:28 PDT