[LINK] Apache/SSL worm & Telstra Internet's fab service

Robin Whittle rw@firstpr.com.au
Mon, 16 Sep 2002 04:12:28 +1000


My up-to-date (or so I thought) RedHat 7.2 machine was hacked at 9PM
Sunday night by a new Apache-SSL worm which affects Linux machines
running Apache with SSL.  I was running RedHat's 1.3.22 version patched
with the fixes which make 1.3.26 safe against the chunk problem:

   http://www.cert.org/advisories/CA-2002-17.html

but I now realise that I had not kept up to date to fix the SSL problem:

   http://www.cert.org/advisories/CA-2002-23.html  (June 30)

The new Apache/SSL worm has just got its own advisory - in recent hours
I think:

   http://www.cert.org/advisories/CA-2002-27.html

This has been discussed in the last day or so on the BUGTRAQ mailing
list:

   http://www.securityfocus.com


It uses SSL and Apache to put a file:

  /tmp/.uubugtraq

and then turns this into source and an executable.  Then it tries to
spread itself and forms part of a large network of hacked machines
communicating with each other by UDP packets to and from port 2002.  It
can run arbitrary commands as specified by the remote hacker, but it is
user "apache" on my RedHat machine, so it probably can't do too much
harm, other than for instance crash the machine by writing enough files
to fill the partitions - unless there is a way of escalating its
privileges to root.

I unplugged my modem, figured out with a friend what was going on,
deleted the worm and turned off SSL and rebooted with the modem
connected.  Now at least my machine isn't propagating stuff, but it is
still receiving a blizzard of packets.

My 56k modem light is running hard on.  I pay 20 cents a Meg for this
stuff with the excellent Telstra Internet direct modem, so I figure this
is costing me $10 an hour!  It could go on for days, weeks or months . . .

A protective measure would be to create a file as root:

    /tmp/.uubugtraq

and make sure no other user can write to it.  But the best approach is
to make sure the SSL module is up to date.

The worm comes as nicely written source code.  Below is the list of
systems it targets.

This worm could lead to a vast amount of traffic on UDP port 2002.  I am
getting 57 packets a second on my link, and each is currently generating
an ICMP UDP port 2002 unreachable packet going out.  I called Telstra
Internet at 3AM and asked them if they could filter out UDP packets to
port 2002.  The chap there gave me a job ticket number and said someone
would call me.

My incoming line is flooded and the outgoing link is close to flooded.
Ping to an external server has 85% packet loss and times of 1.4 seconds
or so instead of the usual 0.5 or so.

So this flood of packets puts me pretty much off the air, and is costing
me at least $2 an hour:  $0.20 a megabyte, with the 56k modem running
at say 48kbps . . . this is 6 k bytes a second, not counting
compression, so this is  . . . . . . .

!!!!

The RXD LED just went back to its normal activity!

Seconds later the phone rings.

It is a woman from Telstra Internet and bless her soul, she's just
configured the router I dial in to to filter out UDP port 2002!   I sing
her praises and likewise my appreciation for the Telstra Internet Direct
Modem service which has put me reliably on the Net since July 1997.  It
cost $500 to set up.  I need a phone line and to make calls to one of
many POPs which are all over Australia.  Mine is in the Lonsdale St
exchange in Melbourne.  Then I pay a minimum fee of $20 (ex GST) a
month, which recently is what I have been paying, since the incoming
traffic has been less than 100 Megabytes per month at $0.20 a Megabyte.
I use my Optus cable modem for web surfing and FTP, though their
"transparent proxying" makes a mess of FTP and the encrypted FTP
equivalent: SCP . . .   I use my Telstra connection to run a
mailserver, a low volume web server and a nameserver for several
domains.   Also, it's a *real* Internet connection, rather than the
non-fixed IP address service from Optus, in which everything goes
through supposedly transparent proxies, and in which it is not allowed
to run any servers or engage in commercial activity.

  >>> Salute!   http://www.telstra.com.au/internetdirect/ <<<<

The service is fabulously reliable - and since I got a US Robotics
modem, the calls have only dropped out once every few weeks.  (The
record is 3 months and nearly one day for one call!)

For this I get 32 fixed IP addresses (a number which seems
embarrassingly large for lil-old me in 2002 . . . ) and a clear
connection to the Net, with excellent reliability.  I don't recall many
failures - but a few nights ago would be typical, occasional, worst-case
scenario of the call dropping out and my machine dialing in to finding
the router not answering calls for ten or twenty minutes.  Maybe that
happens once or twice a year.

On top of this, I can call them at 3AM ("only" 1AM in Western Australia
where the most helpful woman was on deck) and they will noodle around in
the router in Lonsdale St to protect my connection from a ruinous flood
of packets!

What was it going to cost me if this wasn't fixed?  Let's say 6 kbytes a
second without compression = 21.6 Megs an hour.  That's at least $4 an
hour and probably more like $6 an hour considering the modem would be
compressing them.   That would quickly get out of control after a day or
two.
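A small detector for the symptom described above (a stream of UDP packets to port 2002, each answered by an ICMP port-unreachable), as an added example that is not part of the original post. The capture lines are constructed in tcpdump's text format, the peer addresses are made up, and the cost helper reproduces the post's own $0.20 per megabyte arithmetic.

```python
import re
from collections import Counter

# tcpdump -n style text lines; the capture below is constructed, not real.
UDP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")
ICMP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP \S+ > \S+: ICMP .*udp port 2002 unreachable")


def build_sample():
    """Constructed capture: three infected peers hitting UDP/2002 for two seconds,
    each packet answered with ICMP port unreachable, plus one benign DNS packet."""
    lines = []
    peers = ["203.0.113.7", "192.0.2.44", "198.18.0.9"]  # documentation/test ranges
    for sec in (28, 29):
        for i in range(60):
            src = peers[i % 3]
            lines.append(f"04:12:{sec}.{i * 16000:06d} IP {src}.2002 > 198.51.100.5.2002: UDP, length 64")
            lines.append(f"04:12:{sec}.{i * 16000 + 500:06d} IP 198.51.100.5 > {src}: "
                         f"ICMP 198.51.100.5 udp port 2002 unreachable, length 36")
    lines.append("04:12:29.900000 IP 198.51.100.5.53 > 192.0.2.1.53: UDP, length 48")
    return "\n".join(lines)


def analyze(capture, port=2002, flood_pps=20):
    """Count inbound UDP packets to `port` per second and the ICMP replies they
    provoke; flag a flood when any one-second bucket reaches `flood_pps`."""
    per_second = Counter()   # "HH:MM:SS" -> UDP/port packets seen in that second
    sources = Counter()      # peer address -> packets sent to us
    icmp_unreachable = 0
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m and int(m.group(5)) == port:
            per_second[m.group(1)] += 1
            sources[m.group(2)] += 1
            continue
        if ICMP_RE.match(line):
            icmp_unreachable += 1
    peak = max(per_second.values(), default=0)
    return {"peak_pps": peak, "udp_total": sum(per_second.values()),
            "icmp_unreachable": icmp_unreachable, "sources": sources,
            "flood": peak >= flood_pps}


def cost_per_hour(pps, bytes_per_packet, price_per_mb=0.20):
    """Link charge as the post computes it: bytes per second x 3600 s, billed per MB."""
    return pps * bytes_per_packet * 3600 / 1e6 * price_per_mb
```

Replacing `build_sample()` with the output of a real `tcpdump -n udp port 2002 or icmp` run is all that is needed to use it on a live link.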


   - Robin


Here's the start of the worm's source (.bugtraq.c), and the list of OS
and Apache versions for which it knows how to crash the process and
doctor its message to gain control of the process, so that it can load
itself into the target machine as /tmp/.uubugtraq and install itself.

- - - 

Peer-to-peer UDP Distributed Denial of Service (PUD)
by contem@efnet

Virtually connects computers via the udp protocol on the
specified port.  Uses a newly created peer-to-peer protocol that
incorporates uses on unstable or dead computers.  The program is
run with the parameters of another ip on the virtual network.  If
running on the first computer, run with the ip 127.0.0.1 or some
other type of local address.  Ex:

  Computer A:   ./program 127.0.0.1
  Computer B:   ./program Computer_A
  Computer C:   ./program Computer_A
  Computer D:   ./program Computer_C

Any form of that will work.  The linking process works by
giving each computer the list of available computers, then
using a technique called broadcast segmentation combined with TCP
like functionality to insure that another computer on the network
receives the broadcast packet, segments it again and recreates
the packet to send to other hosts.  That technique can be used to
support over 16 million simultaneously connected computers.


struct archs {
        char *os;
        char *apache;
        int func_addr;
} architectures[] = {
        {"Gentoo", "", 0x08086c34},
        {"Debian", "1.3.26", 0x080863cc},
        {"Red-Hat", "1.3.6", 0x080707ec},
        {"Red-Hat", "1.3.9", 0x0808ccc4},
        {"Red-Hat", "1.3.12", 0x0808f614},
        {"Red-Hat", "1.3.12", 0x0809251c},
        {"Red-Hat", "1.3.19", 0x0809af8c},
        {"Red-Hat", "1.3.20", 0x080994d4},
        {"Red-Hat", "1.3.26", 0x08161c14},
        {"Red-Hat", "1.3.23", 0x0808528c},
        {"Red-Hat", "1.3.22", 0x0808400c},
        {"SuSE", "1.3.12", 0x0809f54c},
        {"SuSE", "1.3.17", 0x08099984},
        {"SuSE", "1.3.19", 0x08099ec8},
        {"SuSE", "1.3.20", 0x08099da8},
        {"SuSE", "1.3.23", 0x08086168},
        {"SuSE", "1.3.23", 0x080861c8},
        {"Mandrake", "1.3.14", 0x0809d6c4},
        {"Mandrake", "1.3.19", 0x0809ea98},
        {"Mandrake", "1.3.20", 0x0809e97c},
        {"Mandrake", "1.3.23", 0x08086580},
        {"Slackware", "1.3.26", 0x083d37fc},
        {"Slackware", "1.3.26", 0x080b2100}
};
----------
For Link list information see http://sunsite.anu.edu.au/link/