Re: [SLUG] Quick Apache question

From: John Oakes (john@networkproductions.net)
Date: Tue Jun 25 2002 - 12:02:47 EDT


> in either your Apache or system logfiles. If you see these, that's an
> indication that some `1337 ha><0r d00d is trying to r00t your box
> through the vulnerability but all he's managing to do is DOS you.
>
> In any case, you should absolutely upgrade to the latest version of
> Apache that fixes the bug. You should also seriously consider auditing
> your box to make sure that nobody did manage to get in with any sort of
> Script Kiddie attack.
>

That would be my guess too. One thing to note is that many people's default
configuration won't log anything for this. There is already an exploit
circulating that gives root on BSD operating systems, and the authors claim
to have one for Linux that they will release soon. I just glanced at the
BSD one and it looks like it uses the Apache vulnerability to get a shell
and then a memcpy vulnerability to actually obtain root. I don't think the
memcpy problem exists on Linux, but I would still be very worried if I
hadn't already upgraded. It also still has the ability to kill the thread,
so I wouldn't be surprised if it killed his Apache. One thing to note too
is that if you upgrade with apt-get, make sure you restart Apache manually,
because it isn't done for you. There is a scanner here to check if you are
vulnerable; however, it has to be run on Windows (or maybe it will work with
Wine). http://www.eeye.com

John
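
The restart caveat in the message above can be checked on a Linux host: a process still running a binary that the package manager has replaced on disk shows its /proc/<pid>/exe link ending in " (deleted)". This is an added example, not part of the original message; the function name `stale_procs` and the binary names it matches by default (apache, apache2, httpd) are assumptions.

```shell
#!/bin/sh
# Added example: list processes still executing a binary that was replaced
# on disk, e.g. an Apache that was upgraded but never restarted.
# Assumption: Linux procfs semantics, where /proc/<pid>/exe of such a process
# reads "<path> (deleted)".

# stale_procs [PROC_ROOT] [NAME_REGEX]
#   PROC_ROOT   procfs mount point to inspect (default: /proc)
#   NAME_REGEX  extended regex matched against the binary path
# Prints "pid path" for each stale process; returns 1 if any were found.
stale_procs() {
    proc_root=${1:-/proc}
    name_re=${2:-}
    [ -n "$name_re" ] || name_re='/(apache|apache2|httpd)$'
    found=0
    for exe in "$proc_root"/[0-9]*/exe; do
        # Skip an unmatched glob or a process that exited meanwhile.
        [ -L "$exe" ] || continue
        # readlink fails on processes we are not allowed to inspect.
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)") ;;          # binary replaced since process start
            *) continue ;;             # still running the on-disk binary
        esac
        path=${target%" (deleted)"}
        printf '%s\n' "$path" | grep -Eq "$name_re" || continue
        pid=${exe%/exe}
        pid=${pid##*/}
        printf '%s %s\n' "$pid" "$path"
        found=1
    done
    return "$found"
}

# Usage (as root, so every process is readable):
#   stale_procs /proc || echo "Apache is still running the old binary"
```
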



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 13:01:37 EDT