Just an FYI - Apache Worm on the loose

There is an Apache worm out there, and it uses port 2001/udp to operate. You
may wanna scan your own boxes for this open port.

The payload it tries to dump is located below:

Not having seen a copy of the other worm, I wouldn't know. Regardless, would
you want a worm, even a weak and ineffective one, on your boxes?


Announced last week on BUGTRAQ and elsewhere.

(and was it _really_ necessary to post a hex dump of the entire thing? The
actual source is available linked from the BUGTRAQ post above ...)

Is this the same vulnerability that
was corrected with the 1.3.26 Apache release?

Hello John,

Wednesday, July 10, 2002, 11:58:09 AM, you wrote:

Is this the same vulnerability that
was corrected with the 1.3.26 Apache release?

Yes it is.

If you want to be proactive, filter this port across your backbone and you will
very quickly see what hosts have been compromised. On the other hand, individual
customers seem to use all their bandwidth, so they tend to phone in pretty quick!


If you want to be really proactive... Just filter out port 80, and then
you can't get hacked...


That's simply not true! The command below will make your IP-based network completely secure from outside attack. You need to issue this command on all IOS-based routers. Start at the edges and work your way into the core, to which you must be connected via some out-of-band method, preferably a modem connected to the console port.

core# conf t
core(config)# no ip routing

This will secure your network against this Apache worm for sure!


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - Francis Jeffrey
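
An added example, not part of the original thread: one way to act on the suggestion above to filter 2001/udp on the backbone and see which hosts show up. It parses Cisco IOS ACL deny log lines and lists internal sources sending udp/2001. The ACL number, the internal prefixes (documentation ranges) and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

WORM_PORT = 2001  # udp port named in the thread
# Assumption: your own/customer prefixes (documentation ranges used here).
INTERNAL = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Cisco IOS ACL "log" message for TCP/UDP denies (IPACCESSLOGP).
LINE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?"
)

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def suspect_hosts(lines):
    """Return {internal_src: (distinct_peers, packets)} for denied udp/2001."""
    peers, packets = defaultdict(set), defaultdict(int)
    for line in lines:
        m = LINE.search(line)
        if not m or m["proto"] != "udp":
            continue  # unparsable line, or tcp/2001 (not what the thread names)
        if WORM_PORT not in (int(m["sport"]), int(m["dport"])):
            continue
        if not is_internal(m["src"]):
            continue  # inbound probe from outside, not one of our hosts
        peers[m["src"]].add(m["dst"])
        packets[m["src"]] += int(m["pkts"])
    return {h: (len(peers[h]), packets[h]) for h in peers}

# Constructed sample log lines (not taken from the thread).
P = "Jul 10 12:01:03: %SEC-6-IPACCESSLOGP: list 150 denied "
SAMPLE = [
    P + "udp 192.0.2.10(2001) -> 203.0.113.5(2001), 1 packet",
    P + "udp 192.0.2.10(2001) -> 203.0.113.77(2001), 4 packets",
    P + "udp 203.0.113.9(2001) -> 198.51.100.20(2001), 1 packet",
    P + "tcp 198.51.100.20(34567) -> 203.0.113.5(2001), 1 packet",
    P + "udp 198.51.100.44(1030) -> 203.0.113.5(2001), 2 packets",
    P + "udp 192.0.2.10(53) -> 203.0.113.5(53), 1 packet",
]

if __name__ == "__main__":
    hits = suspect_hosts(SAMPLE)
    # Hosts talking to the most distinct peers are the first to check.
    for host, (n, p) in sorted(hits.items(), key=lambda kv: -kv[1][0]):
        print(f"{host}: {n} distinct peers, {p} packets on udp/{WORM_PORT}")
```

A host that appears here is only a candidate for inspection; confirm on the box itself before treating it as compromised.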