SecurityFocus 2002-06-20
Tool makes it easy to hack vulnerable Apache servers under OpenBSD.
Hackers
2002-06-20
Anonymous (2 replies)
Hackers
2002-06-21
The Clone (7 replies)
Hackers
2002-06-21
Anonymous (2 replies)
eEye Scanner
2002-06-21
Dirk (1 replies)
Gobbles on time
2002-06-21
Anonymous (4 replies)
Gobbles on time
2002-06-22
Anonymous (4 replies)
Gobbles Releases Apache Exploit
2002-06-23
Anonymous (2 replies)

XXX.XXX.XXX.XXX - - [24/Jun/2002:06:19:21 +0900] "GET /poweredby.html HTTP/1.1" 200 17339 "http://www.google.com/search?q=powered+by+freebsd&hl=en&lr=&ie=UTF-8&oe=UTF8&start=90&sa=N" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
XXX.XXX.XXX.XXX - - [24/Jun/2002:06:21:25 +0900] ""GET ../.." " 400 345 "-" "-"
XXX.XXX.XXX.XXX - - [24/Jun/2002:06:21:57 +0900] "GET / HTTP/1.1" 200 28178 "-" "-"
XXX.XXX.XXX.XXX - - [24/Jun/2002:06:21:58 +0900] "5" 200 11377 "-" "-"
Search for "powered by freebsd" on Google, try an illegal access ("../..") to get Apache version number ("ServerSignature Off" in httpd.conf will make finding vulnerable servers more difficult), then the final two log entries are repeated indefinitely.
When I first saw the announcement and that it wasn't exploitable on FreeBSD, I wasn't too concerned and thought I'd finish testing Apache 2.0 with mod_jk on another machine before bringing it up on the production server. This attack told me that I'd better upgrade NOW!
I'd never heard of Gobbles until now. But it certainly appears to have more useful warnings than CERT, etc. Is their tool responsible for this break-in attempt? Maybe. But this attack has certainly woken me up.
Link to this comment: http://www.securityfocus.com/comments/articles/493/13214#13214
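The log pattern this comment describes (arrival from a "powered by" search, a malformed request answered with 400, then continued requests from the same client) can be checked for in Combined Log Format files. The following is an added example, not part of the original comment; the function names, the follow-up threshold and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Combined Log Format. The request field is matched greedily because, as in
# the log above, a malformed request line can itself contain double quotes.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+ "(.*?)" "(.*?)"$')
WELL_FORMED = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
BANNER_SEARCH = re.compile(r'[?&]q=[^&]*powered\+by', re.IGNORECASE)

def summarize(lines):
    """Per client: search-engine arrival, malformed requests, follow-up volume."""
    stats = defaultdict(lambda: {"banner_search": False, "bad_400": 0,
                                 "bad_other": 0, "after_400": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an access-log line
        client, request, status, referer, _agent = m.groups()
        s = stats[client]
        if s["bad_400"]:
            s["after_400"] += 1  # anything sent after the first malformed 400
        if BANNER_SEARCH.search(referer):
            s["banner_search"] = True
        if not WELL_FORMED.match(request):
            s["bad_400" if status == "400" else "bad_other"] += 1
    return dict(stats)

def flag(lines, min_followups=2):
    """Clients that got a 400 on a malformed request and then kept sending."""
    return sorted(c for c, s in summarize(lines).items()
                  if s["bad_400"] and s["after_400"] >= min_followups)

# Constructed sample (documentation addresses), shaped like the entries above.
SAMPLE = [
    '192.0.2.10 - - [24/Jun/2002:06:19:21 +0900] "GET /poweredby.html HTTP/1.1" 200 17339 "http://www.google.com/search?q=powered+by+freebsd&hl=en" "Mozilla/4.0 (compatible; MSIE 5.5)"',
    '192.0.2.10 - - [24/Jun/2002:06:21:25 +0900] ""GET ../.." " 400 345 "-" "-"',
    '192.0.2.10 - - [24/Jun/2002:06:21:57 +0900] "GET / HTTP/1.1" 200 28178 "-" "-"',
    '192.0.2.10 - - [24/Jun/2002:06:21:58 +0900] "5" 200 11377 "-" "-"',
    '198.51.100.7 - - [24/Jun/2002:06:30:00 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [24/Jun/2002:06:30:05 +0900] "GET" 400 345 "-" "-"',
]

if __name__ == "__main__":
    for client in flag(SAMPLE):
        print(client, summarize(SAMPLE)[client])
```

The second sample client sends one malformed request and nothing afterwards, so it stays below the threshold; the `bad_other` counter captures entries like the `"5"` request line that the server answered with 200.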