[Snort-sigs] SID 1809 documentation
kevin.peuhkurinen at ...1555...
Mon Jun 9 08:49:01 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase; reference:cve,CAN-2002-0392; sid:1809; rev:2;)
The "Scalper" worm is attempting to infect your web server.
An infected server will open ports and listen for commands as well as
attempt to infect more systems.
This worm takes advantage of the chunked encoding vulnerability in
Apache to infect new systems. Once infected, the worm opens UDP port
2001 and will listen for additional commands. It will also begin
scanning for new hosts to infect.
Versions of Apache 1.3 up to and including 1.3.24 and versions of Apache
2.0 up to 2.0.36. All versions of Apache 1.2 are vulnerable. This worm
will only infect systems running FreeBSD.
Typical self-replicating worm.
Ease of Attack:
Easy – fully automated.
Upgrade your installation of Apache if you are running a vulnerable version.
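
Added example, not part of the original post and not Snort's own code: a small Python model of how the rule's content and nocase options are evaluated, run against constructed payloads. The function names and sample requests are assumptions made for illustration; the flow, address and port conditions of the rule are not modelled, and nocase is only recognised when it directly follows the content option.

```python
import re

# Rule text as posted in the message above, with the e-mail line wraps rejoined.
RULE = (r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        r'(msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; '
        r'flow:to_server,established; '
        r'content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase; '
        r'reference:cve,CAN-2002-0392; sid:1809; rev:2;)')

def decode_content(raw):
    """Snort content string -> bytes: backslash escapes one char, |..| holds hex bytes."""
    out, i, hexbuf = bytearray(), 0, None
    while i < len(raw):
        ch = raw[i]
        if hexbuf is not None:            # inside a |hex| block
            if ch == "|":
                out += bytes.fromhex(hexbuf)
                hexbuf = None
            else:
                hexbuf += ch
        elif ch == "|":
            hexbuf = ""
        else:
            if ch == "\\" and i + 1 < len(raw):
                i += 1                    # keep the escaped character literally
            out += raw[i].encode("latin-1")
        i += 1
    if hexbuf is not None:
        raise ValueError("unterminated |hex| block")
    return bytes(out)

def parse_rule(rule):
    """Return (pattern_bytes, nocase) for the rule's first content option."""
    m = re.search(r'content:"((?:\\.|[^"\\])*)"\s*;', rule)
    if m is None:
        raise ValueError("no content option found")
    nocase = re.match(r'\s*nocase\s*;', rule[m.end():]) is not None
    return decode_content(m.group(1)), nocase

def matches(payload, pattern, nocase):
    """Substring search over the payload, case-folded when nocase is set."""
    return pattern.lower() in payload.lower() if nocase else pattern in payload

if __name__ == "__main__":
    pattern, nocase = parse_rule(RULE)
    # Constructed sample payloads (not captured traffic).
    samples = {
        "header in lower case": b"POST / HTTP/1.1\r\nHost: www.example.com\r\n"
                                + pattern.lower() + b"\r\n\r\n",
        "ordinary request": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    }
    for name, payload in samples.items():
        print(name, "->", "alert sid:1809" if matches(payload, pattern, nocase) else "no alert")
```

The escaped `\:` in the rule decodes to a plain colon, so the match is on the literal header text, and without nocase the lower-case variant of the same header would not alert.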