GEN:SID 1:1809
Message WEB-MISC Apache Chunked-Encoding worm attempt
Summary This event is generated when an attempt is made to infect a web server by the "Scalper" worm.
Impact An infected server will open ports and listen for commands as well as
attempt to infect more systems.
Detailed Information This worm takes advantage of the chunked encoding vulnerability in
Apache to infect new systems. Once infected, the worm opens UDP port
2001 and will listen for additional commands. It will also begin
scanning for new hosts to infect.
Affected Systems Version of Apache 1.3 up to and including 1.3.24 and versions of Apache
2.0 up to 2.0.36. All versions of Apache 1.2 are vulnerable. This worm
will only infect systems running FreeBSD.
Attack Scenarios Typical self-replicating worm.
Ease of Attack Simple. This is worm activity and is fully automated.
Corrective Action Upgrade your installation of Apache if you are running a vulnerable
version.
Additional References Symantec
http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
Rule References bugtraq: 4474
bugtraq: 4485
bugtraq: 5033
cve: 2002-0071
cve: 2002-0079
cve: 2002-0392