Apache Worm Discovered
Unix/Scalper first of kind

Taking advantage of a security vulnerability disclosed on June 20, 2002 and affecting Apache Web Server versions 1.2.2 and above, 1.3 through 1.3.24, and 2.0 through 2.0.36, the newly discovered Scalper worm is the first known Apache infector. The vulnerability, known as the chunked encoding vulnerability, is remotely exploitable and can allow an attacker to run arbitrary code on affected servers. The Apache Software Foundation recommends users of Apache 1.3 upgrade to 1.3.26, and users of Apache 2.0 upgrade to 2.0.39, both of which contain a fix for the chunked encoding vulnerability.

According to analysis by Katrin Tocheva and Sami Rautiainen of F-Secure, Scalper propagates from one FreeBSD system to another by exploiting the aforementioned chunked encoding vulnerability. Upon gaining access to the server, the Scalper worm creates a temporary file named "/tmp/.uua", which is a uuencoded copy of the worm. The file is then decoded to "/tmp/.a" and executed, and the uuencoded file is removed. Scalper also sets up a backdoor on UDP port 2001 and begins scanning a predefined set of Class-A addresses, searching for other vulnerable Apache servers. The backdoor component allows a malicious user to remotely control the worm, send email from the affected server, or upload files and execute arbitrary programs under the same user privilege as the server.

Removing the worm
The worm's process, ".a", is visible in the system process list. To remove the worm, delete the file "/tmp/.a" and terminate the worm process using the command "killall -9 .a".
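The indicators described above (the two files in /tmp, the ".a" process, the UDP port 2001 backdoor and the affected version ranges) can be checked with a few shell helpers. This is an added example, not part of the original article or of F-Secure's analysis; the function names and sample data are constructed, and "unlisted" marks a version the article does not mention either way.

```shell
#!/bin/sh
# Added example: triage helpers built from the indicators in the article.

# Classify an Apache version against the article's ranges. Prints vulnerable,
# fixed, or unlisted (a version the article does not mention).
apache_status() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}  # drop suffixes such as "-dev"
    case "$major.$minor" in
        1.2) if [ "$patch" -ge 2 ]; then echo vulnerable; return; fi ;;
        1.3) if [ "$patch" -le 24 ]; then echo vulnerable; return; fi
             if [ "$patch" -ge 26 ]; then echo fixed; return; fi ;;
        2.0) if [ "$patch" -le 36 ]; then echo vulnerable; return; fi
             if [ "$patch" -ge 39 ]; then echo fixed; return; fi ;;
    esac
    echo unlisted
}

# Print the worm's files found under root $1 ("/" live, or an image mount).
scalper_files() {
    root=${1%/}
    for f in /tmp/.uua /tmp/.a; do
        if [ -e "$root$f" ]; then echo "$f"; fi
    done
}

# Read `ps -axo pid,comm` output on stdin; print PIDs whose command is ".a".
scalper_pids() { awk '$2 == ".a" { print $1 }'; }

# Read `netstat -an` output on stdin; print UDP local addresses on port 2001.
scalper_udp() { awk '$1 ~ /^udp/ && $4 ~ /[.:]2001$/ { print $4 }'; }

# Constructed sample input, not captured from a real host.
SAMPLE_PS='  PID COMMAND
  412 httpd
 1337 .a
 1402 sh'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  (state)
tcp4       0      0 *.80             *.*              LISTEN
udp4       0      0 *.2001           *.*
udp4       0      0 *.514            *.*'

# Demonstration on the constructed samples only.
printf '%s\n' "$SAMPLE_PS" | scalper_pids
printf '%s\n' "$SAMPLE_NETSTAT" | scalper_udp
apache_status 1.3.24
```

On a live host, feed the helpers real output: `scalper_files /`, `ps -axo pid,comm | scalper_pids` and `netstat -an | scalper_udp`.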

The Scalper worm is known by many aliases, including Unix/Scalper, Ehchapa, PHP/Exploit-Apache, UNIX/Exploit-Apache, Exploit.Linux.Apache.134, and Hacktool.Echapa.


©2008 About.com, a part of The New York Times Company.
