press release launching a service to mitigate the effects of DDoS attacks, while early this morning [BST] Rackshack appeared to suffer a similar attack.
Posted by Colin Phipps in Security
The Apache Project have announced that versions of Apache/2.0 up to and including Apache/2.0.44 are vulnerable to a denial of service attack. To fix the problem, the project has released Apache/2.0.45, which is available for download.
People running Apache servers should note that the vulnerability only applies to Apache/2.0 and not Apache/1.3. In this respect the bug is not a big threat to the stability of the web - it is a denial of service rather than a remote compromise and the number of sites running Apache/2.0 is relatively small. Almost 99% of Apache sites are on Apache/1.3 or earlier.
Further to our article on the widespread availability of WebDAV on Microsoft-IIS/5.0 sites, Roman Medina and Rafael Nunez have each published the sources to programs written to exploit the vulnerability.
Additionally, David Litchfield has produced a paper emphasizing that the problem lies in a core Windows 2000 DLL, which can be exploited without recourse to the published Microsoft-IIS WebDAV vulnerability.
Expert opinion is that no unpatched Windows 2000 machines are safe.
Netcraft's network exploration services may be useful for people managing large networks of Windows 2000 servers. In particular, we can report machines not yet rebooted since the availability of Microsoft's patch and determine availability of WebDAV functionality on those machines.
Please mail us if interested.