Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)

From: Tom Sands (tsandsat_private)
Date: Mon Sep 23 2002 - 08:22:32 PDT


    Quick Cleanup of new variant:
    
    Quick details... The new worm is using httpd as its process name... The
    way to tell this apart would be with ps auwx.
    
    Look at the difference...
    
    [server@server1 tmp]$ ps auwx | grep httpd
    root       893  0.0  2.9 49144 7428 ?        S    Sep20   0:02
    /usr/sbin/httpd -DHAVE_ACCESS -DHN
    apache    5229 35.8 23.9 777676 60984 ?      S    Sep21 876:30 httpd
                    
    apache   19017  0.0  2.9 49312 7636 ?        S    04:02   0:00
    /usr/sbin/httpd -DHAVE_ACCESS -DHN
    apache   19018  0.0  3.0 49308 7872 ?        S    04:02   0:00
    /usr/sbin/httpd -DHAVE_ACCESS -DHN
    apache   19019  0.0  2.9 49244 7624 ?        S    04:02   0:00
    /usr/sbin/httpd -DHAVE_ACCESS -DHN
    apache   19020  0.0  2.9 49280 7616 ?        S    04:02   0:00
    /usr/sbin/httpd -DHAVE_ACCESS -DHN
    apache   19021  0.0  3.0 49272 7724 ?        S    04:02   0:00
    /usr/sbin/httpd -DHAVE_ACCESS -DHN
    apache   19022  0.0  2.9 49248 7548 ?        S    04:02   0:00
    /usr/sbin/httpd -DHAVE_ACCESS -DHN
    apache   19023  0.0  3.0 49252 7752 ?        S    04:02   0:00
    /usr/sbin/httpd -DHAVE_ACCESS -DHN
    apache   19024  0.0  2.9 49216 7472 ?        S    04:02   0:00
    /usr/sbin/httpd -DHAVE_ACCESS -DHN
    apache   19325  0.0  3.4 728204 8736 ?       S    04:24   0:00 httpd
                    
    
    Can you guess which ones don't belong there?
    
    If you guessed PID 5229 and 19325 you are correct.
    
    Please be on the lookout for a process named "update" running as the
    apache user.  This is a backdoor program.
    
    [server@server1 tmp]$ ps auwx | grep update | grep apache
    apache    5231  0.0  0.1  1352  280 ?        S    Sep21   0:00 update
    apache    5441  0.0  0.1  1348  276 ?        S    Sep21   0:00 update
    apache    5595  0.0  0.1  1348  280 ?        S    Sep21   0:00 update
    
    Quick clean up instructions (as root):
    
    1. Locate and kill the worm process.
    
    netstat -anp | grep 4156 | grep -i UDP
    pstree -p  PID#
    kill -9 PID#
    
    2. Locate and kill the backdoor process.
    
    ps -aux | grep update | grep apache
    pstree -p  PID#
    kill -9 PID#
     
    3. Disable .unlock
    
    cd /tmp
    chown root.root .unlock
    chmod 000 .unlock
    
    
    
    -- 
    Tom Sands
    Chief Network Engineer
    Rackspace Managed Hosting
    (210)892-4000
    
    
    
    
    H. Morrow Long wrote:
    
    > Several (see http://diswww.mit.edu/charon/nanog/52239) have noticed
    > Slapper using UDP port 4156 today (and apparently yesterday as well
    > as I can see from netflow logs).
    >
    > I've also noticed a Slapper variant apparently using UDP port 1978
    > today as well (one of our hosts on which Slapper is no longer active
    > is continuing to receive UDP packets to and from port 1978 from many
    > Internet sites).
    >
    > H. Morrow Long
    > University Information Security Officer
    > Director, Information Security Office
    > Yale University, ITS
    >
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
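As an added example (not Tom's code, and not part of the original post), a small sh script that applies the checks described above to ps and netstat output: a bare "httpd" command name where the real servers show "/usr/sbin/httpd -D..." (that path is taken from the post's listing and is an assumption for other hosts), an "update" process owned by apache, and UDP sockets on the ports named in the thread (2002, 1978, 4156). The sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Flags the indicators the post
# describes: in "ps auwx" output, a process whose command is a bare "httpd"
# (the real servers in the post show "/usr/sbin/httpd -D...") and an "update"
# process owned by apache; in "netstat -anp" output, UDP sockets on the
# ports named in the thread (2002, 1978, 4156). Tune the path check to how
# your own httpd is started, or it will flag a legitimately bare name.

# Constructed sample in the post's ps format, wrapped command lines rejoined.
SAMPLE_PS='root       893  0.0  2.9  49144  7428 ? S Sep20   0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache    5229 35.8 23.9 777676 60984 ? S Sep21 876:30 httpd
apache   19017  0.0  2.9  49312  7636 ? S 04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19325  0.0  3.4 728204  8736 ? S 04:24   0:00 httpd
apache    5231  0.0  0.1   1352   280 ? S Sep21   0:00 update
root      1201  0.0  0.1   1352   280 ? S Sep21   0:00 update'

# Constructed sample netstat -anp lines (PID/Program is the last field).
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:4156    0.0.0.0:*    5229/httpd
udp        0      0 0.0.0.0:53      0.0.0.0:*    612/named
tcp        0      0 0.0.0.0:80      0.0.0.0:*    LISTEN 893/httpd'

# Reads ps auwx output on stdin; prints "PID reason" per suspicious process.
flag_slapper_procs() {
    awk '$1 == "USER" { next }
         $11 == "httpd" { print $2, "bare httpd command, no path (worm child?)" }
         $11 == "update" && $1 == "apache" { print $2, "update owned by apache (backdoor)" }'
}

# Reads netstat -anp output on stdin; prints "PID port" for Slapper-variant UDP ports.
flag_slapper_udp() {
    awk '$1 == "udp" { port = $4; sub(/.*:/, "", port)
                       if (port == 2002 || port == 1978 || port == 4156) {
                           split($NF, prog, "/"); print prog[1], "UDP port " port }
                     }'
}

# Wrappers over the samples, returning space-separated PIDs (used by the checks).
suspicious_pids() { printf '%s\n' "$SAMPLE_PS" | flag_slapper_procs | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'; }
udp_pids()        { printf '%s\n' "$SAMPLE_NETSTAT" | flag_slapper_udp | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'; }

# Live use on a host: ps auwx | flag_slapper_procs ; netstat -anp | flag_slapper_udp
```

On the sample data the script reports PIDs 5229, 19325 and 5231 from ps and 5229 from netstat, matching the two httpd children and the update backdoor singled out in the post.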
    



    This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 08:27:58 PDT