Quick Cleanup of new variant:

Quick details... The new worm is using httpd as its process name... The way to tell this apart would be with ps auwx. Look at the difference...

[server@server1 tmp]$ ps auwx | grep httpd
root      893  0.0  2.9  49144  7428 ?  S  Sep20   0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   5229 35.8 23.9 777676 60984 ?  S  Sep21 876:30 httpd
apache  19017  0.0  2.9  49312  7636 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache  19018  0.0  3.0  49308  7872 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache  19019  0.0  2.9  49244  7624 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache  19020  0.0  2.9  49280  7616 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache  19021  0.0  3.0  49272  7724 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache  19022  0.0  2.9  49248  7548 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache  19023  0.0  3.0  49252  7752 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache  19024  0.0  2.9  49216  7472 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache  19325  0.0  3.4 728204  8736 ?  S  04:24   0:00 httpd

Can you guess which ones don't belong there? If you guessed PID 5229 and 19325 you are correct.

Please be on the lookout for a process named "update" running as the apache user. This is a backdoor program.

[server@server1 tmp]$ ps auwx | grep update | grep apache
apache   5231  0.0  0.1   1352   280 ?  S  Sep21   0:00 update
apache   5441  0.0  0.1   1348   276 ?  S  Sep21   0:00 update
apache   5595  0.0  0.1   1348   280 ?  S  Sep21   0:00 update

Quick clean up instructions (as root):

1. Locate and kill the worm process.
   netstat -anp | grep 4156 | grep -i UDP
   pstree -p PID#
   kill -9

2. Locate and kill the backdoor process.
   ps -aux | grep update | grep apache
   pstree -p PID#
   kill -9

3. Disable .unlock
   cd /tmp
   chown root.root .unlock
   chmod 000 .unlock

--
Tom Sands
Chief Network Engineer
Rackspace Managed Hosting
(210)892-4000

H. Morrow Long wrote:
> Several (see http://diswww.mit.edu/charon/nanog/52239) have noticed
> Slapper using UDP port 4156 today (and apparently yesterday as well
> as I can see from netflow logs).
>
> I've also noticed a Slapper variant apparently using UDP port 1978
> today as well (one of our hosts on which Slapper is no longer active
> is continuing to receive UDP packets to and from port 1978 from many
> Internet sites).
>
> H. Morrow Long
> University Information Security Officer
> Director, Information Security Office
> Yale University, ITS

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and
tracking system please see: http://aris.securityfocus.com
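The spot-the-difference heuristic from Tom Sands' post, turned into a check that can be run over `ps auwx` output. This is an added example, not part of the original post: it flags apache-owned processes whose command is a bare `httpd` (or any httpd not launched from the assumed install path `/usr/sbin/httpd`) and the `update` backdoor, and it also reports the oversized VSZ the worm processes showed. The listing below is a constructed sample modelled on the post.

```python
# Added example (not from the original post): apply the detection heuristic
# described above to `ps auwx` output. Legitimate Apache workers are launched
# as /usr/sbin/httpd with arguments; the worm shows up as a bare "httpd" and
# its backdoor as "update", both owned by the apache user.

# Constructed sample modelled on the listing in the post (not a real capture).
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 893 0.0 2.9 49144 7428 ? S Sep20 0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 5229 35.8 23.9 777676 60984 ? S Sep21 876:30 httpd
apache 19017 0.0 2.9 49312 7636 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 19325 0.0 3.4 728204 8736 ? S 04:24 0:00 httpd
apache 5231 0.0 0.1 1352 280 ? S Sep21 0:00 update
"""

EXPECTED_HTTPD = "/usr/sbin/httpd"   # assumed install path, as in the post
VSZ_LIMIT_KB = 200_000               # assumed: legit workers sit near 49 MB


def parse_ps(text):
    """Split `ps auwx` output into dicts; COMMAND keeps its spaces."""
    rows = []
    for line in text.splitlines()[1:]:      # skip the header line
        parts = line.split(None, 10)        # 11 columns, last is COMMAND
        if len(parts) < 11:
            continue
        rows.append({"user": parts[0], "pid": int(parts[1]),
                     "vsz": int(parts[4]), "cmd": parts[10]})
    return rows


def find_suspects(rows):
    """Map PID -> reason for every apache-owned process matching the
    worm/backdoor pattern. A worker started as EXPECTED_HTTPD is trusted."""
    found = {}
    for r in rows:
        argv0 = r["cmd"].split()[0]
        if r["user"] != "apache" or argv0 == EXPECTED_HTTPD:
            continue
        if argv0.rsplit("/", 1)[-1] == "httpd":
            reason = "httpd not launched from %s" % EXPECTED_HTTPD
            if r["vsz"] > VSZ_LIMIT_KB:
                reason += " (oversized VSZ %d kB)" % r["vsz"]
            found[r["pid"]] = reason
        elif argv0 == "update":
            found[r["pid"]] = "update backdoor"
    return found


if __name__ == "__main__":
    for pid, why in sorted(find_suspects(parse_ps(SAMPLE_PS)).items()):
        print("PID %d: %s" % (pid, why))
```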
This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 08:27:58 PDT