Slapper questions

From: Griff Palmer (griffjoat_private)
Date: Wed Oct 23 2002 - 12:42:41 PDT

Next message: Jérôme Tytgat: "Re: Invalid IP address"

Previous message: Gary Flynn: "Re: Unusual ICMP Traffic"
Next in thread: Stephen Smoogen: "Re: Slapper questions"
Reply: Stephen Smoogen: "Re: Slapper questions"
Reply: Hugo van der Kooij: "Re: Slapper questions"
Reply: Cian Whalley: "Re: Slapper questions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello:

I'm trying to learn more about how the Apache/mod_ssl worm variants operate.

Last month chkrootkit discovered evidence of the Slapper worm on my RedHat 
7.2 server. I found .bugtraq.c in my /tmp directory and eliminated it. I 
updated my openssl to 0.9.6g-1. I blocked port 443 on my firewall.

I keep my ftp daemon stopped except for occasional short periods when I need 
to use it. I've been leaving port 23 open and making my ssh host listen on 
port 23. (My employer's firewall blocks traffic on port 22, forcing me to go 
to the port 23 setup.)

Regular scans with chkrootkit since then have shown no signs of the slapper 
worm's presence. 

This morning I received an e-mail bounce from cinik_wormat_private 
(apparently Yahoo has disabled that address). A search on cinik led me to the 
latest CERT bulletin, which showed information about the slapper B and C 
variants.

After reading the bulletin I discovered the presence of cinik.c and cinik.go 
in my /tmp directory, which I eliminated.

I also discovered an active .bugtraq process on my machine and killed it.

I've blocked UDP packets on ports 1812 and 1813. (Looking at the CERT 
bulletin it looks as if I should also block 1978, 2002 and 4156.) I've 
commented out the listen 443 line in my httpd.conf file.

At this point I'm confused about the mechanics of the infection process and 
about what further steps I may need to take to fully eliminate infection and 
harden my server.

Is Port 23 an avenue of infection? Does upgrading to openssl-0.9.6g-1 not 
eliminate vulnerability to compromise? Is it possible that I missed the 
C-variant code when I discovered the .bugtraq code, and that the C variant 
code has lingered on my machine since then? I'm using chkrootkit-0.37. Is it 
able to detect the B and C variants as well as A variants? 

I've run ps on my machine many times since chkrootkit discovered the Slapper 
A variant. Those checks showed no presence of the .bugtraq process. (I even 
downloaded and installed new system binaries in case any of those had been 
subverted.)

The .bugtraq process showed up after I upgraded my kernel this morning. Is it 
possible that my earlier kernel had been compromised and that the .bugtraq 
process was being hidden?

Any advice appreciated.

							Griff Palmer

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Jérôme Tytgat: "Re: Invalid IP address"
Previous message: Gary Flynn: "Re: Unusual ICMP Traffic"
Next in thread: Stephen Smoogen: "Re: Slapper questions"
Reply: Stephen Smoogen: "Re: Slapper questions"
Reply: Hugo van der Kooij: "Re: Slapper questions"
Reply: Cian Whalley: "Re: Slapper questions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 16:00:21 PDT