On Wed, 23 Oct 2002, Griff Palmer wrote:
> I'm trying to learn more about how the Apache/mod_ssl worm variants operate.
>
> Last month chkrootkit discovered evidence of the Slapper worm on my RedHat
> 7.2 server. I found .bugtraq.c in my /tmp directory and eliminated it. I
> updated my openssl to 0.9.6g-1. I blocked port 443 on my firewall.
Did you relink all the software that does use openssl as well?
...
> I've blocked UDP packets on ports 1812 and 1813. (Looking at the CERT
> bulletin it looks as if I should also block 1978, 2002 and 4156.) I've
> commented out the listen 443 line in my httpd.conf file.
The only sane blocking rules are to block everything and open up those
port you must absolutely use. It seems you have not done so yet.
Hugo.
--
All email sent to me is bound to the rules described on my homepage.
hvdkooijat_private http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 12:43:41 PDT