[CTS] Re: LINUX WORM SLAPS APACHE WEB ADMINS

  • From: "Russ Blakeman" <rhb57@xxxxxxx>
  • To: <computertalkshop@xxxxxxxxxxxxx>
  • Date: Mon, 16 Sep 2002 17:58:18 -0500

Man the things I could do with an anonymous rerouted email addy and a copy
of that attachment locally...(I can dream can't I??)

-> -----Original Message-----
-> From: computertalkshop-bounce@xxxxxxxxxxxxx
-> [mailto:computertalkshop-bounce@xxxxxxxxxxxxx]On Behalf Of Charles R.
-> Buchanan
-> Sent: Monday, September 16, 2002 4:45 PM
-> To: Computertalk Mailing List
-> Subject: [CTS] LINUX WORM SLAPS APACHE WEB ADMINS
->
->
->
-> VIRUS ALERT
->
->
-> SLAPPER:
-> LINUX WORM SLAPS APACHE WEB ADMINS
->
->
-> DATE:
-> September 16, 2002
->
->
->
->
-> Some URLs in the article below may wrap to a second line. When that
-> occurs, clicking on them does not work. To follow a multi-line link,
-> please copy and paste its parts into your browser's address window
-> to reassemble it into a working URL. For an easier-to-read HTML
-> version of this article with live links, go to:
-> https://www3.watchguard.com/archive/showhtml.asp?pack=135184
->
-> ---------------------------------------------------------------
->
->
-> ABOUT THE VIRUS
->
-> Discovered September 13, Slapper is a new Linux-based worm that
-> takes advantage of past OpenSSL vulnerabilities described in our
-> July 30 Information Alert
-> <https://www3.watchguard.com/archive/showhtml.asp?pack=135151>.
-> Slapper is not your normal e-mail-based worm. Rather, it targets
-> Linux Apache servers, the most popular Web servers on the Internet,
-> and creates what could best be described as a peer-to-peer network
-> of zombie servers that the virus author can use in Distributed
-> Denial of Service (DDoS) attacks.
->
-> Slapper had already infected over 3500 servers when Symantec posted
-> this advisory:
-> <http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html>.
-> A report from F-Secure
-> <http://www.internetwk.com/security02/INW20020916S0001>
-> updated Monday morning stated 11,200 systems had been infected,
-> indicating that the worm is spreading rapidly. An advisory
-> <http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21130>
-> from Internet Security Systems (ISS) reports that the DDoS features
-> of the worm have already been used to attack and disable high-
-> profile targets.
->
-> Slapper begins its attack looking for Web servers by scanning ranges
-> of IP addresses on TCP port 80. When it finds a Web server, the worm
-> sends a purposely invalid HTTP GET request, hoping that the Web
-> server will reply with an error message. The error message tells
-> Slapper whether or not it has found a susceptible Apache server.
->
-> When Slapper finds a vulnerable server, it then sends a specially-
-> crafted, overly-long string to the server on the SSL port (TCP 443).
-> If you have not patched your server for the OpenSSL vulnerability,
-> Slapper gains root access using this exploit. Then it copies itself
-> to your machine as source code (/tmp/.bugtraq.c), and compiles
-> itself locally (/tmp/.bugtraq). Uploading itself as source rather
-> than as an executable helps the worm ensure stability regardless of
-> which flavor of Linux it encounters. Once Slapper has infected your
-> server, it starts scanning for more vulnerable servers on the
-> Internet and repeats the infection process.
->
-> Besides spreading itself, Slapper also installs something like a
-> peer-to-peer service on your server, listening on UDP port 2002. The
-> virus author can send commands to this port to do the following:
->
-> * Execute code on your server
-> * Execute both TCP and TCP IPv6 flood attacks
-> * Execute UDP flood attacks
-> * Execute DNS flood attacks
-> * Search your machine for all its stored e-mail addresses
-> * Send messages to other zombie machines in Slapper's peer-to-
->   peer network
->
-> In short, once Slapper has infected your machine the virus author
-> gains total control and can use your server in DDoS attacks.
->
->
-> WHAT YOU CAN DO
->
-> This is not an email-borne worm. Slapper only attacks Linux-based,
-> Apache Web servers. If you use a Linux Apache server and followed
-> the advice in our July 30 Information Alert
-> <https://www3.watchguard.com/archive/showhtml.asp?pack=135151>,
-> you're not vulnerable to Slapper infection. Otherwise, upgrade to
-> the latest version of OpenSSL immediately.
->
-> Administrators can also mitigate the chance of infection by
-> disabling Apache's SSL features if not used. Refer to the directions
-> in the "Recommendations" section of ISS's advisory for details
-> <http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21130>.
->
-> Finally, most anti-virus vendors have released engine updates to
-> detect Slapper. Administrators should contact their anti-virus
-> vendor for the latest virus definitions.
->
->
-> -- Suggestions for SOHO and Firebox users
->
-> Slapper infects using normal Web and Secure Web traffic. If you have
-> a secure Web server, you must allow this traffic for clients to
-> access your Web site. Therefore, the solutions above are your
-> primary recourse. However, both the SOHO and Firebox deny incoming
-> UDP port 2002 by default. As long as you have not added a custom
-> service allowing this port, an attacker cannot use your Web server
-> in a DDoS attack based on a Slapper infection.
->
->
-> -- Suggestions for ServerLock and AppsLock/Web users
->
-> Currently, Slapper only works on Linux machines, and thus would not
-> affect servers protected by ServerLock. However, Slapper is a
-> variant of a previous worm and, like most Linux applications, is
-> easily modified. If a variant of Slapper emerges which works on
-> Solaris or Windows machines, we will alert you. In any case,
-> ServerLock prevents your critical files from being damaged by
-> Slapper or any other worm. ##
->
->
-> Credits: this alert researched and written by Corey Nachreiner.
-> ---
-> Look OUT you varmits, This msg is Virus Free!
-> Checked by AVG anti-virus system (http://www.grisoft.com).
-> Version: 6.0.386 / Virus Database: 218 - Release Date: 9/9/2002


--------------------------------------------------------------------------------
Computer Talk Shop http://www.computertalkshop.com
Un-subscribe/Vacation, http://szaroconsulting.com/cts/list_options.htm

List HowTo: http://szaroconsulting.com/cts/faq

To join Computer Talk Shop's off topic list, please goto:
http://szaroconsulting.com/cts/other_cts_lists.htm
---------------------------------------------------------------------------------

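As an added defender-side example, not part of the WatchGuard alert or of this list thread: a POSIX shell check for the two host indicators the alert names, the worm's dropped source and compiled binary in /tmp and a socket bound to UDP port 2002. The paths and the port number come from the alert; the function names are my own, and the /proc/net/udp table embedded below is constructed for the demonstration (the real table on a Linux host has the same column layout, with port numbers in hex).

```shell
#!/bin/sh
# Added example: host checks for the Slapper indicators named in the alert.
# Paths and port are from the alert; function names and the sample
# /proc/net/udp table are this example's own (constructed) material.

SLAPPER_FILES="/tmp/.bugtraq.c /tmp/.bugtraq"
SLAPPER_PORT=2002

# Return 0 (true) if any path listed in $1 exists on this host, 1 otherwise.
slapper_files_present() {
    found=1
    for f in $1; do
        if [ -e "$f" ]; then
            echo "indicator: $f exists"
            found=0
        fi
    done
    return $found
}

# Return 0 if a UDP socket is bound to port $2, reading a table in
# /proc/net/udp format from file $1. Column 2 is local_address as
# HEXIP:HEXPORT; the first line is a header and is skipped.
slapper_udp_listener() {
    hexport=$(printf '%04X' "$2")
    awk -v p="$hexport" 'NR > 1 { split($2, a, ":"); if (a[2] == p) found = 1 }
                         END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample resembling /proc/net/udp: a DNS client socket on
# 127.0.0.1:53 plus a listener bound to 0.0.0.0:2002 (07D2 hex), which is
# what an infected host would show for the worm's peer-to-peer service.
SAMPLE_UDP=$(mktemp)
cat > "$SAMPLE_UDP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234 2 00000000
   1: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5678 2 00000000
EOF

if slapper_udp_listener "$SAMPLE_UDP" "$SLAPPER_PORT"; then
    echo "indicator: UDP port $SLAPPER_PORT is bound (constructed sample table)"
fi
rm -f "$SAMPLE_UDP"

# On a live host the same functions read the real kernel table:
#   slapper_files_present "$SLAPPER_FILES"
#   slapper_udp_listener /proc/net/udp "$SLAPPER_PORT"
```

These checks only confirm an infection that is still present; a missing listener or a cleaned /tmp proves nothing, so the OpenSSL upgrade the alert calls for remains the actual fix. Where a Linux box sits in front of the web server, `iptables -A INPUT -p udp --dport 2002 -j DROP` gives the same default the alert attributes to the SOHO and Firebox, which stops the command channel but not the infection itself.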
