-----Original Message-----
From: Pradeep_Dany
Sent: Wednesday, September 25, 2002 11:50 AM
To: SIG_Linux
Cc: Antivirus_Admin (Global)
Subject: Apache_mod_ssl Worm
Importance: High
FYI
Regards
Pradeep
-----Original Message-----
From: David Banes [<mailto:sarc@xxxxxxxxxxxx>]
Sent: Monday, September 23, 2002 10:10 AM
To: SARC-L@xxxxxxxxxxxxxxxxxxxx
Subject: Symantec Security Response - September 2002 Newsletter
Viruses, Worms & Trojans
------------------------------------------------------------------------------------------------------------
Apache_mod_ssl Worm    Risk: High
(Linux.Slapper.Worm)
Platforms Affected - Linux
Components Affected
- Red-Hat: Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.26
- SuSE: Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23
- Mandrake: Apache 1.3.14, 1.3.19, 1.3.20, 1.3.23
- Slackware: Apache 1.3.26
- Debian: Apache 1.3.26
Overview
The Symantec DeepSight Threat Analyst Team has learned of the existence of
a new exploit for the OpenSSL SSLv2 Malformed Client Key Remote Buffer
Overflow vulnerability, targeting Apache Web servers hosted on various
Linux platforms.
This also includes a number of peer-to-peer capabilities, which allow it
to communicate with other clients, and participate in a Distributed Denial
of Service (DDoS) network. To perform these activities, the exploit code
listens on UDP port 2002.
The exploit further exhibits worm behavior in that indications are that,
once it is set up, it scans and attempts to propagate by infecting other
vulnerable systems. It is confirmed through various sources that this worm
is in the wild and actively attacking other servers. Over 3500 IP
addresses have been recorded as being the source of scanning and
associated activity, according to DeepSight Threat Management System data
and other sources.
Description
The exploit code analysed by the Symantec DeepSight Threat Analyst Team
targets the Apache Web server on a number of Linux operating system
distributions, including versions of RedHat, Slackware, Debian, SuSE, and
Mandrake. By sending a malformed client key, the exploit opens a shell on
the client machine, which is then used to upload the exploit source code
in a uuencoded format. Using the same shell, it then uudecodes and
compiles the source and runs it with an IP address as a parameter. Once
certain pre-conditions are met, the exploit appears to scan and target
vulnerable machines.
Recommendations
The worm can be killed using the Unix "kill" command, using the process id
of the ".bugtraq" process. The following three files can also be removed:
/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq
Only the "/tmp/.bugtraq" file contains an executable binary of the worm.
There do not appear to be any instructions allowing the worm to restart
in the event of a system reset.
NOTE: If you suspect that a system has been compromised, isolate the
infected system(s) quickly to prevent further compromise of enterprise
systems. Perform forensic analysis and restore the system from trusted
media.
References
<http://securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html>