slapper worm
Michael Mansour
mic at npgx.com.au
Tue Jan 24 20:42:05 UTC 2006
Hi Mike,
> Gene Heskett wrote:
> > On Tuesday 24 January 2006 14:20, Mike Klinke wrote:
> >
> >>On Tuesday 24 January 2006 13:08, Mike McCarty wrote:
> >>
> >>>I'm a little shocked at this, frankly. I Googled around, and
> >>>found mentions of the Slapper going back to 2002. Why is it that
> >>>this exploit (and variations of it) haven't all been stamped
> >>>out years ago?
> >>
> >>Read the link I posted yesterday, according to them, it's been
> >>rewritten to exploit new ways to get in to your box.
> >>
> >>http://www.lurhq.com/slapperv2.html
> >>
> >
> > If this file mentioned on the site doesn't exist on any of my systems,
> > is it safe to assume relative safety against this attack?
> >
> > I would think so when combined with the ISP's (vz) blocking of port 80,
> > but what do I know... That's why I asked, Mike.
>
> I suppose you mean "Mike Klinke" and not "Mike McCarty" :-)
>
> I dunno. I just ran
>
> # find / -name xmlrpc.php -print
You should be able to use "locate" for speed in searching; prior to that you
may run "updatedb&" to update the slocate database.
> and didn't come up with anything. But that's expected, since
> I run behind a router set up as a firewall, completely stealth
> except for the e-mail challenge port (which is closed). A
>
> $ ps -A | grep pache
I think you would need to look for the "http" process.
> $ ps -A | grep ssl
You should do a "netstat -na | grep SYN"; if you see a lot of those, then
slapper is there DOS attacking people.
Michael.
> doesn't show anything, so Apache isn't running, and I guess
> SSL isn't either.
>
> Mike
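
The checks discussed in this thread, collected into one script as an added example (not part of the original message). The function names and the sample netstat output are constructed for illustration, and the field positions assume Linux net-tools "netstat -na" output.

```shell
#!/bin/sh
# Added example: repeatable versions of the checks discussed in the thread.
# Field positions assume Linux net-tools "netstat -na" output (assumption).

# Count TCP sockets in each SYN state from netstat output on stdin.
# SYN_SENT = connection attempts leaving this host; SYN_RECV = half-open inbound.
syn_counts() {
    awk '$1 ~ /^tcp/ && $6 ~ /^SYN_/ { n[$6]++ }
         END { printf "SYN_SENT=%d SYN_RECV=%d\n", n["SYN_SENT"], n["SYN_RECV"] }'
}

# Break outbound SYN_SENT sockets down by remote port ("port count" per line).
syn_sent_by_port() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_SENT" { sub(/.*:/, "", $5); c[$5]++ }
         END { for (p in c) print p, c[p] }' | sort -k2,2nr
}

# List every xmlrpc.php below a directory (default /), hiding permission errors.
find_xmlrpc() {
    find "${1:-/}" -name xmlrpc.php -print 2>/dev/null
}

# Constructed sample input; addresses are from documentation ranges.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      1 192.0.2.10:41022        198.51.100.7:80         SYN_SENT
tcp        0      1 192.0.2.10:41023        198.51.100.8:80         SYN_SENT
tcp        0      1 192.0.2.10:41024        203.0.113.9:80          SYN_SENT
tcp        0      0 192.0.2.10:22           203.0.113.50:50111      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.60:51500      ESTABLISHED'

printf '%s\n' "$SAMPLE" | syn_counts        # prints SYN_SENT=3 SYN_RECV=1
printf '%s\n' "$SAMPLE" | syn_sent_by_port  # prints 80 3
# Live use: netstat -na | syn_counts ; find_xmlrpc /
```

Separating SYN_SENT from SYN_RECV matters because a plain "grep SYN" mixes outbound connection attempts with inbound half-open ones, and only the former originate from the local host.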