Re: Linux Slapper worm - New variants ?


>> ... possible Linux slapper worm activity on one of our Linux servers ... <<

I had slapper A on a web server briefly. So I'll pass along what little I know.

I say briefly because a power outage had caused a server restart. When I got there to install the software updates, I had all the signs of slapper, but it wasn't running.

I found these files on the server:
and deleted them.

But, the command:
    fuser -n udp 2002
did not find a process on the slapper A port; apparently the result of the power outage.

I now routinely use:
    nmap -sU -p 1-65355 -P0 xxx.xxx.xxx.xxx
    nmap -p 1-65355 -P0 xxx.xxx.xxx.xxx
to look for incorrectly open ports.

And I use netwatch to look at traffic in real time. What I see recently is very little UDP 2002 activity, but fairly regular UDP 1812 traffic. Netwatch also shows me that my server is not replying to these packets.

If there's a new variant, I'm not aware of it.

I hope that helps,

Cliff Kent
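
The `fuser -n udp 2002` check in the message above asks whether any process holds UDP port 2002. The following is an added example, not part of the original message: it answers the same question by parsing the kernel socket table in `/proc/net/udp` format. The function names and the sample table are constructed for illustration, and the address decoding assumes a little-endian host such as x86.

```python
import socket

SLAPPER_A_UDP_PORT = 2002  # the port checked with fuser in the message above

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 1002
   2: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1003
"""

def parse_udp_table(text):
    """Yield (ip, port, uid, inode) per socket row; malformed rows are skipped."""
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10 or ":" not in fields[1]:
            continue
        addr_hex, port_hex = fields[1].split(":")
        try:
            # IPv4 address is stored as little-endian hex (assumption: x86 host).
            ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
            yield ip, int(port_hex, 16), int(fields[7]), int(fields[9])
        except (ValueError, OSError):           # bad hex or non-IPv4 length
            continue

def find_listeners(text, ports=(SLAPPER_A_UDP_PORT,)):
    """Return the rows whose local port is in `ports`."""
    wanted = set(ports)
    return [row for row in parse_udp_table(text) if row[1] in wanted]

if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:       # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_UDP             # fall back to the constructed sample
    for ip, port, uid, inode in find_listeners(table):
        print(f"UDP {ip}:{port} is bound, uid={uid}, socket inode={inode}")
```

An empty result matches what the message reports after the restart: the files are on disk but nothing is bound to the port. A hit gives the owning uid and the socket inode to trace back to a process.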

