just for your info regarding the new variant of slapper using a different proc name, in case anyone's interested.
fragga

----- Original Message -----
From: "Tom Sands" <[EMAIL PROTECTED]>
To: "H. Morrow Long" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, September 23, 2002 10:22 AM
Subject: Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)

> Quick Cleanup of new variant:
>
> Quick details... The new worm is using httpd as its process name... The
> way to tell this apart would be with ps auwx.
>
> Look at the difference...
>
> [server@server1 tmp]$ ps auwx | grep httpd
> root       893  0.0  2.9  49144  7428 ?  S  Sep20   0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache    5229 35.8 23.9 777676 60984 ?  S  Sep21 876:30 httpd
> apache   19017  0.0  2.9  49312  7636 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19018  0.0  3.0  49308  7872 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19019  0.0  2.9  49244  7624 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19020  0.0  2.9  49280  7616 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19021  0.0  3.0  49272  7724 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19022  0.0  2.9  49248  7548 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19023  0.0  3.0  49252  7752 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19024  0.0  2.9  49216  7472 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19325  0.0  3.4 728204  8736 ?  S  04:24   0:00 httpd
>
> Can you guess which ones don't belong there?
>
> If you guessed PID 5229 and 19325 you are correct.
>
> Please be on the lookout for a process named "update" running as the
> apache user. This is a backdoor program.
>
> [server@server1 tmp]$ ps auwx | grep update | grep apache
> apache    5231  0.0  0.1   1352   280 ?  S  Sep21   0:00 update
> apache    5441  0.0  0.1   1348   276 ?  S  Sep21   0:00 update
> apache    5595  0.0  0.1   1348   280 ?  S  Sep21   0:00 update
>
> Quick clean up instructions (as root):
>
> 1. Locate and kill the worm process.
>
> netstat -anp | grep 4156 | grep -i UDP
> pstree -p PID#
> kill -9 PID#
>
> 2. Locate and kill the backdoor process.
>
> ps -aux | grep update | grep apache
> pstree -p PID#
> kill -9 PID#
>
> 3. Disable .unlock
>
> cd /tmp
> chown root.root .unlock
> chmod 000 .unlock
>
> --
> Tom Sands
> Chief Network Engineer
> Rackspace Managed Hosting
> (210)892-4000
>
> H. Morrow Long wrote:
>
> > Several (see http://diswww.mit.edu/charon/nanog/52239) have noticed
> > Slapper using UDP port 4156 today (and apparently yesterday as well
> > as I can see from netflow logs).
> >
> > I've also noticed a Slapper variant apparently using UDP port 1978
> > today as well (one of our hosts on which Slapper is no longer active
> > is continuing to receive UDP packets to and from port 1978 from many
> > Internet sites).
> >
> > H. Morrow Long
> > University Information Security Officer
> > Director, Information Security Office
> > Yale University, ITS
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management and
> > tracking system please see: http://aris.securityfocus.com

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
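A defender's check for the indicators Tom Sands describes above, as an added example (not code from the thread, Rackspace or SecurityFocus): it parses `ps auwx` and `netstat -anp` output and flags a bare `httpd` command with no path or flags, an `update` process owned by the web-server user, and UDP sockets bound to the ports named in the thread. The sample output is constructed after the lines quoted above; the user name `apache` and the port set {2002, 1978, 4156} are assumptions taken from the thread.

```python
import re

# Constructed sample of `ps auwx` output, modelled on the thread: legitimate
# Apache children carry the full path and -D flags, the worm is a bare "httpd",
# the backdoor is "update" running as the apache user.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       893  0.0  2.9  49144  7428 ?        S    Sep20   0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache    5229 35.8 23.9 777676 60984 ?        S    Sep21 876:30 httpd
apache   19017  0.0  2.9  49312  7636 ?        S    04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19325  0.0  3.4 728204  8736 ?        S    04:24   0:00 httpd
apache    5231  0.0  0.1   1352   280 ?        S    Sep21   0:00 update
root      1201  0.0  0.1   1352   280 ?        S    Sep21   0:00 update
"""

# Constructed sample of `netstat -anp` output with one worm UDP listener.
SAMPLE_NETSTAT = """\
udp        0      0 0.0.0.0:4156            0.0.0.0:*                           5229/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           612/ntpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      893/httpd
"""

WEB_USER = "apache"                 # assumption: the web-server account from the thread
WORM_UDP_PORTS = {2002, 1978, 4156}  # ports reported in the thread

def parse_ps(text):
    """Yield (user, pid, command) from BSD-style ps output, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split(None, 10)   # 11 columns; command keeps its spaces
        if len(fields) == 11:
            yield fields[0], int(fields[1]), fields[10]

def suspicious_processes(ps_text):
    """PIDs of a bare 'httpd' (no path, no flags) or of 'update' owned by WEB_USER."""
    hits = []
    for user, pid, cmd in parse_ps(ps_text):
        if cmd == "httpd" or (user == WEB_USER and cmd == "update"):
            hits.append(pid)
    return hits

def worm_udp_sockets(netstat_text):
    """(pid, port) pairs for UDP sockets bound to one of the known worm ports."""
    hits = []
    for line in netstat_text.splitlines():
        m = re.match(r"udp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+(\d+)/", line)
        if m and int(m.group(1)) in WORM_UDP_PORTS:
            hits.append((int(m.group(2)), int(m.group(1))))
    return hits
```

Run it against live `ps auwx` and `netstat -anp` output by reading stdin into the two functions; PIDs it returns are candidates for the `pstree -p` check in the cleanup steps above, not proof on their own.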
