This is about a week old, but no one has posted it so far and someone
posted it in another group so I'm just forwarding it.
This only concerns those running Linux Apache with mod_ssl installed.

Den


-----Original Message-----
From: gary [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 26, 2002 10:07 AM
To: [EMAIL PROTECTED]
Subject: [PCExchange] news: Network savvy Linux Apache worm Slapper


looks like the guy who made this slapper thing knew what he was 
doing.. gary 8)

============
Network savvy Linux Apache worm Slapper
http://www.cnet.com/software/0-7760531-8-20418637-1.html
By Robert Vamosi
Worm uses own channel to set up a denial-of-service-attack network.

(9/16/02)

Slapper (Linux.Slapper.a) is a worm that attacks Linux servers 
running Apache with mod_ssl and uses a known vulnerability in the 
Secure Sockets Layer (SSL) handshake process. According to F-Secure, 
an antivirus-software company, the Apache service runs on more than 
60 percent of the public Web sites, although only 10 percent of those 
have SSL enabled. Slapper is known to carry distributed-denial-of-
service-attack (DDoS) and backdoor remote-access capabilities, 
allowing malicious users control of an infected system. Slapper only 
affects Linux installations running Red Hat, SuSE, Mandrake, 
Slackware, or Debian. It does not run on Windows or Mac. Compared 
with Code Red or Nimda, Slapper is currently rated as a low virus 
threat. 

How it works
The Slapper worm first scans for potential systems to infect using an 
invalid HTTP GET request on port 80/tcp. When a system running Apache 
is located, Slapper attempts to send code to the SSL service on port 
443/tcp. If successful, the newly infected machine compiles the code 
and begins scanning the Internet for another system to infect. 

A newly infected system will also initiate an open channel on port 
2002/udp, linking it to other infected systems, forming a DDoS 
network. Infected systems can then share updated code or information. 
A malicious user could use such a network to target a popular Web 
site. By commanding the network of infected systems to ping one 
targeted Web site repeatedly, a malicious user could deny legitimate 
users access to that site. 

According to the security company, Internet Security Systems, the 
following Linux installations are vulnerable: 


Debian Linux, Apache 1.3.26
Red Hat Linux, Apache 1.3.6
Red Hat Linux, Apache 1.3.9
Red Hat Linux, Apache 1.3.12
Red Hat Linux, Apache 1.3.19
Red Hat Linux, Apache 1.3.20
Red Hat Linux, Apache 1.3.23
SuSE Linux, Apache 1.3.12
SuSE Linux, Apache 1.3.17
SuSE Linux, Apache 1.3.19
SuSE Linux, Apache 1.3.20
SuSE Linux, Apache 1.3.23
Mandrake Linux, Apache 1.3.14
Mandrake Linux, Apache 1.3.19
Mandrake Linux, Apache 1.3.20
Mandrake Linux, Apache 1.3.23
Slackware Linux, Apache 1.3.26
Gentoo Linux (Apache version undetermined)

Infected Linux systems will have the following files: 

/temp/.bugtraq.c
/temp/.bugtraq

Prevention

CERT recommends that all systems running OpenSSL review CA-2002-23 
and VU#102795 for detailed vendor recommendations regarding patches. 
The vulnerability exploited by the Apache/mod_ssl worm has been fixed 
as of OpenSSL version 0.9.6e. Currently, the latest version of 
OpenSSL is 0.9.6g.

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
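
A host check built from the indicators the forwarded article names (the two .bugtraq files, 2002/udp, and OpenSSL 0.9.6e as the fixed version), added here as an example and not part of the original message or the article. The function names and the netstat sample are constructed; the directories to search are passed in by the caller, and trying /tmp in addition to the article's /temp is an assumption.

```shell
#!/bin/sh
# Added example: host triage from the indicators listed in the article.
# All function names are hypothetical.

# Exit 0 if an OpenSSL version string (e.g. "0.9.6d") is 0.9.6e or later.
# Handles the 0.9.x letter-suffix scheme. Assumption: any later release
# line (0.9.7, 1.x, ...) counts as fixed. Exit 2 on unparsable input.
openssl_is_fixed() {
    case $1 in [0-9]*) ;; *) return 2 ;; esac
    num=$(printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    sfx=$(printf '%s\n' "$1" | sed 's/^[0-9.]*\([a-z]\{0,1\}\).*/\1/')
    old_ifs=$IFS; IFS=.; set -- $num; IFS=$old_ifs
    if [ "${1:-0}" -gt 0 ]; then return 0; fi
    if [ "${2:-0}" -gt 9 ]; then return 0; fi
    if [ "${2:-0}" -lt 9 ]; then return 1; fi
    if [ "${3:-0}" -gt 6 ]; then return 0; fi
    if [ "${3:-0}" -lt 6 ]; then return 1; fi
    # Exactly 0.9.6: fixed from letter "e" onward.
    case $sfx in [e-z]) return 0 ;; *) return 1 ;; esac
}

# Print every worm file found in the directories given as arguments.
slapper_files() {
    for dir in "$@"; do
        for name in .bugtraq.c .bugtraq; do
            if [ -e "$dir/$name" ]; then printf '%s\n' "$dir/$name"; fi
        done
    done
    return 0
}

# Read `netstat -anu` style output on stdin; exit 0 if any UDP socket
# has local port 2002 (the worm's peer-to-peer channel).
udp_2002_bound() {
    awk '$1 ~ /^udp/ && $4 ~ /:2002$/ { hit = 1 } END { exit !hit }'
}

# Constructed sample of `netstat -anu` output (not from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address State
udp        0      0 0.0.0.0:2002    0.0.0.0:*
udp        0      0 0.0.0.0:68      0.0.0.0:*'

# Typical use on a live host:
#   openssl_is_fixed "$(openssl version | awk '{print $2}')" || echo "patch OpenSSL"
#   slapper_files /temp /tmp
#   netstat -anu | udp_2002_bound && echo "2002/udp is bound"
```

A bound 2002/udp socket on its own is only a lead, since other software can use that port; treat it as significant together with the files or an unpatched OpenSSL.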