Re: slapper worm

2006-01-24 Thread Peter J. Holzer
On 2006-01-24 08:46:24 +1000, Michael Mansour wrote: More generally, I read advice somewhere that mounting /tmp with the noexec option (and making any other temp directories symbolic links to that one) can make this type of attack much more difficult. This doesn't really prevent execution

Re: slapper worm

2006-01-24 Thread Michael Mansour
Hi Peter, On 2006-01-24 08:46:24 +1000, Michael Mansour wrote: More generally, I read advice somewhere that mounting /tmp with the noexec option (and making any other temp directories symbolic links to that one) can make this type of attack much more difficult. This doesn't really

Re: slapper worm

2006-01-24 Thread Peter J. Holzer
On 2006-01-24 22:13:26 +1000, Michael Mansour wrote: Hi Peter, On 2006-01-24 08:46:24 +1000, Michael Mansour wrote: Definitely noted as one of the measures to stop this type of attack, but for this particular server, /tmp is not a mounted filesystem but part of /, so I can't

Re: slapper worm

2006-01-24 Thread Jason Edgecombe
Michael Mansour wrote: Hi Marc, On Tue, 2006-01-24 at 08:42 +1000, Michael Mansour wrote: No I'm not sure. Reading through the link above, it does seem that you've hit the nail on the head with this one. I have two other FC1 machines and they weren't affected by Slapper (even when

Re: slapper worm

2006-01-24 Thread James Kosin
Jesse Keating wrote: On Mon, 2006-01-23 at 17:11 -0500, James Kosin wrote: My version takes care of the mod_ssl issue he already disabled. FC1 doesn't have a fix or if so it hasn't gone through QA yet. Do you have a CVE for the ssl issue? I'd

Re: slapper worm

2006-01-24 Thread Mike McCarty
James Kosin wrote: Jesse Keating wrote: On Mon, 2006-01-23 at 17:11 -0500, James Kosin wrote: My version takes care of the mod_ssl issue he already disabled. FC1 doesn't have a fix or if so it hasn't gone through QA yet. Do you have a CVE

Re: slapper worm

2006-01-24 Thread Mike Klinke
On Tuesday 24 January 2006 13:08, Mike McCarty wrote: I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been stamped out years ago? Read the link I posted yesterday,

Re: slapper worm

2006-01-24 Thread G. Roderick Singleton
On Tue, 2006-01-24 at 13:20 -0600, Mike Klinke wrote: On Tuesday 24 January 2006 13:08, Mike McCarty wrote: I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been

Re: slapper worm

2006-01-24 Thread Mike McCarty
Mike McCarty wrote: Gene Heskett wrote: On Tuesday 24 January 2006 14:20, Mike Klinke wrote: On Tuesday 24 January 2006 13:08, Mike McCarty wrote: I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and

Re: slapper worm

2006-01-24 Thread James Kosin
Mike McCarty wrote: --snip-- $ ps -A | grep pache $ ps -A | grep ssl doesn't show anything, so Apache isn't running, and I guess SSL isn't either. Mike Mike, ps -A | grep httpd /* Apache is only the name of the server

Re: slapper worm

2006-01-24 Thread Michael Mansour
Hi Mike, You should do a netstat -na | grep SYN, if you see a lot of those then slapper is there DOS attacking people. $ netstat -na | grep SYN $ Thanks for the advice. But, as I am behind a stealth firewall, I feel relatively secured against *this* type of attack. Umm, what does

Re: slapper worm

2006-01-24 Thread Mike Klinke
On Tuesday 24 January 2006 14:00, Gene Heskett wrote: If this file mentioned on the site doesn't exist on any of my systems, is it safe to assume relative safety against this attack? As Michael Mansour discovered, he had this file on only one of three FC1 machines after he installed Drupal,

Fedora Legacy Test Update Notification: gaim

2006-01-24 Thread Marc Deslauriers
- Fedora Legacy Test Update Notification FEDORALEGACY-2005-158543 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158543 2006-01-24 - Name:

Re: slapper worm

2006-01-24 Thread kles koe
that's a coincidence... just today when i checked the apache server-status page i notice that some host was scanning several sites randomly trying to find a xmlrpc.php in different apparently pre defined locations. i was aware of the xmlrpc bug in pear and already checked if it was on my

Re: slapper worm

2006-01-24 Thread Gene Heskett
On Tuesday 24 January 2006 15:18, Mike McCarty wrote: Gene Heskett wrote: On Tuesday 24 January 2006 14:20, Mike Klinke wrote: On Tuesday 24 January 2006 13:08, Mike McCarty wrote: I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why

Re: slapper worm

2006-01-24 Thread Gene Heskett
On Tuesday 24 January 2006 15:29, Mike McCarty wrote: Mike McCarty wrote: Gene Heskett wrote: On Tuesday 24 January 2006 14:20, Mike Klinke wrote: On Tuesday 24 January 2006 13:08, Mike McCarty wrote: I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper