On Wed, Sep 18, 2002 at 03:53:17PM +1000, Peter Rundle wrote:
> I have a friend whose network connection is being hammered by
> UDP inbound requests on port 2002. From what I can read this
> is the slapper worm. The machine is dropping the packets with
> iptables but the connection is flooded (DOS).

Have him contact his ISP and ask them to block udp port 2002 at their
end.

> Googled around for info, realise that the ssl has to be patched
> but nothing tells me how to test if the box is infected itself,

A recent post to bugtraq included the worm's source, which includes this
fragment:

sprintf(rcv,"/usr/bin/uudecode -o /tmp/.bugtraq.c /tmp/.uubugtraq; \
gcc -o /tmp/.bugtraq /tmp/.bugtraq.c -lcrypto;/tmp/.bugtraq \
%s; exit;\n",localip);

So have a look for a file called `/tmp/.bugtraq'.

More info available here:
http://analyzer.securityfocus.com/alerts/020913-Alert-Apache-mod_ssl-Exploit.pdf
http://analyzer.securityfocus.com/alerts/020916-Analysis-Modap.pdf

Cheers,

John
--
whois [EMAIL PROTECTED]
GPG key id: 0xD59C360F
http://kirriwa.net/john/
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
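
The check suggested in the reply above, written out as a script. This is an added example, not part of the original message: it looks for all three files the quoted fragment writes, and for a socket bound to UDP port 2002 (the port named in the question, which the worm's peer-to-peer listener uses). The function names, the root-directory argument and the use of a Linux `/proc/net/udp` style table are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a host for the Slapper artefacts named in this thread.
# Both checks take a path argument (an assumption of this example) so they can
# run against a mounted disk image or a saved copy of /proc/net/udp.
# Usage on a live host, after sourcing this file:  slapper_check "" /proc/net/udp

# Files the quoted fragment writes: uuencoded source, decoded source, binary.
SLAPPER_FILES="/tmp/.uubugtraq /tmp/.bugtraq.c /tmp/.bugtraq"

# Print each artefact found under root $1; return 0 if any exist.
slapper_files() {
    root=${1:-}
    found=1
    for f in $SLAPPER_FILES; do
        if [ -e "$root$f" ]; then
            echo "FOUND file: $root$f"
            found=0
        fi
    done
    return $found
}

# Return 0 if the /proc/net/udp-format table $1 shows a socket whose
# local port is 2002 (hex 07D2). Only the local_address column is examined.
slapper_port() {
    table=${1:-/proc/net/udp}
    [ -r "$table" ] || return 1
    awk 'NR > 1 { n = split($2, a, ":"); if (toupper(a[n]) == "07D2") hit = 1 }
         END { exit (hit ? 0 : 1) }' "$table"
}

# Run both checks; return 0 when at least one indicator is present.
slapper_check() {
    status=1
    slapper_files "$1" && status=0
    if slapper_port "$2"; then
        echo "FOUND socket bound to UDP port 2002"
        status=0
    fi
    [ $status -eq 0 ] || echo "no Slapper indicators found"
    return $status
}
```

A clean result only means these specific artefacts are absent; the binary deletes nothing else, so the mod_ssl/OpenSSL patch mentioned in the question is still required.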