On Wed, 18 Sep 2002, Tim White wrote:

> To quote from the CERT advisory CA-2002-27
> http://www.cert.org/advisories/CA-2002-27.html:
>
> "Identifying infected hosts
>
> Reports indicate that the Apache/mod_ssl worm's source code is placed
> in /tmp/.bugtraq.c on infected systems. It is compiled with gcc,
> resulting in the executable binary being stored at /tmp/.bugtraq;
> therefore, presence of any of the following files on Linux systems
> running Apache with OpenSSL is indicative of compromise.
>
> /tmp/.bugtraq.c
> /tmp/.bugtraq

I have found it on one of my sites as /tmp/.uubugtraq, which I assume is
the distributed form. This box did not have the sharutils rpm so did not
have uudecode, and consequently the attack was not able to extract the
/tmp/.bugtraq.c source.

The latest RH rpm I can find is openssl-0.9.6b. Is this the correct one to
upgrade to, or is there a later rpm somewhere?

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"Flatter government, not fatter government." - me
Get rid of the Australian states.

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
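
Added example, not part of the original post or the CERT advisory: a small shell check that looks for the three file names mentioned in this thread and reports how far the drop got (encoded only, source extracted, or binary built). The stage labels, the function names, the ROOT argument and the /usr/bin/uudecode path are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). File names are the ones named in
# the thread; stage labels, function names and the ROOT argument are assumptions.

# present PATH: true if PATH exists, including a dangling symlink.
present() { [ -e "$1" ] || [ -L "$1" ]; }

# bugtraq_stage ROOT: print the furthest stage reached under ROOT/tmp.
# ROOT is "" for the live system or the mount point of an offline image.
bugtraq_stage() {
    tmp="${1%/}/tmp"
    if present "$tmp/.bugtraq"; then echo "binary-built"
    elif present "$tmp/.bugtraq.c"; then echo "source-extracted"
    elif present "$tmp/.uubugtraq"; then echo "encoded-only"
    else echo "none-found"
    fi
}

# bugtraq_report ROOT: list each artifact found with owner, size and mtime,
# then note whether uudecode exists (assumed path: /usr/bin/uudecode).
bugtraq_report() {
    root="${1%/}"
    for f in .uubugtraq .bugtraq.c .bugtraq; do
        if present "$root/tmp/$f"; then ls -ld "$root/tmp/$f"; fi
    done
    if [ -x "$root/usr/bin/uudecode" ]; then
        echo "uudecode: present"
    else
        echo "uudecode: absent at /usr/bin/uudecode"
    fi
    echo "stage: $(bugtraq_stage "$root")"
}

# Scan the live system by default, or the root given as the first argument.
bugtraq_report "${1:-}"
```

A result of "none-found" only means these three names are absent under /tmp; it says nothing about whether the OpenSSL package still needs upgrading.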
