[Dshield] Linux.slapper variant
RShady at stny.rr.com
Tue Sep 24 15:17:06 GMT 2002
This is what Symantec has to say about "Slapper" in its newsletter:
13th Sep 2002
Red-Hat: Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23
SuSE: Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23
Mandrake: Apache 1.3.14, 1.3.19, 1.3.20, 1.3.23
Slackware: Apache 1.3.26
Debian: Apache 1.3.26
*The Symantec DeepSight Threat Analyst Team has learned of the existence
of a new exploit for the OpenSSL SSLv2 Malformed Client Key Remote
Buffer Overflow vulnerability, targeting Apache Web servers hosted on
various Linux platforms.
This also includes a number of peer-to-peer capabilities, which allow it
to communicate with other clients, and participate in a Distributed
Denial of Service (DDoS) network. To perform these activities, the
exploit code listens on UDP port 2002.
The exploit further exhibits worm behavior in that indications are that,
once it is setup, it scans and attempts to propagate by infecting other
vulnerable systems. It is confirmed through various sources that this
worm is in the wild and actively attacking other servers. Over 3500 IP
addresses have been recorded as being the source of scanning and
associated activity, according to DeepSight Threat Management System
data and other sources.
The exploit code analysed by the Symantec DeepSight Threat Analyst Team
targets the Apache Web server on a number of Linux operating system
distributions, including versions of RedHat, Slackware, Debian, SuSE,
and Mandrake. By sending a malformed client key, the exploit opens a
shell on the client machine, which is then used to upload the exploit
source code in a uuencoded format. Using the same shell, it then
uudecodes and compiles the source and runs it with an IP address as a
parameter. Once certain pre-conditions are met, the exploit appears to
scan and target vulnerable machines.
*The worm can be killed using the Unix "kill" command, using the process
id of the ".bugtraq" process. The following three files can also be removed:
Only the "/tmp/.bugtraq" file contains an executable binary of the worm.
There do not appear to be any instructions allowing the worm to
restart in the event of a system reset.
NOTE: If you suspect that a system has been compromised, isolate the
infected system(s) quickly to prevent further compromise of enterprise
systems. Perform forensic analysis and restore the system from trusted
*Symantec would like to thank Fernado Nunes for providing a copy of
exploit code for analysis.
David Kennedy CISSP wrote:
>At 08:11 AM 9/24/02 +0200, Jesper Langkjær wrote:
>>Last night I was attacked with what seems to be a variant of the
>There are, at least, two newer variants.
>The best technical description I've seen so far is:
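As an added example, not part of the original post or of Symantec's text, here is a small host triage script built only from the indicators the newsletter names: a running process called ".bugtraq", the dropped binary /tmp/.bugtraq, and a socket on UDP port 2002. The checks take their input as text (or a root directory), so they run against the constructed sample output embedded below as well as live "ps" and "netstat"/"ss" output; function names and the sample data are my own, and the script prints the kill/rm commands instead of running them so the forensic copy the note above asks for can be taken first.

```shell
#!/bin/sh
# Slapper host triage (added example). Indicators come from the Symantec
# text: a ".bugtraq" process, the file /tmp/.bugtraq, UDP port 2002.
# Nothing is killed or deleted here; the clean-up is printed for review.

# PIDs whose command name is ".bugtraq", from "ps -eo pid,comm" style text.
slapper_pids() {
    printf '%s\n' "$1" | awk '$2 == ".bugtraq" { print $1 }'
}

# Local addresses bound to UDP port 2002, from "netstat -uan" or "ss -uan"
# style text (both start UDP lines with "udp"; the local address is the
# first field ending in ":2002", which excludes the "0.0.0.0:*" peer).
slapper_udp_2002() {
    printf '%s\n' "$1" | awk '$1 ~ /^udp/ {
        for (i = 1; i <= NF; i++) if ($i ~ /:2002$/) { print $i; break }
    }'
}

# The dropped binary, looked up under an optional root directory so the
# check can be exercised on a scratch tree instead of the real /tmp.
slapper_files() {
    root="${1:-}"
    f="$root/tmp/.bugtraq"
    [ -e "$f" ] && printf '%s\n' "$f"
    return 0
}

# Proposed clean-up (the kill and rm steps from the newsletter), emitted as
# commands for an analyst to review after evidence has been preserved.
remediation_plan() {
    for pid in $(slapper_pids "$1"); do printf 'kill %s\n' "$pid"; done
    for f in $(slapper_files "$2"); do printf 'rm -f %s\n' "$f"; done
}

# Constructed sample output (hypothetical, not captured from a real host).
SAMPLE_PS='PID COMMAND
1 init
742 httpd
1234 .bugtraq
1240 sshd'

SAMPLE_NET='Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:2002 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*'

# "--live" inspects this host (procps ps; netstat with ss as fallback);
# without it the script demonstrates the checks on the samples above.
if [ "${1:-}" = "--live" ]; then
    PS_OUT=$(ps -eo pid,comm)
    NET_OUT=$(netstat -uan 2>/dev/null || ss -uan 2>/dev/null)
else
    PS_OUT=$SAMPLE_PS
    NET_OUT=$SAMPLE_NET
fi
ROOT=""

echo "== .bugtraq processes ==";     slapper_pids "$PS_OUT"
echo "== UDP port 2002 sockets ==";  slapper_udp_2002 "$NET_OUT"
echo "== dropped files ==";          slapper_files "$ROOT"
echo "== proposed remediation ==";   remediation_plan "$PS_OUT" "$ROOT"
```

On the sample data the script lists PID 1234 and the 0.0.0.0:2002 socket and proposes "kill 1234"; a hit on the real host should trigger the isolation and forensic steps first, since the text notes the worm has no persistence across a reboot but the box was still reachable through the OpenSSL hole that let it in.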