[Dshield] Linux.slapper variant

Roger RShady at stny.rr.com
Tue Sep 24 15:17:06 GMT 2002

This is what Symantec has to say about "Slapper" in its newsletter:
*Apache_mod_ssl Worm


13th Sep 2002   



*Platforms Affected
*Components Affected*
Red-Hat: Apache 1.3.6, 1 3 9, 1.3.12, 1.3.19, 1.3 20, 1.3 22, 1.3 23, 
1.3.26 .
SuSe: Apache 1.3.12, 1.3 17, 1.3 19, 1.3.20, 1.3 23 .
Mandrake: Apache 1.3 14, 1.3.19, 1.3.20, 1.3 23 .
Slackware: Apache 1.3 26 .
Debian: Apache 1.3.26
*The Symantec DeepSight Threat Analyst Team has learned of the existence 
of a new exploit for the OpenSSL SSLv2 Malformed Client Key Remote 
Buffer Overflow vulnerability, targeting Apache Web servers hosted on 
various Linux platforms.

This also includes a number of peer-to-peer capabilities, which allow it 
to communicate with other clients, and participate in a Distributed 
Denial of Service (DDoS) network. To perform these activities, the 
exploit code listens on UDP port 2002.

The exploit further exhibits worm behavior in that indications are that, 
once it is setup, it scans and attempts to propagate by infecting other 
vulnerable systems. It is confirmed through various sources that this 
worm is in the wild and actively attacking other servers. Over 3500 IP 
addresses have been recorded as being the source of scanning and 
associated activity, according to DeepSight Threat Management System 
data and other sources.
The exploit code analysed by the Symantec DeepSight Threat Analyst Team 
targets the Apache Web server on a number of Linux operating system 
distributions, including versions of RedHat, Slackware, Debian, SuSE, 
and Mandrake. By sending a malformed client key, the exploit opens a 
shell on the client machine, which is then used to upload the exploit 
source code in a uuencoded format. Using the same shell, it then 
uudecodes and compiles the source and runs it with an IP address as a 
parameter. Once certain pre-conditions are met, the exploit appears to 
scan and target vulnerable machines.
*The worm can be killed using the Unix "kill" command, using the process 
id of the ".bugtraq process". The following three files can also be removed:


Only the "/tmp/.bugtraq" file contains an executable binary of the worm. 
There does not appear to be any instructions allowing the worm to 
restart in the event of a system reset.

NOTE: If you suspect that a system has been compromised, isolate the 
infected system(s) quickly to prevent further compromise of enterprise 
systems. Perform forensic analysis and restore the system from trusted 
*Symantec would like to thank Fernado Nunes for providing a copy of 
exploit code for analysis

David Kennedy CISSP wrote:

>At 08:11 AM 9/24/02 +0200, Jesper Langkjær wrote:
>>Last night I was attacked with what seems to be a variant of the
>There are, at least, two newer variants.
>The best technical description I've see so far is:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.dshield.org/pipermail/list/attachments/20020924/4cf4725b/attachment.htm

More information about the list mailing list