[Techtalk] "Slapper" worm targeting Linux/Apache servers

Raven Brooke linuxchiq at linuxchiq.com
Fri Sep 20 11:39:28 EST 2002



***IMPORTANT note regarding this patch:

A *reboot* is required in order for this patch to work. Having just 
rebuilt a server that was infected by slapper after the patch was applied 
but the box not rebooted, I can testify that this is indeed the case.

Cheers,

Raven

On Fri, 20 Sep 2002, Grrliegeek wrote:

> I hadn't seen this mentioned yet on either list I'm posting it to. This is 
> going to techtalk and the Austin Linux Group. There is a worm going around 
> that's targeting apache servers using a vulnerability discovered in July 
> (which I think was patched and a new version of apache that is not vulnerable 
> is out there).
> 
> In a thread on linuxchix about security and why it's not always as up to date 
> as ideal, someone mentioned that they hadn't patched their (apache?) server 
> because they had other things they wanted to accomplish with the server 
> first. I think that due to the widespread nature of this worm, making sure 
> apache is up to snuff is of importance.
> 
> For more information:
> http://www.msnbc.com/news/808678.asp?0dm=C16KT
> http://online.securityfocus.com/news/662
> 
> From the latter url, story dated 9/16/02:
> Slapper exploits a previously-disclosed OpenSSL vulnerability, to create an 
> attack platform for distributed denial-of-service (DDoS) attacks against 
> other sites. The worm also has backdoor functionality, according to security 
> tools vendor ISS. It describes the malicious code as a variation of the much 
> less virulent Apache "Scalper" BSD worm.
> 
> The OpenSSL server vulnerability exploit exists on a wide variety of 
> platforms, but Slapper appears to work only on Linux systems running Apache 
> with the OpenSSL module (mod_ssl) on Intel architectures.
> 
> The Slapper worm was first seen on Friday the 13th. Since then it has infected 
> thousands of web servers around the world and continues to spread. By late 
> last night 6,000 servers were infected with the worm, according to AV vendors 
> F-Secure. 
> 
> Syleniel

-- 
SELECT * FROM users WHERE clue > 0
0 rows returned.
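
An added example, not part of the original message: replacing the OpenSSL library on disk does not change the copy already mapped into a running httpd, so this sketch lists processes that still map an OpenSSL or mod_ssl shared object whose file has since been replaced. The library names matched, the sample paths and the function names are assumptions made for the illustration.

```python
#!/usr/bin/env python3
"""Report processes still mapping an OpenSSL library that was replaced on disk."""
import glob
import re

# Basenames of interest: OpenSSL's shared libraries and Apache's mod_ssl.
SSL_LIB = re.compile(r"(libssl|libcrypto|mod_ssl)[^/]*\.so")
DELETED = " (deleted)"  # suffix the kernel adds once the mapped file is unlinked

# Constructed sample of /proc/<pid>/maps content (paths and inodes are made up).
SAMPLE_MAPS = """\
40017000-40045000 r-xp 00000000 03:01 12345      /usr/lib/libssl.so.0 (deleted)
40045000-40048000 rw-p 0002e000 03:01 12345      /usr/lib/libssl.so.0 (deleted)
40048000-40110000 r-xp 00000000 03:01 12346      /usr/lib/libcrypto.so.0 (deleted)
40200000-40310000 r-xp 00000000 03:01 20001      /lib/libc.so.6
40400000-40410000 rw-p 00000000 00:00 0
40500000-40510000 r-xp 00000000 03:01 30001      /tmp/scratch.so (deleted)
"""

def stale_mappings(maps_text):
    """Return sorted paths of OpenSSL-related libraries mapped but gone from disk."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        path = fields[5].strip()
        if not path.endswith(DELETED):
            continue  # file on disk is still the one that is mapped
        path = path[: -len(DELETED)]
        if SSL_LIB.search(path.rsplit("/", 1)[-1]):
            stale.add(path)
    return sorted(stale)

def scan_proc(proc_root="/proc"):
    """Map pid -> stale OpenSSL libraries for every readable process."""
    results = {}
    for maps_path in glob.glob(f"{proc_root}/[0-9]*/maps"):
        try:
            with open(maps_path) as fh:
                hits = stale_mappings(fh.read())
        except OSError:
            continue  # process exited, or not readable without root
        if hits:
            results[int(maps_path.split("/")[-2])] = hits
    return results

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(f"pid {pid} still uses old {', '.join(libs)}: restart it")
```

Run it as root so every process's maps file is readable; a binary with OpenSSL linked in statically will not show up in this check.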



