>> ... possible Linux slapper worm activity on one of our Linux servers ... <<
I had slapper A on a web server briefly. So I'll pass along what little I know.
I say briefly because a power outage had caused a server restart. When I got there to install the software updates, I had all the signs of slapper, but it wasn't running.
I found these files on the server: /tmp/.uubugtraq, /tmp/.bugtraq.c, /tmp/.bugtraq, and deleted them.
But, the command:
fuser -n udp 2002
did not find a process on the slapper A port; apparently the result of the power outage.
I now routinely use:
nmap -sU -p 1-65355 -P0 xxx.xxx.xxx.xxx
and
nmap -p 1-65355 -P0 xxx.xxx.xxx.xxx
to look for incorrectly open ports.
And I use netwatch to look at traffic in real time. What I see recently is very little UDP 2002 activity, but fairly regular UDP 1812 traffic. Netwatch also shows me that my server is not replying to these packets.
If there's a new variant, I'm not aware of it.
I hope that helps,
Cliff Kent
--
Psyche-list mailing list
Psyche-list@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/psyche-list
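The checks described in the message above, gathered into one script as an added example that is not part of the original post. It looks for the three /tmp files named there and for a socket bound to UDP 2002 by reading /proc/net/udp rather than calling fuser; the function names and the root-directory and table-path parameters are assumptions, added so the checks can also be pointed at a mounted disk image or a saved copy of the table.

```shell
#!/bin/sh
# Added example: host check for the slapper A indicators named in the post.
# Usage: slapper_status                  (live system)
#        slapper_status /mnt/image FILE  (assumed: offline root + saved udp table)

SLAPPER_FILES="/tmp/.uubugtraq /tmp/.bugtraq.c /tmp/.bugtraq"
SLAPPER_PORT=2002

# Print each indicator file from the post that exists under root $1.
slapper_files_present() {
    root="${1:-}"
    for f in $SLAPPER_FILES; do
        [ -e "$root$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Return 0 if some socket in the /proc/net/udp-format file $1 is bound to port $2.
# Only the IPv4 table is read; /proc/net/udp6 is not checked here.
udp_port_bound() {
    table="${1:-/proc/net/udp}"
    want=$(printf '%04X' "${2:-$SLAPPER_PORT}")
    # Field 2 is local_address as HEXIP:HEXPORT; line 1 is the column header.
    awk -v want="$want" '
        NR > 1 { split($2, a, ":"); if (toupper(a[2]) == want) found = 1 }
        END    { exit (found ? 0 : 1) }' "$table"
}

# Print one of: clean, files-only (leftover files but nothing listening, the
# state described in the post), port-only, active.
slapper_status() {
    root="${1:-}"
    table="${2:-/proc/net/udp}"
    files=$(slapper_files_present "$root")
    if udp_port_bound "$table" "$SLAPPER_PORT"; then bound=1; else bound=0; fi
    if [ -n "$files" ] && [ "$bound" -eq 1 ]; then echo active
    elif [ -n "$files" ]; then echo files-only
    elif [ "$bound" -eq 1 ]; then echo port-only
    else echo clean
    fi
}
```

A result of files-only matches the situation in the post: the dropped files survive a reboot, the listening process does not.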