  1. #1
    Member
    Join Date
    Jul 2002
    Posts
    214

    Possible Slapper Worm found

    Hi there,

    After running chkrootkit today, I found this in the report:
    "Checking `slapper'... Warning: Possible Slapper Worm installed "

    I have checked for the worm files within /tmp and did not find any. I have also followed the removal instructions provided here: http://bvlive01.iss.net/issEn/delive...sp?oid=21184. That did not help either; chkrootkit still reports Slapper.

    I have also rebuilt Apache and restarted the box. That did not help.

    Please help - any input will be appreciated.

    Regards,
    cretu

  2. #2
    Member
    Join Date
    Aug 2003
    Posts
    68

    Re: Possible Slapper Worm found

    I am no expert, but I will try to help. I have had this a couple of times.

    First, make sure you have the latest chkrootkit (0.43)

    Then run it, 2, 3, maybe 4 times in a row.

    Usually, this will make the warning go away.

    Then, run ./scripts/findtrojans

    This will make sure no trojans got installed with Slapper.

    (This program will list several "possible" trojans, but look for any suspicious files; there are topics in this forum that will tell you what to look for.)

    I'm sure some of the pros have some more ideas, but this has worked for me in the past.

    Also, make sure you patch your box to prevent this from happening again.

    Tim




    Originally posted by cretu
    Hi there,

    After running chkrootkit today, I found this in the report:
    "Checking `slapper'... Warning: Possible Slapper Worm installed "

    I have checked for the worm files within /tmp and did not find any. I have also followed the removal instructions provided here: http://bvlive01.iss.net/issEn/delive...sp?oid=21184. That did not help either; chkrootkit still reports Slapper.

    I have also rebuilt Apache and restarted the box. That did not help.

    Please help - any input will be appreciated.

    Regards,
    cretu

  3. #3
    Member
    Join Date
    Jul 2002
    Posts
    214

    Hi there,

    I have managed to find the account of the user who installed this worm, so I have terminated him.

    However, I have found Slapper again on another box, and also found the binary for it in the account of a user who is very trustworthy. Anyway, I have terminated him as well.

    Question: I have secured the /tmp directory on each box, making it non-executable, yet I still found that the last Slapper was running from /tmp as "http" (the file was actually called that). Also, I have PHP open_basedir protection enabled...
    What other measures should I take against such attacks and possible worms?

    Regards,
    Cretu

  4. #4
    Member webolocity
    Join Date
    Jul 2003
    Posts
    82

    Slapper

    How did you find the binary? How did you make sure the system was clean?

    Thanks
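
One way to check the two things this thread turns on, whether /tmp is really mounted noexec and which running processes have their binary under /tmp. This is an added example, not part of any post and not taken from chkrootkit; the function names are made up here, and the mounts file and proc directory are passed as arguments so the checks can also be run against copies collected from another host.

```shell
#!/bin/sh
# Added example: read-only audit of /tmp hardening on a Linux host.
# Function names are hypothetical; nothing here modifies the system.

# Print the mount options in effect for a mount point (default /tmp).
# Prints nothing if the path is not a separate mount. When a mount point
# appears more than once, the last entry is the one in effect.
tmp_mount_opts() {
    mounts=${1:-/proc/mounts}; mp=${2:-/tmp}
    awk -v mp="$mp" '$2 == mp { opts = $4 } END { if (opts != "") print opts }' "$mounts"
}

# Return 0 if the mount point carries the noexec option, 1 otherwise
# (including the case where it is not a separate mount at all).
tmp_is_noexec() {
    case ",$(tmp_mount_opts "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "PID<TAB>exe" for each process whose binary lives under a directory
# (default /tmp). A binary removed after start still shows up, with
# " (deleted)" appended to its path. Run as root to see all processes.
procs_running_from() {
    proc=${1:-/proc}; dir=${2:-/tmp}
    for p in "$proc"/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$dir"/*) printf '%s\t%s\n' "${p##*/}" "$exe" ;;
        esac
    done
}

# Live check on the local host.
if tmp_is_noexec; then echo "/tmp: noexec set"; else echo "/tmp: noexec NOT set"; fi
procs_running_from
```

noexec does not stop an interpreter from reading a script stored in /tmp, and such a process reports the interpreter as its exe, so it will not appear in this listing.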

