  1. #1
    Member
    Join Date
    May 2002
    Posts
    161

    Scalper Worm

    chkrootkit (installed today - latest version) gives me this warning: Checking `scalper'... Warning: Possible Scalper Worm installed

    I have RH 7.3, apache 1.3.27 and 0.9.6b OpenSSL. I want to believe that I'm secure with the above software and that, even if the worm exists, the vulnerability should not exist anymore with the above versions. But maybe I'm totally wrong on this. Could you point me to some steps to confirm chkrootkit's warning?

    Another piece of information I can provide (if it's useful) is that /tmp has no strange files in it.

    Thank you.


  2. #2
    cPanel Partner NOC
    Join Date
    Nov 2001
    Location
    San Clemente, Ca
    Posts
    703

    Delete the files, /tmp/.uua or /tmp/.a if they exist.

    Shaun Reitan
    NDCHost.com - cPlicensing.net - ProVPS.com
    Contact us for your cPanel Licensing needs! We Price Match, We provide Support, We take care of our customers!

  3. #3
    cPanel Partner NOC
    Join Date
    Nov 2001
    Location
    San Clemente, Ca
    Posts
    703

    Also kill any processes that are running under those names.

    Shaun Reitan
    NDCHost.com - cPlicensing.net - ProVPS.com
    Contact us for your cPanel Licensing needs! We Price Match, We provide Support, We take care of our customers!

  4. #4
    Member
    Join Date
    May 2002
    Posts
    161

    Thanks for your reply shaun.
    There are no files with these names and no processes related to these files.

    If you have any other suggestions, I'll be glad to hear them.
    Thanks again.


  5. #5
    cPanel Partner NOC
    Join Date
    Nov 2001
    Location
    San Clemente, Ca
    Posts
    703

    Do a search on Google for scalper removal.

    Shaun Reitan
    NDCHost.com - cPlicensing.net - ProVPS.com
    Contact us for your cPanel Licensing needs! We Price Match, We provide Support, We take care of our customers!

  6. #6
    Member rpmws's Avatar
    Join Date
    Aug 2001
    Location
    back woods of NC, USA
    Posts
    1,858

    I run chkrootkit every 3 hours and this morning, for the first time, on 4 boxes:

    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 2 process hidden for readdir command
    You have 2 process hidden for ps command
    Warning: Possible LKM Trojan installed


    All 4 at the same time. Anyone else get this now all of a sudden?

    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  7. #7
    Member rpmws's Avatar
    Join Date
    Aug 2001
    Location
    back woods of NC, USA
    Posts
    1,858

    Originally posted by rpmws
    I run chkrootkit every 3 hours and this morning, for the first time, on 4 boxes:

    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 2 process hidden for readdir command
    You have 2 process hidden for ps command
    Warning: Possible LKM Trojan installed


    All 4 at the same time. Anyone else get this now all of a sudden?

    cPanel.net Support Ticket Number:
    If I run it a few more times the 465 port stays but the LKM goes away.

    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  8. #8
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509

    Which version are you running? I get your basic 'all is well' output.

    # $Id: chkrootkit, v 0.39 2003/01/30

    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... Checking `rexedcs'... not found
    Checking `sniffer'... not tested: can't exec ./ifpromisc
    Checking `wted'... not tested: can't exec ./chkwtmp
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... not tested: can't exec ./chklastlog

    The 'bindshell' msg. can be ignored. Something to do with the script itself or the way cPanel is set up -- not sure which.

    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  9. #9
    Member rpmws's Avatar
    Join Date
    Aug 2001
    Location
    back woods of NC, USA
    Posts
    1,858

    Originally posted by Website Rob
    Which version are you running? I get your basic 'all is well' output.

    # $Id: chkrootkit, v 0.39 2003/01/30

    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... Checking `rexedcs'... not found
    Checking `sniffer'... not tested: can't exec ./ifpromisc
    Checking `wted'... not tested: can't exec ./chkwtmp
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... not tested: can't exec ./chklastlog

    The 'bindshell' msg. can be ignored. Something to do with the script itself or the way cPanel is set up -- not sure which.

    cPanel.net Support Ticket Number:
    .41

    For a few days I didn't see the bindshell listed. Then it came back last night.

    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  10. #10
    Member cass's Avatar
    Join Date
    Jul 2002
    Location
    Argentina/USA/Mexico
    Posts
    354

    Read :
    http://www.foxnews.com/story/0,2933,90957,00.html

    Government Warns of Mass Hacker Attacks...


    hehe

    Carlos Ariel Sepúlveda
    CAS company :: 1997-2011, 14 Years! :: Dedicated Attitude
    http://www.cascompany.com :: Providing CPANEL/WHM Servers since 2002 !

  11. #11
    cPanel Partner NOC
    Join Date
    Nov 2001
    Location
    San Clemente, Ca
    Posts
    703

    Checking `bindshell'... INFECTED (PORTS: 465)

    Ignore that, it's picking up portsentry. That's a false positive.

    Shaun Reitan
    NDCHost.com - cPlicensing.net - ProVPS.com
    Contact us for your cPanel Licensing needs! We Price Match, We provide Support, We take care of our customers!
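
One way to check the explanation in post #11 rather than take it on trust, added here as an example and not posted by anyone in the thread: pull the flagged ports out of chkrootkit's output and name the process listening on each. The sample chkrootkit and `netstat -tlnp` lines, the PIDs, and the helper names `flagged_ports`, `port_owner` and `triage` are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of chkrootkit output, in the format quoted in this thread.
sample_chkrootkit() { cat <<'EOF'
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `scalper'... not infected
EOF
}

# Constructed sample of `netstat -tlnp` output (PIDs are made up).
sample_netstat() { cat <<'EOF'
tcp   0   0 0.0.0.0:465   0.0.0.0:*   LISTEN   1203/portsentry
tcp   0   0 0.0.0.0:80    0.0.0.0:*   LISTEN   844/httpd
EOF
}

# stdin: chkrootkit output. Prints each port from "INFECTED (PORTS: ...)" lines.
flagged_ports() {
    awk '/INFECTED \(PORTS:/ {
        sub(/.*\(PORTS:/, ""); sub(/\).*/, "")
        for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) print $i
    }'
}

# $1: port, stdin: netstat -tlnp output. Prints "PID/program" of the listener.
port_owner() {
    awk -v port="$1" '$6 == "LISTEN" {
        n = split($4, a, ":"); if (a[n] == port) print $7
    }'
}

# $1: chkrootkit output, $2: netstat output, $3: space-separated program names
# the admin expects to hold ports open (e.g. a port-scan detector).
triage() {
    printf '%s\n' "$1" | flagged_ports | while read -r port; do
        owner=$(printf '%s\n' "$2" | port_owner "$port" | head -n 1)
        if [ -z "$owner" ]; then
            echo "$port NO-LISTENER"        # nothing bound now: re-check, do not dismiss
        elif printf ' %s ' "$3" | grep -qF -- " ${owner#*/} "; then
            echo "$port EXPECTED $owner"    # still verify the binary behind the PID
        else
            echo "$port UNEXPECTED $owner"  # unknown listener: investigate
        fi
    done
}

triage "$(sample_chkrootkit)" "$(sample_netstat)" "portsentry"
```

A matching program name is only a lead: confirm the binary behind the PID (for example via `/proc/<pid>/exe`) before dismissing the alert, since a process name alone is easy to fake.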

  12. #12
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509

    Originally posted by shaun
    Checking `bindshell'... INFECTED (PORTS: 465)

    Ignore that, it's picking up portsentry. That's a false positive.

    cPanel.net Support Ticket Number:
    Is that like, when a girl says 'Yes' and she really means 'Maybe'?

    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  13. #13
    Member
    Join Date
    May 2002
    Posts
    161

    So, guys, what do you think... can we live with some (that) warning(s), or should we spend time and money to get rid of them?


  14. #14
    Member
    Join Date
    May 2002
    Posts
    161

    By accident I found out that the scalper warning is related to portsentry (or a specific configuration of it), at least in my case. And this is on a new cPanel machine. With portsentry off, I get no warnings.


  15. #15
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509

    After doing the following upgrades:

    RedHat 7.3
    WHM 7.1.0 cPanel 7.1.5-E37
    chkrootkit 4.1

    and portsentry being turned on, you can see that the following is normal output, although edited for brevity.

    Checking `lkm'... Checking `rexedcs'... not found
    Checking `sniffer'... not tested: can't exec ./ifpromisc
    Checking `wted'... not tested: can't exec ./chkwtmp
    Checking `w55808'... not infected
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... not tested: can't exec ./chklastlog

    And it is not much different from the post above, when I was running WHM 6.4.x and chkrootkit v0.39.

    Not sure why yours would show different unless you're running FreeBSD or perhaps something to do with your server setup.

    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/
