Drake

Well-Known Member
Nov 9, 2001
83
0
306
New Jersey
cPanel Access Level
DataCenter Provider
Hello All,

I have just received a security from watchguard.com regarding Linux Slapper Worm Virus, targeting Linux boxes, ssl port.

Below, is a copy of the notice I had received.

Nick, and staff... Please let us know what you think about this.

Thanks,
Drake P.
duraserver.net
*******
Sent: Mon Sep 16 15:38:32 2002
Subject: LiveSecurity | Virus Alert: Slapper targets Linux Apache servers

VIRUS ALERT

SLAPPER:
LINUX WORM SLAPS APACHE WEB ADMINS

DATE:
September 16, 2002


Some URLs in the article below may wrap to a second line. When that
occurs, clicking on them does not work. To follow a multi-line link,
please copy and paste its parts into your browser's address window
to reassemble it into a working URL. For an easier-to-read HTML
version of this article with live links, go to:
https://www3.watchguard.com/archive/showhtml.asp?pack=135184

---------------------------------------------------------------

ABOUT THE VIRUS

Discovered September 13, Slapper is a new Linux-based worm that
takes advantage of past OpenSSL vulnerabilities described in our
July 30 Information Alert
&https://www3.watchguard.com/archive/showhtml.asp?pack=135151&.
Slapper is not your normal e-mail-based worm. Rather, it targets
Linux Apache servers, the most popular Web servers on the Internet,
and creates what could best be described as a peer-to-peer network
of zombie servers that the virus author can use in Distributed
Denial of Service (DDoS) attacks.

Slapper had already infected over 3500 servers when Symantec posted
this advisory:
&http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm
.html&.
A report from F-Secure
&http://www.internetwk.com/security02/INW20020916S0001&
updated Monday morning stated 11,200 systems had been infected,
indicating that the worm is spreading rapidly. An advisory
&http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21130&
from Internet Security Systems (ISS) reports that the DDoS features
of the worm have already been used to attack and disable high-
profile targets.

Slapper begins its attack looking for Web servers by scanning ranges
of IP addresses on TCP port 80. When it finds a Web server, the worm
sends a purposely invalid HTTP GET request, hoping that the Web
server will reply with an error message. The error message tells
Slapper whether or not it has found a susceptible Apache server.

When Slapper finds a vulnerable server, it then sends a specially-
crafted, overly-long string to the server on the SSL port (TCP 443).
If you have not patched your server for the OpenSSL vulnerability,
Slapper gains root access using this exploit. Then it copies itself
to your machine as source code (/tmp/.bugtraq.c), and compiles
itself locally (/tmp/.bugtraq). Uploading itself as source rather
than as an executable helps the worm ensure stability regardless of
which flavor of Linux it encounters. Once Slapper has infected your
server, it starts scanning for more vulnerable servers on the
Internet and repeats the infection process.

Besides spreading itself, Slapper also installs something like a
peer-to-peer service on your server, listening on UDP port 2002. The
virus author can send commands to this port to do the following:

* Execute code on your server
* Execute both TCP and TCP IPv6 flood attacks
* Execute UDP flood attacks
* Execute DNS flood attacks
* Search your machine for all its stored e-mail addresses
* Send messages to other zombie machines in Slapper's peer-to-
peer network

In short, once Slapper has infected your machine the virus author
gains total control and can use your server in DDoS attacks.


WHAT YOU CAN DO

This is not an email-borne worm. Slapper only attacks Linux-based,
Apache Web servers. If you use a Linux Apache server and followed
the advice in our July 30 Information Alert
&https://www3.watchguard.com/archive/showhtml.asp?pack=135151&,
you're not vulnerable to Slapper infection. Otherwise, upgrade to
the latest version of OpenSSL immediately.

Administrators can also mitigate the chance of infection by
disabling Apache's SSL features if not used. Refer to the directions
in the &Recommendations& section of ISS's advisory for details
&http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21130&..

Finally, most anti-virus vendors have released engine updates to
detect Slapper. Administrators should contact their anti-virus
vendor for the latest virus definitions.


-- Suggestions for SOHO and Firebox users

Slapper infects using normal Web and Secure Web traffic. If you have
a secure Web server, you must allow this traffic for clients to
access your Web site. Therefore, the solutions above are your
primary recourse. However, both the SOHO and Firebox deny incoming
UDP port 2002 by default. As long as you have not added a custom
service allowing this port, an attacker cannot use your Web server
in a DDoS attack based on a Slapper infection.


-- Suggestions for ServerLock and AppsLock/Web users

Currently, Slapper only works on Linux machines, and thus would not
affect servers protected by ServerLock. However, Slapper is a
variant of a previous worm and, like most Linux applications, is
easily modified. If a variant of Slapper emerges which works on
Solaris or Windows machines, we will alert you. In any case,
ServerLock prevents your critical files from being damaged by
Slapper or any other worm. ##


Credits: this alert researched and written by Corey Nachreiner.
 

itf

Well-Known Member
May 9, 2002
624
0
316
[b:e154550f93]Attention: You are not vulnerable if..[/b:e154550f93]

you use these builds

Red Hat 6.2 : OpenSSL 0.9.5a-29
Red Hat 7 : OpenSSL 0.9.6-13
Red Hat 7.1 : OpenSSL 0.9.6-13
Red Hat 7.2 : OpenSSL 0.9.6b-28
Red Hat 7.3 : OpenSSL 0.9.6b-28

Don't be confused, Red Hat has applied security patches to above releases and they are not vulnerable like OpenSSL 0.9.6e

The security issues which were fixed are:
CAN-2002-0655
CAN-2002-0656
CAN-2002-0657
CAN-2002-0659
(and all previous security issues)

Red Hat hasn't provided OpenSSL 0.9.6e RPM package as of yet (date of this post)

I used that worm and tried to exploit (in a test environment) also tried DoS attack but it is impossible if you have those builds.
 

sketchified

Active Member
Sep 23, 2001
27
0
301
itf, where did you get your information? I'm not questioning it, just curious as I haven't been able to confirm this. Thanks.
 

haze

Well-Known Member
Dec 21, 2001
1,550
3
318
Nick already confirmed in another thread that it had been taken care of. If you use the use upcp command or have updates anabled with with all the update features ticked manuall or auto then you are fine.
 

itf

Well-Known Member
May 9, 2002
624
0
316
[quote:acab64d24b][i:acab64d24b]Originally posted by sketchified[/i:acab64d24b]

itf, where did you get your information? I'm not questioning it, just curious as I haven't been able to confirm this. Thanks.[/quote:acab64d24b]
It is an irrelevant question to Cpanel, but I can confirm like this issues due to my job (click on Profile button please)

and about that security alert if you have security updates enabled in WHM you shouldn't have to worry about this.

read this thread for more information (I discussed there):

http://forums.cpanel.net/read.php?TID=4602