
Linux SLAPPER Worm Virus

Discussion in 'General Discussion' started by Drake, Sep 17, 2002.

  1. Drake

    Hello All,

    I have just received a security alert regarding the Linux Slapper Worm Virus, which targets Linux boxes on the SSL port.

    Below, is a copy of the notice I had received.

    Nick, and staff... Please let us know what you think about this.

    Drake P.
    Sent: Mon Sep 16 15:38:32 2002
    Subject: LiveSecurity | Virus Alert: Slapper targets Linux Apache servers



    September 16, 2002

    Some URLs in the article below may wrap to a second line. When that
    occurs, clicking on them does not work. To follow a multi-line link,
    please copy and paste its parts into your browser's address window
    to reassemble it into a working URL. For an easier-to-read HTML
    version of this article with live links, go to:



    Discovered September 13, Slapper is a new Linux-based worm that
    takes advantage of past OpenSSL vulnerabilities described in our
    July 30 Information Alert.

    Slapper is not your normal e-mail-based worm. Rather, it targets
    Linux Apache servers, the most popular Web servers on the Internet,
    and creates what could best be described as a peer-to-peer network
    of zombie servers that the virus author can use in Distributed
    Denial of Service (DDoS) attacks.

    Slapper had already infected over 3500 servers when Symantec posted
    this advisory. A report from F-Secure
    updated Monday morning stated 11,200 systems had been infected,
    indicating that the worm is spreading rapidly. An advisory
    from Internet Security Systems (ISS) reports that the DDoS features
    of the worm have already been used to attack and disable
    high-profile targets.

    Slapper begins its attack looking for Web servers by scanning ranges
    of IP addresses on TCP port 80. When it finds a Web server, the worm
    sends a purposely invalid HTTP GET request, hoping that the Web
    server will reply with an error message. The error message tells
    Slapper whether or not it has found a susceptible Apache server.

    When Slapper finds a vulnerable server, it then sends a
    specially-crafted, overly-long string to the server on the SSL port (TCP 443).
    If you have not patched your server for the OpenSSL vulnerability,
    Slapper gains root access using this exploit. Then it copies itself
    to your machine as source code (/tmp/.bugtraq.c), and compiles
    itself locally (/tmp/.bugtraq). Uploading itself as source rather
    than as an executable helps the worm ensure stability regardless of
    which flavor of Linux it encounters. Once Slapper has infected your
    server, it starts scanning for more vulnerable servers on the
    Internet and repeats the infection process.

    Besides spreading itself, Slapper also installs something like a
    peer-to-peer service on your server, listening on UDP port 2002. The
    virus author can send commands to this port to do the following:

    * Execute code on your server
    * Execute both TCP and TCP IPv6 flood attacks
    * Execute UDP flood attacks
    * Execute DNS flood attacks
    * Search your machine for all its stored e-mail addresses
    * Send messages to other zombie machines in Slapper's
    peer-to-peer network

    In short, once Slapper has infected your machine the virus author
    gains total control and can use your server in DDoS attacks.


    This is not an email-borne worm. Slapper only attacks Linux-based,
    Apache Web servers. If you use a Linux Apache server and followed
    the advice in our July 30 Information Alert,
    you're not vulnerable to Slapper infection. Otherwise, upgrade to
    the latest version of OpenSSL immediately.

    Administrators can also mitigate the chance of infection by
    disabling Apache's SSL features if not used. Refer to the directions
    in the "Recommendations" section of ISS's advisory for details.

    Finally, most anti-virus vendors have released engine updates to
    detect Slapper. Administrators should contact their anti-virus
    vendor for the latest virus definitions.

    -- Suggestions for SOHO and Firebox users

    Slapper infects using normal Web and Secure Web traffic. If you have
    a secure Web server, you must allow this traffic for clients to
    access your Web site. Therefore, the solutions above are your
    primary recourse. However, both the SOHO and Firebox deny incoming
    UDP port 2002 by default. As long as you have not added a custom
    service allowing this port, an attacker cannot use your Web server
    in a DDoS attack based on a Slapper infection.

    -- Suggestions for ServerLock and AppsLock/Web users

    Currently, Slapper only works on Linux machines, and thus would not
    affect servers protected by ServerLock. However, Slapper is a
    variant of a previous worm and, like most Linux applications, is
    easily modified. If a variant of Slapper emerges which works on
    Solaris or Windows machines, we will alert you. In any case,
    ServerLock prevents your critical files from being damaged by
    Slapper or any other worm.

    Credits: this alert researched and written by Corey Nachreiner.
  2. itf

    Attention: You are not vulnerable if you use these builds:

    Red Hat 6.2 : OpenSSL 0.9.5a-29
    Red Hat 7 : OpenSSL 0.9.6-13
    Red Hat 7.1 : OpenSSL 0.9.6-13
    Red Hat 7.2 : OpenSSL 0.9.6b-28
    Red Hat 7.3 : OpenSSL 0.9.6b-28

    Don't be confused: Red Hat has applied security patches to the above releases, and they are not vulnerable, like OpenSSL 0.9.6e.

    The security issues which were fixed are:
    (and all previous security issues)

    Red Hat hasn't provided an OpenSSL 0.9.6e RPM package as of yet (date of this post).

    I used that worm and tried to exploit it (in a test environment); I also tried a DoS attack, but it is impossible if you have those builds.
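As an added defender-side check (example code written for this page, not from the WatchGuard alert, Red Hat or cPanel), the script below ties together the two posts above: it looks for the indicators the quoted alert names on an infected host (the /tmp/.bugtraq.c source, the compiled /tmp/.bugtraq binary, and a listener on UDP port 2002) and compares the installed openssl package against the Red Hat builds itf lists as patched. The netstat output is constructed, the version comparison is a small reimplementation of rpm's digit/letter segment rule rather than a call into rpm itself, and the patched-build table simply encodes itf's list as posted.

```python
"""Host triage for the Slapper indicators named in this thread.
Constructed example for this page; not code from the alert, Red Hat or cPanel."""
import os
import re

# Files the quoted alert says the worm drops: the uploaded source and the
# binary it compiles locally.
SLAPPER_FILES = ("/tmp/.bugtraq.c", "/tmp/.bugtraq")
# UDP port the alert says the worm's peer-to-peer control channel listens on.
SLAPPER_UDP_PORT = 2002

# Red Hat OpenSSL builds itf's post lists as already patched, as
# "version-release" strings keyed by Red Hat release (taken from the post).
PATCHED_BUILDS = {
    "6.2": "0.9.5a-29",
    "7": "0.9.6-13",
    "7.1": "0.9.6-13",
    "7.2": "0.9.6b-28",
    "7.3": "0.9.6b-28",
}


def find_dropped_files(exists=os.path.exists):
    """Return the Slapper file indicators present on this host.
    `exists` is injectable so the check can run against a constructed
    file set; by default it consults the real filesystem."""
    return [path for path in SLAPPER_FILES if exists(path)]


def udp_listeners(netstat_text):
    """Extract local UDP ports from `netstat -anu`-style output.
    Only the column layout is relied on (protocol first, local address
    fourth), so header lines and TCP rows are skipped."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("udp"):
            port = fields[3].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def rpm_vercmp(a, b):
    """Compare two RPM version (or release) strings the way rpm does:
    split into digit and letter runs, compare digit runs numerically and
    letter runs lexically, and rank a digit run above a letter run.
    Returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def openssl_patched(rh_release, installed):
    """True if the installed openssl package ("version-release", as printed by
    rpm -q --queryformat '%{VERSION}-%{RELEASE}' openssl) is at or above the
    build itf lists for that Red Hat release."""
    wanted = PATCHED_BUILDS[rh_release]
    iv, ir = installed.split("-", 1)
    wv, wr = wanted.split("-", 1)
    by_version = rpm_vercmp(iv, wv)
    if by_version != 0:
        return by_version > 0
    return rpm_vercmp(ir, wr) >= 0


def triage(rh_release, installed_openssl, netstat_text, exists=os.path.exists):
    """Run all three checks and return human-readable findings (empty = clean)."""
    findings = []
    for path in find_dropped_files(exists):
        findings.append(f"Slapper artifact present: {path}")
    if SLAPPER_UDP_PORT in udp_listeners(netstat_text):
        findings.append(f"UDP {SLAPPER_UDP_PORT} listener found (Slapper control port)")
    if not openssl_patched(rh_release, installed_openssl):
        findings.append(
            f"openssl {installed_openssl} is below the patched build "
            f"{PATCHED_BUILDS[rh_release]} for Red Hat {rh_release}"
        )
    return findings


# Constructed netstat output: one suspicious UDP listener among normal sockets.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:2002            0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    # In practice the release comes from /etc/redhat-release and the package
    # string from rpm -q; both are constructed here for an offline run.
    for finding in triage("7.3", "0.9.6b-27", NETSTAT_SAMPLE):
        print(finding)
```

On a live box you would feed `triage()` the real `netstat -anu` output and the real `rpm -q` string; the file check then runs against the actual filesystem because `exists` defaults to `os.path.exists`.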
  3. sketchified

    itf, where did you get your information? I'm not questioning it, just curious as I haven't been able to confirm this. Thanks.
  4. haze

    Nick already confirmed in another thread that it had been taken care of. If you use the upcp command, or have updates enabled with all the update features ticked (manual or auto), then you are fine.
  5. itf

    Originally posted by sketchified:
    "itf, where did you get your information? I'm not questioning it, just curious as I haven't been able to confirm this. Thanks."
    It is an irrelevant question for cPanel, but I can confirm issues like this due to my job (click on the Profile button, please).

    And about that security alert: if you have security updates enabled in WHM, you shouldn't have to worry about this.

    Read this thread for more information (I discussed it there):
