Possible Slapper Worm found

cretu

Well-Known Member
Jul 21, 2002
Hi there,

After running chkrootkit today I found this in the report:
"Checking `slapper'... Warning: Possible Slapper Worm installed "

I have checked for the worm files within /tmp - did not find any... Also, I have followed the removal instructions provided here: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21184.. Also, it did not help... chkrootkit still reports Slapper.

I have also rebuilt Apache and restarted the box - did not help.

Please help - any input will be appreciated.

Regards,
cretu
 

internethosting

Well-Known Member
Aug 18, 2003
I am no expert, but I will try to help. I have had this a couple of times.

First, make sure you have the latest chkrootkit (0.43)

Then run it, 2, 3, maybe 4 times in a row.

Usually, this will make the warning go away.

Then, run ./scripts/findtrojans

This will make sure no trojans got installed along with Slapper.

(This program will list several "possible" trojans, but look for any suspicious files; there are topics in this forum that will tell you what to look for)

I'm sure some of the pros have some more ideas, but this has worked for me in the past.

Also, make sure you patch your box to prevent this from happening again.

Tim


 

cretu

Well-Known Member
Jul 21, 2002
Hi there,

I have managed to find out the account of the user who installed this worm, so I have terminated him.

However, I have found Slapper again, on another box, and also found the binary for it on the account of a user who is very trustworthy. Anyway, I have terminated him as well.

Question: I have secured the /tmp directory on each box by making it non-executable, yet I still found that the last Slapper was running from /tmp as "http" (the file was actually called that). Also, I have PHP open_basedir protection enabled...
What other measures should I take against such attacks and possible worms?

Regards,
Cretu
 
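The situation above (a binary named "http" running out of /tmp even though the mount is noexec) is worth checking directly rather than relying only on the chkrootkit warning. The script below is an added example, not from this thread or from chkrootkit: on Linux it lists every process whose executable, as reported by /proc/PID/exe, lives under a given directory (default /tmp), including ones whose file was deleted after launch. The directory path and the "http" sample in the test are assumptions; a noexec mount only blocks direct execution, so code pulled in through an interpreter or loader can still run from there, which is why the running processes are what you inspect.

```shell
#!/bin/sh
# Added example (not from the thread): flag running processes whose executable
# lives under a world-writable directory such as /tmp. Assumes a Linux /proc.

# Emit "PID<TAB>EXE" for every process whose /proc/PID/exe link is readable
# (other users' processes are skipped unless run as root). The kernel appends
# " (deleted)" when the file was unlinked after exec; that text is kept on
# purpose, since a deleted-but-running binary is itself a warning sign.
list_proc_exes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        printf '%s\t%s\n' "${p#/proc/}" "$exe"
    done
}

# Read "PID<TAB>EXE" lines on stdin and print only those whose executable
# sits under the directory given as $1 (default /tmp), deleted files included.
flag_exec_from_dir() {
    dir=${1:-/tmp}
    tab=$(printf '\t')
    while IFS=$tab read -r pid exe; do
        case $exe in
            "$dir"/*) printf '%s\t%s\n' "$pid" "$exe" ;;
        esac
    done
}

# Scan the live system: anything printed here deserves a closer look
# (owner, open files and network sockets of that PID, and who launched it).
scan_tmp() {
    list_proc_exes | flag_exec_from_dir "${1:-/tmp}"
}

scan_tmp "${1:-/tmp}"
```

Run it as root to see every user's processes; a hit under /tmp or /var/tmp is a lead, not proof by itself, so follow up on the owning account as cretu did.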

webolocity

Well-Known Member
Jul 22, 2003
Slapper

How did you find the binary? How did you make sure the system was clean?

Thanks
 