The Community Forums


Possible Slapper Worm found

Discussion in 'General Discussion' started by cretu, Jan 2, 2004.

  1. cretu

    cretu Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    208
    Likes Received:
    0
    Trophy Points:
    16
    Hi there,

    After running chkrootkit today I have found in the reports:
    "Checking `slapper'... Warning: Possible Slapper Worm installed "

    I have checked for the worm files within /tmp - did not find any... Also, I have followed the removal instructions provided here: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21184. Also, it did not help... Chkrootkit still reports Slapper.

    I have also rebuilt Apache and restarted the box - did not help.

    Please help - any input will be appreciated.

    Regards,
    cretu
     
  2. internethosting

    internethosting Well-Known Member

    Joined:
    Aug 18, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    I am no expert, but I will try to help. I have had this a couple of times.

    First, make sure you have the latest chkrootkit (0.43)

    Then run it, 2, 3, maybe 4 times in a row.

    Usually, this will make the warning go away.

    Then, run ./scripts/findtrojans

    This will make sure no trojans got installed with slapper.

    (This program will list several "possible" trojans, but look for any suspicious files; there are topics in this forum that will tell you what to look for)

    I'm sure some of the pros have some more ideas, but this has worked for me in the past.

    Also, make sure you patch your box to prevent this from happening again.

    Tim
     
  3. cretu

    cretu Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    208
    Likes Received:
    0
    Trophy Points:
    16
    Hi there,

    I have managed to find the account of the user who installed this worm, so I have terminated him.

    However, I have found slapper again, on another box, and also found the binary for it on the account of a user who is very trustworthy. Anyway, I have terminated him as well.

    Question: I have secured the /tmp directory on each box by making it non-executable, yet I still found that the last slapper was running from /tmp as "http" (the file was actually called that). Also, I have php open_basedir protection enabled...
    What other measures should I take against such attacks and possible worms?

    Regards,
    Cretu
     
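A defender-side check for the situation cretu describes above (something executing out of /tmp even though /tmp is mounted non-executable), added here as an example and not code from the thread: it lists processes whose executable lives under /tmp by reading /proc, and verifies whether /tmp actually carries the noexec mount option. The function names and the PROCROOT/mounts-file parameters are my own, added so the checks can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the thread: two defender-side checks for a
# process running out of /tmp even though the filesystem is mounted
# noexec. Assumes Linux /proc and GNU (or BusyBox) readlink.
# PROCROOT and the mounts file are parameters so the checks can be run
# against a constructed tree offline.

# procs_from_dir [PROCROOT] [DIR]
# Prints "PID<TAB>EXE" for every process whose /proc/PID/exe points into DIR.
procs_from_dir() {
    procroot="${1:-/proc}"
    dir="${2:-/tmp}"
    for exe in "$procroot"/[0-9]*/exe; do
        [ -L "$exe" ] || continue            # kernel threads have no exe link
        target=$(readlink "$exe" 2>/dev/null) || continue   # EPERM on others' PIDs
        # A binary unlinked after launch reads "/tmp/http (deleted)"; keep the
        # suffix so it is obvious the file on disk is already gone.
        case "$target" in
            "$dir"/*)
                pid=${exe%/exe}
                pid=${pid##*/}
                printf '%s\t%s\n' "$pid" "$target" ;;
        esac
    done
}

# mount_has_noexec MOUNTPOINT [MOUNTS_FILE]
# Exit 0 when MOUNTPOINT is its own mount carrying the noexec option.
# A /tmp that is just a directory on / never appears in the mounts file,
# so the check fails for it, which is the right answer: it is not noexec.
mount_has_noexec() {
    mp="$1"
    mounts="${2:-/proc/mounts}"
    awk -v mp="$mp" '
        $2 == mp { n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
        END      { exit found ? 0 : 1 }' "$mounts"
}

# Run against the live system when executed directly.
if [ -d /proc/self ]; then
    if mount_has_noexec /tmp; then
        echo "/tmp is mounted noexec"
    else
        echo "/tmp is NOT mounted noexec"
    fi
    procs_from_dir /proc /tmp
fi
```

Note that noexec stops direct execution of a binary but not an interpreter or loader running a file from /tmp, so the process listing is the check that catches what the mount option misses.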
  4. webolocity

    webolocity Well-Known Member

    Joined:
    Jul 22, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Slapper

    How did you find the binary? How did you make sure the system was clean?

    Thanks
     