[cobalt-users] raq4s still vulnerable to slapper worm??
- From: Ursula <ursulasays@xxxxxxxxxxxx>
- Date: Sat Aug 2 21:31:00 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
This morning I get my usual chkrootkit report, which
tells me there's a possible slapper worm installed.
So I have a poke around, the error log has lines such
as this:
[Sat Aug 2 19:38:57 2003] [error] OpenSSL: error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)
[Sat Aug 2 19:39:13 2003] [error] mod_ssl: SSL handshake failed (server www.domain.com.au:443, client 211.28.48.235) (OpenSSL library error follows)
[Sat Aug 2 19:39:13 2003] [error] OpenSSL: error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)
[Sat Aug 2 19:39:55 2003] [error] mod_ssl: SSL handshake failed (server www.domain.com.au:443, client 211.28.48.235) (OpenSSL library error follows)
And netstat -an gives me this:
tcp 0 0 66.70.78.190:80 132.234.126.119:1410 ESTABLISHED
tcp 0 0 66.70.78.190:80 132.234.126.119:1411 ESTABLISHED
Although I can't find any of the slapper files
installed - fheck runs every 15 minutes and reported
no changes, apart from the usual stuff in the tmp dir,
it certainly looks like the slapper worm.
This is a 100% patched raq4, Apache still reports
mod_ssl/2.8.4 OpenSSL/0.9.6b (I took a look at all my
raq4s, they all report the same thing and are all
fully patched). CERT advisories say anything less than
0.9.6d is vulnerable.
Am I just panicking needlessly? (I sure hope so!) or
is every last raq4 still open to this old worm?
What are people doing to get around it? How to get rid
of it and clean up?
=====
--
Ursula
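
A triage sketch for the error_log excerpts quoted in the message above, added here as an example and not part of the original post: it groups mod_ssl handshake failures by client address and attaches the OpenSSL error code logged after each one. The sample log is constructed from the post's lines (unwrapped to one entry per line) plus one made-up entry from the documentation address 192.0.2.10; the function and variable names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the post's error_log excerpts, one entry per line,
# plus one made-up entry from a documentation address (192.0.2.10).
SAMPLE_LOG = """\
[Sat Aug 2 19:38:57 2003] [error] OpenSSL: error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)
[Sat Aug 2 19:39:13 2003] [error] mod_ssl: SSL handshake failed (server www.domain.com.au:443, client 211.28.48.235) (OpenSSL library error follows)
[Sat Aug 2 19:39:13 2003] [error] OpenSSL: error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)
[Sat Aug 2 19:39:55 2003] [error] mod_ssl: SSL handshake failed (server www.domain.com.au:443, client 211.28.48.235) (OpenSSL library error follows)
[Sat Aug 2 19:41:02 2003] [error] mod_ssl: SSL handshake failed (server www.domain.com.au:443, client 192.0.2.10) (OpenSSL library error follows)
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$")
HANDSHAKE = re.compile(r"mod_ssl: SSL handshake failed \(server \S+, client (?P<client>[\d.]+)\)")
OPENSSL = re.compile(r"OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):")

def summarize(log_text):
    """Count handshake failures per client and collect the OpenSSL codes that follow them."""
    clients = defaultdict(lambda: {"count": 0, "first": None, "last": None, "codes": set()})
    current = None  # record of the client named in the most recent handshake failure
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue
        ts = datetime.strptime(entry["ts"], "%a %b %d %H:%M:%S %Y")
        failed = HANDSHAKE.search(entry["msg"])
        if failed:
            current = clients[failed["client"]]
            current["count"] += 1
            current["first"] = current["first"] or ts
            current["last"] = ts
            continue
        err = OPENSSL.search(entry["msg"])
        if err and current is not None:
            current["codes"].add(err["code"].upper())
        elif not err:
            current = None  # an unrelated entry ends the failure/error pairing
    return dict(clients)

if __name__ == "__main__":
    for ip, rec in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(ip, rec["count"], rec["first"], rec["last"], sorted(rec["codes"]))
```

An OpenSSL line with no handshake failure before it, like the first line of the excerpt, is not attributed to any client.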