Re: [cobalt-users] raq4s still vulnerable to slapper worm??
- Subject: Re: [cobalt-users] raq4s still vulnerable to slapper worm??
- From: Ursula <ursulasays@xxxxxxxxxxxx>
- Date: Sun Aug 3 18:58:00 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
--- Richard Siddall <cobalt@xxxxxxxxxxx> wrote:
> Ursula wrote:
> > this morning I get my usual chkrootkit report, which
> > tells me there's a possible slapper worm installed.
> >
> > Although I can't find any of the slapper files
> > installed - fcheck runs every 15 minutes and reported
> > no changes, apart from the usual stuff in the tmp dir,
> > it certainly looks like the slapper worm.
> >
> [snip]
> > Am I just panicking needlessly? (I sure hope so!) or
> > is every last raq4 still open to this old worm?
> >
> > what are people doing to get around it? how to get rid
> > of it and clean up?
> >
>
> In the case of slapper, you'll get a warning if there's a process bound
> to all IP addresses on ports 2002, 4156, 1978, 1812 or 2015.
>
> This can happen if you're running a RADIUS server that's not bound to a
> specific IP address, or one of the normal servers uses one of those
> ports at random.
>
> Try restarting some of the servers (/etc/rc.d/init.d/<whatever> restart)
> and re-run chkrootkit to see if the warning goes away.
>
The report didn't disappear until I removed the
CGItemp files from the tmp directory.
I'm still concerned by the old version of OpenSSL and
whether these raq4s are still vulnerable.
=====
--
Ursula
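
The port check described in the quoted reply, as an added example that is not part of the original thread and not chkrootkit's own code: a shell filter that finds sockets bound to all addresses on the listed ports and shows which process owns each one. The netstat sample is constructed, and the function names and the `radiusd` process name are assumptions.

```shell
#!/bin/sh
# Ports taken from the reply quoted above.
SLAPPER_PORTS="2002 4156 1978 1812 2015"

# Constructed sample of `netstat -anp` output (not from a real host).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
tcp   0      0      0.0.0.0:80       0.0.0.0:*        LISTEN   612/httpd
udp   0      0      0.0.0.0:1812     0.0.0.0:*                 845/radiusd
udp   0      0      10.0.0.5:2002    0.0.0.0:*                 990/named
udp   0      0      0.0.0.0:2015     0.0.0.0:*                 612/httpd
tcp   0      0      0.0.0.0:20022    0.0.0.0:*        LISTEN   700/sshd
EOF
}

# Read netstat -anp text on stdin; print "proto port owner" for every socket
# bound to all IPv4 addresses (0.0.0.0) on one of the ports in SLAPPER_PORTS.
# Ports are compared exactly, so 20022 does not match 2002.
wildcard_hits() {
    awk -v ports="$SLAPPER_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            k = split($4, a, ":")      # field 4 is the local address
            addr = a[1]; port = a[k]
            if (addr == "0.0.0.0" && (port in want))
                print $1, port, $NF    # last field is PID/Program name
        }'
}

# Label each hit. 1812 is the registered RADIUS port, so a radiusd owner there
# is the benign case from the reply; any other owner is worth a closer look.
triage() {
    wildcard_hits | while read -r proto port owner; do
        case "$port:$owner" in
            1812:*/radiusd) echo "expected $proto/$port $owner" ;;
            *)              echo "review   $proto/$port $owner" ;;
        esac
    done
}

sample_netstat | triage
```

On a live host, run it as root with `netstat -anp | triage` in place of the sample so the PID/Program column is populated.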