Re: [cobalt-users] raq4s still vulnerable to slapper worm??
- Subject: Re: [cobalt-users] raq4s still vulnerable to slapper worm??
- From: "PageKeeper Service" <host@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sun Aug 3 21:10:00 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
----- Original Message -----
Subject: Re: [cobalt-users] raq4s still vulnerable to slapper worm??
> --- Richard Siddall <cobalt@xxxxxxxxxxx> wrote:
> > Ursula wrote:
> > > this morning I get my usual chkrootkit report, which
> > > tells me there's a possible slapper worm installed.
> > >
> > > Although I can't find any of the slapper files
> > > installed - fheck runs every 15 minutes and reported
> > > no changes, apart from the usual stuff in the tmp dir,
> > > it certainly looks like the slapper worm.
> > >
> > [snip]
> > > Am I just panicking needlessly? (I sure hope so!) or
> > > is every last raq4 still open to this old worm?
> > >
> > > what are people doing to get around it? how to get rid
> > > of it and clean up?
> > >
> >
> > In the case of slapper, you'll get a warning if there's
> > a process bound to all IP addresses on ports 2002, 4156,
> > 1978, 1812 or 2015.
> >
> > This can happen if you're running a RADIUS server that's
> > not bound to a specific IP address, or one of the normal
> > servers uses one of those ports at random.
> >
> > Try restarting some of the servers
> > (/etc/rc.d/init.d/<whatever> restart)
> > and re-run chkrootkit to see if the warning goes away.
> >
>
> the report didn't disappear until I removed the
> CGItemp files from the tmp directory.
>
> I'm still concerned by the old version of openSSL and
> whether these raq4s are still vulnerable
>
> =====
>
> --
>
> Ursula
I've not seen a valid answer to that question myself...
Not sure appliance peddlers want you to really know...lol
But I'm seeing the same things you're seeing, in the logs and on the file system.
slapper worm fact or fiction?
Your host.deny and .bash_history files turn into a misty blue vapor.
I've also 'heard' that the slapper worm only works on 'intel' powered machines....
It needs gcc working to worm.... or has to get a copy from a remote site.
Hard telling not knowing though..
cheap seat notes..
Admins might change the permission of gcc to prevent problems. (might slow the worm down) lol
Sometimes at the end of the month parsing the logs creates some CGItemp<pid> files in /home/tmp, and after 4:02 am daily. (causing havoc in the tmp dir)
I would guess that's the best time to deploy some damage, since tmp is full of brand new files every day at that time.
Leftover temps from poorly coded upload-type scripts trying to upload the same copy of something.
(making many temps could be a hidden problem)
Makes you wonder... What could be hidden in them crusty 200MB CGItemps...?
But no trace of the *.bugtrac yet, but I do see lots of trolling on the ssl port.
Seems the last week or so I have seen more of these skid marks than I'd like to.
[Sat Jul 26 12:12:10 2003] [error] mod_ssl: SSL handshake failed (server pagekeeperservice.com:443, client 66.101.15.10) (OpenSSL library error follows)
[Sat Jul 26 12:12:10 2003] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sat Aug 2 16:32:23 2003] [error] mod_ssl: SSL handshake failed (server pagekeeperservice.com:443, client 195.166.96.250) (OpenSSL library error follows)
[Sat Aug 2 16:32:23 2003] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
my <.02 cents worth.
David
PageKeeper Service
1512 Deborah Road #102
Rio Rancho, New Mexico 87124 US
505-892-8723
http://www.pagekeeperservice.com
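The two checks this thread circles around, Richard's explanation of what chkrootkit's port warning actually tests (a process bound to all addresses on 2002, 4156, 1978, 1812 or 2015) and the mod_ssl "key arg too long" entries David quotes as trolling on the ssl port, can both be scripted. The script below is an added example and is not part of any message in the thread. It assumes Apache 1.3 / mod_ssl error_log lines in the format quoted above and a `netstat -anp` style listing; both inputs are constructed samples embedded in the script, with RFC 5737 documentation addresses in place of real clients, and the program names in the netstat sample are made up. The "key arg too long" reason is what a server logs when it rejects an oversized SSLv2 client master key, so counting it per client shows who is probing the SSL port; the netstat check reports the owning process so a legitimately unbound RADIUS daemon on 1812 can be told apart from an unknown listener, which is exactly the false positive Richard describes.

```python
import re
from collections import Counter

# Error-string fragment from the log entries quoted in the thread: the reason
# OpenSSL gives when it rejects an oversized SSLv2 CLIENT-MASTER-KEY.
SLAPPER_SIGNATURE = "GET_CLIENT_MASTER_KEY:key arg too long"

# Ports chkrootkit associates with slapper when something is bound to all
# addresses on them (the list Richard gives in the thread).
SLAPPER_PORTS = {2002, 4156, 1978, 1812, 2015}

# Constructed sample error_log, modelled on the thread's entries. Client
# addresses are documentation addresses, not real hosts.
SAMPLE_ERROR_LOG = """\
[Sat Jul 26 12:12:10 2003] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sat Jul 26 12:12:10 2003] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sat Jul 26 12:15:44 2003] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 198.51.100.7) (OpenSSL library error follows)
[Sat Jul 26 12:15:44 2003] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Sat Aug  2 16:32:23 2003] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sat Aug  2 16:32:23 2003] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
"""

# Constructed sample of `netstat -anp` output; PIDs and program names are
# invented. Port 2015 is bound to loopback only, so it should not be flagged.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      812/httpd
udp        0      0 0.0.0.0:1812            0.0.0.0:*                           901/radiusd
udp        0      0 0.0.0.0:2002            0.0.0.0:*                           -
tcp        0      0 127.0.0.1:2015          0.0.0.0:*               LISTEN      640/mysqld
"""

HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[0-9.]+)\)"
)
OPENSSL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]+):(?P<reason>.+)$"
)
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?P<addr>[0-9.]+):(?P<port>\d+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<prog>\S+)$"
)


def find_slapper_probes(log_text):
    """Return (timestamp, client, server) for every handshake failure whose
    following OpenSSL line (same timestamp) carries the 'key arg too long' reason."""
    probes = []
    pending = None  # the mod_ssl line waiting for its OpenSSL detail line
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = OPENSSL_RE.match(line)
        if m and pending and m.group("ts") == pending["ts"]:
            if SLAPPER_SIGNATURE in m.group("reason"):
                probes.append((pending["ts"], pending["client"], pending["server"]))
            pending = None
    return probes


def count_probes_by_client(log_text):
    """Number of SSLv2 'key arg too long' failures per client address."""
    return Counter(client for _, client, _ in find_slapper_probes(log_text))


def wildcard_listeners_on_slapper_ports(netstat_text):
    """Sockets bound to 0.0.0.0 on a slapper-associated port, with the owning
    program so a known daemon (e.g. radiusd on 1812) can be ruled out."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port = int(m.group("port"))
        if m.group("addr") == "0.0.0.0" and port in SLAPPER_PORTS:
            hits.append({"proto": m.group("proto"), "port": port, "program": m.group("prog")})
    return hits


if __name__ == "__main__":
    for client, n in count_probes_by_client(SAMPLE_ERROR_LOG).most_common():
        print(f"{client}: {n} SSLv2 'key arg too long' handshake failures")
    for h in wildcard_listeners_on_slapper_ports(SAMPLE_NETSTAT):
        print(f"{h['proto']}/{h['port']} bound to all addresses by {h['program']}")
```

On a real RaQ the two inputs would come from the mod_ssl error_log and from `netstat -anp` run as root (without root the program column shows "-" for other users' sockets, so a dash by itself is not proof of anything). A wildcard listener on one of those ports with no recognisable owner is what merits a closer look; a radiusd on 1812 is the benign case Richard describes and the restart-and-rerun advice applies.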