Results 1 to 6 of 6

Thread: Linux worm spreading

  1. #1
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551

    Linux worm spreading

    Ok, guys.... time to get patching. A new worm is making the rounds that targets Linux servers running vulnerable versions of Apache and OpenSSL. The worm sends an invalid GET request to identify Apache servers, and then tries to connect on port 443 to a execute shell code exploit on the host machine. The infected host then listens on UDP port 2002. To see if you have already been infected, look for /tmp/.bugtraq with ls -a.

    Fix: Update your OpenSSL to 0.9.6g and update Apache to 1.3.26.

    http://securityresponse.symantec.com...pper.worm.html

    [EDIT] Shameless I-told-you-so: If you have followed my advice on Linux partitioning, .bugtraq won't be able to execute on your system since you have /tmp mounted with the noexec option.
    Do what you want with the girl, but leave me alone!

  2. #2
    Senior Member
    Join Date
    May 2002
    Posts
    450
    problemchild,

    I saw this earlier in the Bugtraq mailing list, checked and am clean ) - but I have started to see a number of https connection attempts on the firewall logs mostly from Asia.

    Thanks for the info.

    PP

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    115
    This is a log file from a box containing the worm, I thought some might find it useful. I received this from a debian mailing list.

    Is this log evidence of our worm?

    [Fri Sep 13 23:46:29 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 195.34.113.130) (OpenSSL library error follows)
    [Fri Sep 13 23:46:30 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
    [Sat Sep 14 04:11:02 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 209.217.161.130) (OpenSSL library error follows)
    [Sat Sep 14 04:11:02 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
    Civilization. The death of dreams.

  4. #4
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    I have started to see a number of https connection attempts on the firewall logs mostly from Asia.
    I'm forced to agree with Tedob1 that we really get nothing useful from that region, and I'm thinking about taking his advice on dropping all packets from that area. I hate to shut out a whole region like that, but I'm beginning to think the risk outweighs the sheer rudeness of it.
    Do what you want with the girl, but leave me alone!

  5. #5
    Senior Member
    Join Date
    Aug 2002
    Posts
    115
    For any of those interested I have stumbled across the source code for the old worm and the new worm.

    Old Worm- http://dammit.lt/apache-worm/apache-worm.c
    The old worm used UDP port 2001, and showed up shortly after the original OpenSSL vulnerability in late July.

    New Worm- http://217.24.0.78/bugtraq.c.txt
    It communicates via UDP port 2002, though I'm not actually sure what data gets sent on that port


    enjoy
    Civilization. The death of dreams.

  6. #6
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    It seems that Symantec has issued an updated advisory which goes into much more detail than the original and suggests some possible fixes if patching isn't possible for whatever reason.

    The number of infections is now estimated at 3,500 since Friday. Since Apache servers with OpenSSL enabled are estimated to account for roughly 10% of the Apache servers out there, 3,500 of those machines remaining unpatched after months of advisories doesn't look good for the overall state of Linux administration out there.

    http://securityresponse.symantec.com...002.09.13.html
    Do what you want with the girl, but leave me alone!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •