Linux worm spreading

Printable View

September 14th, 2002, 03:15 PM
problemchild

Linux worm spreading

Ok, guys.... time to get patching. A new worm is making the rounds that targets Linux servers running vulnerable versions of Apache and OpenSSL. The worm sends an invalid GET request to identify Apache servers, and then tries to connect on port 443 to a execute shell code exploit on the host machine. The infected host then listens on UDP port 2002. To see if you have already been infected, look for /tmp/.bugtraq with ls -a.

Fix: Update your OpenSSL to 0.9.6g and update Apache to 1.3.26.

http://securityresponse.symantec.com...pper.worm.html

[EDIT] Shameless I-told-you-so: If you have followed my advice on Linux partitioning, .bugtraq won't be able to execute on your system since you have /tmp mounted with the noexec option. :D
September 14th, 2002, 04:10 PM
Phat_Penguin

problemchild,

I saw this earlier in the Bugtraq mailing list, checked and am clean ) - but I have started to see a number of https connection attempts on the firewall logs mostly from Asia.

Thanks for the info.

PP
September 14th, 2002, 09:27 PM
digitalgadfly

This is a log file from a box containing the worm, I thought some might find it useful. I received this from a debian mailing list.

Is this log evidence of our worm?

[Fri Sep 13 23:46:29 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 195.34.113.130) (OpenSSL library error follows)
[Fri Sep 13 23:46:30 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sat Sep 14 04:11:02 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 209.217.161.130) (OpenSSL library error follows)
[Sat Sep 14 04:11:02 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
September 14th, 2002, 11:14 PM
problemchild

Quote:

I have started to see a number of https connection attempts on the firewall logs mostly from Asia.

I'm forced to agree with Tedob1 that we really get nothing useful from that region, and I'm thinking about taking his advice on dropping all packets from that area. I hate to shut out a whole region like that, but I'm beginning to think the risk outweighs the sheer rudeness of it.
September 15th, 2002, 05:30 AM
digitalgadfly

For any of those interested I have stumbled across the source code for the old worm and the new worm.

Old Worm- http://dammit.lt/apache-worm/apache-worm.c
The old worm used UDP port 2001, and showed up shortly after the original OpenSSL vulnerability in late July.

New Worm- http://217.24.0.78/bugtraq.c.txt
It communicates via UDP port 2002, though I'm not actually sure what data gets sent on that port

enjoy :)
September 16th, 2002, 01:16 AM
problemchild

It seems that Symantec has issued an updated advisory which goes into much more detail than the original and suggests some possible fixes if patching isn't possible for whatever reason.

The number of infections is now estimated at 3,500 since Friday. Since Apache servers with OpenSSL enabled are estimated to account for roughly 10% of the Apache servers out there, 3,500 of those machines remaining unpatched after months of advisories doesn't look good for the overall state of Linux administration out there. :(

http://securityresponse.symantec.com...002.09.13.html