Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.

UNIX SERVERE rastura virus...

[es] :: Linux :: UNIX SERVERE rastura virus...

[ Pregleda: 3631 | Odgovora: 3 ] > FB > Twit

Postavi temu Odgovori

Autor

Pretraga teme: Traži
Markiranje Štampanje RSS

01011011

Član broj: 561
Poruke: 2341
205.215.116.*



+2 Profil

icon UNIX SERVERE rastura virus...19.09.2002. u 22:26 - pre 262 meseci
Jel iko saznao nesto vise o takozvanom Linux/Slapper-A virusu?
 
Odgovor na temu

BORG
Aleksandar (Sasa) U.
*NIX System/Network Administrator
BL-RS

Član broj: 200
Poruke: 916
*.blic.net

ICQ: 46124351
Sajt: bitches.kicks-ass.net


Profil

icon Re: UNIX SERVERE rastura virus...19.09.2002. u 23:01 - pre 262 meseci
Linux/Slapper-A is a worm which tries to exploit a buffer overflow vulnerability in the OpenSSL component of SSL-enabled Apache web servers. Once active, the worm can be used as a backdoor to start up a range of denial-of-service attacks.

Linux/Slapper-A spreads between systems via TCP port 443 (SSL). Before connecting to this port, the worm connects to TCP port 80 (HTTP) in order to try to customise its attack for specific Apache versions. If a web server other than Apache (or which identifies itself as other than Apache) is found, the worm will not attempt to infect.

The worm looks for:

Red Hat running Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23 and 1.3.26.

SuSE running Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23.

Mandrake running Apache 1.3.14, 1.3.19, 1.3.20, 1.3.23.

Slackware running Apache 1.3.26.

Debian running Apache 1.3.26.

Gentoo running any version of Apache.

If the system distribution or Apache version cannot be determined, the worm assumes Red Hat running Apache 1.3.23.

Linux/Slapper-A connects via TCP port 443 (SSL) and tries to launch a shell (/bin/sh) on the remote system by exploiting a buffer overflow. The flaw in OpenSSL which allows Linux/Slapper-A to spread was announced and fixed in an OpenSSL Security Advisory of 30 July 2002.

If Linux/Slapper-A successfully breaks into its victim, the worm injects a shell script into the remote shell it has launched. The shell script contains a uuencoded copy of the worm's own source code. The script decodes this source code into the file /tmp/.bugtraq.c, compiles it using gcc into the executable file / tmp/.bugtraq and then executes it. A daemon process called .bugtraq will be visible on infected computers.

Note that the Linux/Slapper-A worm depends on the presence of the gcc compiler on victim computers, and also requires that the compiler be executable by the Apache user. Sophos recommends removing, or limiting access to, the compiler on production web servers.

Once active, Linux/Slapper-A opens up a backdoor which can be contacted via UDP port 2002. The backdoor is intended to allow a range of attacks to be initiated from infected computers, such as: executing arbitrary commands; creating TCP floods; creating DNS floods and searching for email addresses on disk.

Recovery

Search for and kill any running processes named:
.bugtraq

Delete these files, if they exist:
/tmp/.bugtraq
/tmp/.bugtraq.c
/tmp/.uubugtraq

http://www.sophos.com/virusinfo/analyses/linuxslappera.html

With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.

--Peter J. Schoenster
 
Odgovor na temu

BORG
Aleksandar (Sasa) U.
*NIX System/Network Administrator
BL-RS

Član broj: 200
Poruke: 916
*.blic.net

ICQ: 46124351
Sajt: bitches.kicks-ass.net


Profil

icon Re: UNIX SERVERE rastura virus...19.09.2002. u 23:17 - pre 262 meseci
Note that the Linux/Slapper-A worm depends on the presence of the gcc compiler on victim computers, and also requires that the compiler be executable by the Apache user. Sophos recommends removing, or limiting access to, the compiler on production web servers.Note that the Linux/Slapper-A worm depends on the presence of the gcc compiler on victim computers, and also requires that the compiler be executable by the Apache user. Sophos recommends removing, or limiting access to, the compiler on production web servers.

----------------

Nista strasno.....

btw,da nisi malo `pretjerao` sa subjektom teme ? L;-]

`UNIX SERVERE rastura virus...` -- i ne rastura bas L;-]

With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.

--Peter J. Schoenster
 
Odgovor na temu

B o j a n
eCTRL
EU

Član broj: 1178
Poruke: 2925
*.verat.net

Jabber: bc@default.co.yu
Sajt: default.co.yu/~bc


+1 Profil

icon Re: UNIX SERVERE rastura virus...20.09.2002. u 09:09 - pre 262 meseci
Taj worm kruzi jos unazad mesecima.
ps: serveri koji imaju promenjen signature iz Apache 1.3.26/mod_ssl x.xx U nesto Patched-ApAcHe-m4d-0.001/mod_esesel x.xx su potpuno imuni, jer worm otkriva zrtve citajuci HTTP header-e koje prima od target masine.

ps: najnoviji openssl je uvek najbezbedniji.

"It's okay, I'm just admiring to the shape of your skull!" -- Dr. Gonzo
 
Odgovor na temu

[es] :: Linux :: UNIX SERVERE rastura virus...

[ Pregleda: 3631 | Odgovora: 3 ] > FB > Twit

Postavi temu Odgovori

Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.