cyrusTvirus
09-25-2002, 04:09 AM
Slapper.C has a new function that sends an email to cinik_worm@yahoo.com
containing the IP address, CPU info, and memory info of the infected
host.
Filenames and Process Names
/tmp/.cinik - Slapper.C worm binary
/tmp/.cinik.c - Slapper.C worm source code
/tmp/.cinik.uu - Slapper.C worm source code encoded with the "uuencode" tool
/tmp/.cinik.go - Slapper.C shell script
1. Locate and kill the worm process (run as root).
netstat -anp | grep 4156 | grep -i UDP
pstree -p
kill -9 <PID>
2. Locate and kill the backdoor process.
ps -aux | grep update | grep apache
pstree -p
kill -9 <PID>
To clean a Slapper.C infection manually, refer to the following steps below:
1. Kill the worm process.
killall -9 .cinik
2. Remove all instances of the worm, and verify.
rm -rf /tmp/.cinik /tmp/.cinik.c /tmp/.cinik.uu /tmp/.cinik.go /tmp/.font-unix/.cinik
find / -name .cinik -exec rm -rf {} \; -print
3. Remove all Slapper.C related crontab entries.
Additional Information:
OpenSSL Project
http://www.openssl.org
ISS X-Force Slapper Worm Removal Utility
http://www.iss.net/support/product_utilities
Hope you don't need it :D
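
Added example, not part of the original post: a read-only check that looks for the file names, the UDP port 4156 socket and the crontab references listed above before anything is killed or deleted. The function names, the `--live` switch, the crontab locations and the choice of ".cinik" as the crontab search string are assumptions made for illustration.

```shell
#!/bin/sh
# Read-only Slapper.C indicator check (added example, not from the post).
# Paths and port come from the post; function names are hypothetical.

SLAPPER_PATHS="/tmp/.cinik /tmp/.cinik.c /tmp/.cinik.uu /tmp/.cinik.go /tmp/.font-unix/.cinik"

# Print every listed artifact that exists under ROOT ("" means the live
# filesystem; a mounted disk image can be passed instead).
# Returns 0 if at least one artifact was found, 1 otherwise.
find_artifacts() {
    root="${1:-}"
    found=1
    for p in $SLAPPER_PATHS; do
        if [ -e "$root$p" ]; then
            echo "artifact: $root$p"
            found=0
        fi
    done
    return $found
}

# Read `netstat -anp` output on stdin and print only UDP sockets whose
# local address ends in :4156. Matching on the address column avoids the
# false hits a plain `grep 4156` gives on PIDs or on ports such as 41560.
udp_4156_lines() {
    awk 'tolower($1) ~ /^udp/ && $4 ~ /:4156$/'
}

# Print lines in the given crontab files that mention ".cinik"
# (assumed search string; the post does not show the entries).
cron_hits() {
    grep -H -F '.cinik' "$@" 2>/dev/null
}

# Run all three checks against the running host (run as root so that
# netstat can show PIDs). Crontab locations are common defaults.
slapper_check() {
    find_artifacts ""
    netstat -anp 2>/dev/null | udp_4156_lines
    cron_hits /etc/crontab /etc/cron.d/* /var/spool/cron/*
}

if [ "${1:-}" = "--live" ]; then
    slapper_check
fi
```

Any PID printed in the last column of a matching netstat line is the one to inspect with pstree -p before the kill step.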
