#1 - 09-23-2002, 08:49 AM - Web Hosting Guru (Join Date: Feb 2002, Location: The Netherlands, Posts: 308)
Propagation of "Slapper" OpenSSL/Apache Worm Variant
Alerts
Internet Security Systems Security Alert
September 22, 2002
Propagation of "Slapper" OpenSSL/Apache Worm Variant
Synopsis:
ISS X-Force has learned of the existence of a variant of the "Slapper" (also
known as Slapper.A) worm that X-Force documented in an X-Force Security Alert
on September 14, 2002. The new variant, named Slapper.B, has several subtle
differences from the first Slapper worm, but it is for the most part an
updated version of its predecessor. Both versions carry the same attack
payload and attempt to exploit a previously disclosed vulnerability in the
Secure Sockets Layer 2.0 (SSLv2) handshake process. Slapper.A and Slapper.B
both target the Linux operating system running the Apache Web server with
OpenSSL.
Impact:
The impact of Slapper.B is the same as that of Slapper.A. Both worms carry
backdoor and distributed denial of service (DDoS) functionality. X-Force noted
that it was significant that source code for Slapper.A was distributed within
the computer underground immediately after the worm was detected in the wild.
Widespread access to the source code has no doubt contributed to the spread of
Slapper variants and X-Force predicts that Slapper will be used as a
development platform for future variants. Slapper.B has infected more than
9500 hosts by September 22, 2002, 16:00 (UTC-4).
Affected Versions:
OpenSSL versions up to and including 0.9.6d and 0.9.7 beta1
Current versions of the Slapper worm only target the following Linux
distributions. The worm may trigger unpredictable results on additional Unix
platforms. Other Unix platforms, as well as Apache with OpenSSL for Windows,
may also be vulnerable to the OpenSSL vulnerability.
Debian Linux, Apache 1.3.26
Red Hat Linux, Apache 1.3.6
Red Hat Linux, Apache 1.3.9
Red Hat Linux, Apache 1.3.12
Red Hat Linux, Apache 1.3.19
Red Hat Linux, Apache 1.3.20
Red Hat Linux, Apache 1.3.23
SuSE Linux, Apache 1.3.12
SuSE Linux, Apache 1.3.17
SuSE Linux, Apache 1.3.19
SuSE Linux, Apache 1.3.20
SuSE Linux, Apache 1.3.23
Mandrake Linux, Apache 1.3.14
Mandrake Linux, Apache 1.3.19
Mandrake Linux, Apache 1.3.20
Mandrake Linux, Apache 1.3.23
Slackware Linux, Apache 1.3.26
Gentoo Linux (Apache version undetermined)
Description:
Please refer to the X-Force Security Alert titled, "Slapper OpenSSL/Apache
Worm Propagation" for general information about the Slapper worm:
http://bvlive01.iss.net/issEn/delive....jsp?oid=21130
The Slapper.B worm has several new features and modifications from the
previous version. These changes are outlined below.
Peer-to-Peer Network
Slapper.B creates a peer-to-peer network of compromised hosts that communicate
on UDP port 4156.
New Functions
Slapper.B has a new function called "mailme()" that sends an email to
aion@ukr.net containing the IP address and hostname of the infected computer
and the hostname of the server it is linked to.
Slapper.B contains a new interactive backdoor function. Slapper.A allowed
attackers to execute commands via the peer-to-peer network. Slapper.B has a
supplemental backdoor that listens on TCP port 1052. Attackers must supply a
password before Slapper.B grants an interactive command shell.
Filenames and Process Names
/tmp/httpd - Slapper.B worm binary
/tmp/update - Slapper.B backdoor process
/tmp/.unlock - Gzip compressed file with worm and backdoor source
Slapper.B changes its process name to "httpd" to appear the same as a running
Apache Web server process.
Recommendations:
RealSecure 7.0 customers can configure a user-defined event to detect
exploit attempts with the following rule:
alert tcp any any -> any 443 (content: "TERM=xterm"; content: "exec bash"; nocase; msg: "XTerm invoked from SSL connection";)
RealSecure Server Sensor customers can configure a user-defined event to
detect exploitation attempts. Server Sensor customers should consider creating
a rule to detect the string, "SSL handshake failed" within Apache error log
file.
RealSecure customers can also follow the following steps to configure a
user-defined event to detect the email that Slapper.B sends:
From the Sensor window:
1. Right-click on the sensor and select "Properties".
2. Choose a policy you want to use, and click "Customize".
3. Select the "User Defined Events" tab.
4. Click "Add" on the right hand side of the dialog box.
5. Create a User Defined Event.
6. Type in a name of the event, such as "Slapper.B email".
7. In the "Context" field for each event, select "Email_Receiver".
In the "String" field, type the following for the event:
aion@ukr.net
8. Click "Save", and then "Close".
9. Click "Apply to Sensor" or "Apply to Engine".
For more information on RealSecure 7.0 TRONS events, search for "trons" in the
ISS Knowledgebase: http://www.iss.net/support/knowledgebase/.
ISS X-Force has provided detection and assessment support for the Slapper worm
and the OpenSSL vulnerability in X-Press Updates for RealSecure Network Sensor
and Internet Scanner. These XPUs are available now from the ISS Download
Center:
http://www.iss.net/download
Any users with installations of OpenSSL up to and including 0.9.6d or
0.9.7beta1 are encouraged to immediately upgrade to the latest version of
OpenSSL (currently 0.9.6g).
Administrators should consider one or more of the following temporary
workaround solutions to block and/or disable the propagation of the worm:
1) Disable mod_ssl HTTPS connections completely if they are not needed.
Comment out the following line in "httpd.conf":
Listen 443
so that it reads:
#Listen 443
2) Disable the SSLv2 protocol if unneeded. Locate the SSLCipherSuite
directive in httpd.conf.
If it is commented out, uncomment it.
Append ":!SSLv2" to the end of the directive, and remove any portion which may
enable SSLv2 such as: ":+SSLv2".
Ensure that other ciphers are correctly configured. For these changes to take
effect, the server must be restarted.
3) Administrators should consider disabling all compilers on production or
externally facing systems. While this workaround may not block any future
variants, it will block propagation of this worm. Disabling compilers on
production systems is a good general security practice.
The Slapper.B worm attempts to disguise itself as a running "httpd" process,
so disabling it won't be as straightforward as disinfecting Slapper.A. To
disable the worm on an infected host, administrators must use the netstat,
ps, and pstree commands to locate suspect processes. The following commands
help locate potential infections (replace <PID> with the process ID found):
1. Locate and kill the worm process (the process bound to UDP port 4156).
netstat -anp | grep 4156 | grep -i udp
pstree -p
kill -9 <PID>
2. Locate and kill the backdoor process ("update").
ps aux | grep update | grep apache
pstree -p
kill -9 <PID>
Additional Information:
OpenSSL Project
http://www.openssl.org
ISS X-Force Database
http://www.iss.net/security_center/static/9714.php
http://www.iss.net/security_center/static/10098.php
Credits:
ISS X-Force would like to thank Cristine Hoepers of the Brazilian
Network Information Center for her assistance.
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.
Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for
permission.
Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.
http://www.HaVa.nl - Reliable hosting and Colocation
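Workaround 2 from the advisory (activate SSLCipherSuite, strip ":+SSLv2", append ":!SSLv2") as an added shell example; it is not part of the advisory, of ISS's tooling or of the poster's own text. It rewrites an Apache 1.3 / mod_ssl httpd.conf read on stdin and adds a check that every active SSLCipherSuite line excludes SSLv2; the file paths in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the ISS advisory): apply the advisory's workaround 2
# to an Apache 1.3 / mod_ssl httpd.conf read on stdin.
#   - uncomment a commented-out SSLCipherSuite directive (indentation kept)
#   - remove any ":+SSLv2" or leading "+SSLv2:" term that re-enables SSLv2
#   - append ":!SSLv2" unless it is already present
# All other lines pass through unchanged. Restart Apache afterwards.
harden_ciphersuite() {
    sed -e '/^[[:space:]]*#*[[:space:]]*SSLCipherSuite[[:space:]]/{' \
        -e 's/^\([[:space:]]*\)#*[[:space:]]*/\1/' \
        -e 's/:+SSLv2//g' \
        -e 's/+SSLv2://g' \
        -e '/:!SSLv2/!s/$/:!SSLv2/' \
        -e '}'
}

# Sanity check for the result read on stdin: exit 0 only when at least one
# SSLCipherSuite directive is active and every active one names !SSLv2 and
# no +SSLv2 (a second vhost with an unhardened directive would fail this).
sslv2_disabled() {
    awk '/^[[:space:]]*SSLCipherSuite[[:space:]]/ {
             n++
             if ($2 !~ /!SSLv2/ || $2 ~ /\+SSLv2/) bad++
         }
         END { exit !(n > 0 && bad == 0) }'
}

# Typical use (constructed paths):
#   harden_ciphersuite < /etc/httpd/conf/httpd.conf > /tmp/httpd.conf.new
#   sslv2_disabled < /tmp/httpd.conf.new && echo "SSLv2 excluded"
```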
#2 - 09-27-2002, 04:00 PM - Junior Guru Wannabe (Join Date: Dec 2001, Location: gulf of mexico, Posts: 52)
hi.. how do you tell if you could be infected?
tia.
regards
what command should we run in ssh?
ciao
oh yeah.. We do not use SSL at all.. and do not have anything from openSSL installed..
still would like to check it out..
thanks
Last edited by gargonzo; 09-27-2002 at 04:15 PM.
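For the question above (how to tell whether a host is infected), an added shell example that is not part of the advisory, of ISS's tooling or of either poster's reply: it checks for the indicators the advisory lists (the /tmp file names, the UDP 4156 peer-to-peer port, the TCP 1052 backdoor, and processes started from /tmp) and the Slapper.A name /tmp/.bugtraq.c from the later post. It assumes Linux "netstat -anp" and "ps -eo pid,user,args" column layouts; the sample lines in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the ISS advisory): host-side check for the
# Slapper.B indicators the advisory names. The parsing functions read
# netstat/ps output on stdin so they can also be run on saved output.

# Indicator paths from the advisory plus Slapper.A's /tmp/.bugtraq.c.
SLAPPER_FILES="tmp/httpd tmp/update tmp/.unlock tmp/.bugtraq.c tmp/.bugtraq"

# Print each indicator file present under $1 (default /). A root argument
# lets the check run against a mounted disk image or a scratch tree.
check_slapper_files() {
    root="${1:-/}"
    for f in $SLAPPER_FILES; do
        [ -e "$root/$f" ] && echo "file: $root/$f"
    done
    return 0
}

# Read "netstat -anp" style lines on stdin; print sockets on the worm's ports:
# UDP 4156 (peer-to-peer network) and a TCP listener on 1052 (password backdoor).
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State] PID/Program
check_slapper_ports() {
    awk '($1 ~ /^udp/ && $4 ~ /:4156$/) ||
         ($1 ~ /^tcp/ && $4 ~ /:1052$/ && $6 == "LISTEN") { print "socket: " $0 }'
}

# Read "ps -eo pid,user,args" style lines on stdin (header first); print
# processes whose executable was started from /tmp, where the advisory says
# the worm ("httpd") and backdoor ("update") live. A genuine Apache child is
# started from its installed path, so a process name alone proves nothing.
check_tmp_processes() {
    awk 'NR > 1 && $3 ~ /^\/tmp\// { print "process: " $0 }'
}

# Report for the live host; exit status 1 when anything was flagged.
# Run as root so netstat can show the owning PID of each socket.
slapper_report() {
    report=$( check_slapper_files /
              netstat -anp 2>/dev/null | check_slapper_ports
              ps -eo pid,user,args 2>/dev/null | check_tmp_processes )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    echo "no Slapper.B indicators found"
}
```

A hit on any of the three checks is a reason to follow the advisory's netstat/pstree/kill steps and to inspect the host, not proof by itself; the file names in particular are trivial for a variant to change.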
#3 - 09-27-2002, 04:22 PM - Junior Guru Wannabe (Join Date: Dec 2001, Location: gulf of mexico, Posts: 52)
locate bugtraq.c
find / -name .bugtraq
find / -name bugtraq.c
Originally posted by Cyborg
I got this information from the sun forum.
For Raq owners!
patch is in QA right now. I don't have a timeframe for release, but I have been told "real soon"
In the meantime.....
This is not an official Sun patch or workaround. It works for Tony
Telnet or ssh into your server & become root
edit httpd.conf & append to the end of it the following string
ServerTokens ProductOnly
then cd /tmp
touch .bugtraq.c
ls -al (make sure .bugtraq.c is a 0 byte file)
chmod 000 .bugtraq.c
chattr +i .bugtraq.c
/etc/rc.d/init.d/httpd restart
Tony
Sun Microsystems
all the above shamelessly ctrl+c / ctrl+v from rackshack.net forums.. thanks to all who posted there..
ciao