randomErr writes
"The worms, Slapper.B and Slapper.C, which exploit a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, have infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company."
use chkrootkit to see if you've gotten it (Score:5, Informative)
version 0.37 has been updated to find the slapper - JB
Re:A few hopes... (Score:5, Informative)
So, in short, it's an old bug, it's been patched, and the only ones getting hit are people who haven't patched their openssl libraries.
Same mantra applies to Linux and MS sysadmins: (Score:5, Informative)
2) Keep up to date on your patch levels.
You don't have to be bleeding-edge on patches, but when a security vulnerability with malicious code in the wild has been detected, it's time to *DO* something about it!
Really, I wonder how many of these infected websites were actually USING SSL, as opposed to having that port hot but unused...
CERT Advisory (Score:5, Informative)
How to test yourself (Score:5, Informative)
http://cert.uni-stuttgart.de/advisories/openssl
It will connect to your HTTPS server and check it. Unfortunately, it won't connect to SSH. It helped me make sure I was patched up at least for apache.
And I have never quite understood why the advisory says to recompile your apps as well. If they are using the Shared Library, where the problem actually exists, then they get the upgrade by default. Now, if you had some static compiles, then sure.
Pbur
Re:Same mantra applies to Linux and MS sysadmins: (Score:5, Informative)
I would add the following:
3) Don't install a development environment (e.g. gcc, which is required for this worm to propagate) on a publicly exposed web server!
Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).
If you must use a compiler on your web server, FFS run the publicly accessible service in a chroot jail [tldp.org]!
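The two pieces of advice in this comment (no build tools on an exposed web server, and chroot the service if you must have them) can be checked mechanically. The script below is an added example, not code from the thread or from chkrootkit: it lists which build tools are reachable on PATH and, on Linux, reports whether given httpd PIDs are running inside a chroot by comparing /proc/<pid>/root with the host root. The tool list is an assumption for the example; the `is_executable` parameter exists only so the PATH search can be exercised without a real filesystem.

```python
import os

# Tools a self-compiling worm of the kind described above would need on the
# host. The list is an assumption for this example; extend it as needed.
BUILD_TOOLS = ("gcc", "cc", "g++", "c++", "ld", "as", "make")


def _is_executable_file(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def find_build_tools(path_dirs, tools=BUILD_TOOLS, is_executable=_is_executable_file):
    """Return {tool: first matching path} for every tool found in path_dirs.

    is_executable is injectable so the search can be exercised without
    touching the real filesystem."""
    found = {}
    for tool in tools:
        for directory in path_dirs:
            candidate = os.path.join(directory, tool)
            if is_executable(candidate):
                found[tool] = candidate
                break
    return found


def process_is_chrooted(pid):
    """Linux only: True when /proc/<pid>/root is not the host root directory,
    i.e. the process runs inside a chroot. None when /proc is unavailable or
    the target's root link cannot be followed (usually a permissions issue)."""
    try:
        proc_root = os.stat(f"/proc/{pid}/root")
        host_root = os.stat("/")
    except OSError:
        return None
    return (proc_root.st_dev, proc_root.st_ino) != (host_root.st_dev, host_root.st_ino)


def audit(httpd_pids=()):
    """Summarise both checks as a list of finding strings."""
    path_dirs = os.environ.get("PATH", "").split(os.pathsep)
    findings = []
    tools = find_build_tools(path_dirs)
    if tools:
        findings.append("build tools present: "
                        + ", ".join(f"{t}={p}" for t, p in sorted(tools.items())))
    else:
        findings.append("no build tools found on PATH")
    labels = {True: "chrooted", False: "NOT chrooted", None: "unknown"}
    for pid in httpd_pids:
        findings.append(f"pid {pid}: {labels[process_is_chrooted(pid)]}")
    return findings


if __name__ == "__main__":
    import sys
    pids = [int(a) for a in sys.argv[1:]]  # e.g. the httpd PIDs from `pgrep httpd`
    for line in audit(pids):
        print(line)
```

Run it as root (or as the httpd user) with the httpd PIDs as arguments; following another user's /proc/<pid>/root needs privileges, which is why that check reports "unknown" rather than guessing.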
Old news (Score:2, Informative)
http://www.lwn.net/Articles/10026/
Thanks.
Re:mirror (Score:2, Informative)
here is my mirror of the source:
http://sage.che.pitt.edu/~harrold/tmp/ch
Re:what does it look like? (Score:2, Informative)
Anyway I could be completely wrong, but since these hits were from Web servers I kind of suspect that these servers have not been patched.... God I hope that the log entries below don't indicate that I've been hit and damaged
Anyway the hits looked like this:
Re:comparison (Score:3, Informative)
That said, I would like to see a more in-depth analysis of the proportions of machines which have been hit and are infected. Also, we should bear in mind that the impact is much less on linux as Apache normally runs as a non-root user while IIS almost always runs as a system/admin user.
Re:what does it look like? (Score:3, Informative)
to detect the worm, simply do a ls -al in
you will find
Re:How to test yourself (Score:3, Informative)
Re:The Worm (Score:4, Informative)
One thing that would fix a whole lot of problems is for a security model to be installed that allowed root to delegate low-port and raw-protocol access to non-root accounts.
Granted these particular worms would not have cared, but there have been many remote root exploits that happened only because a daemon needed to be root to create a low port or perform raw protocol manipulation.
Time to chroot apache (Score:2, Informative)
Re:use chkrootkit to see if you've gotten it (Score:2, Informative)
The most common MD5 sig for the 0.37 tarball seems to be: b0feebea67655daa440da92099dd5187
But for some reason I also see a different MD5 for what is supposed to also be 0.37:
edf50a9c8c6bf09b0a9147f2e6168826
BUT that is actually the signature from 0.35
So the bottom line is, try not to panic. Some mirrors are just a little out of sync. I am still a little nervous running this thing as root since I haven't seen anyone report that it's not a trojan itself. I guess some code review is in order.
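The mirror confusion above is exactly the case a checksum verifier should handle: a download that matches the digest of a different release is a stale mirror, one that matches nothing on record should not be run at all. The following is an added example, not code from the thread or from the chkrootkit project; it uses the two digests quoted in the comment as its record and a constant-time comparison for the check. Release names are taken from the comment, the constructed inputs in the test are not real tarballs.

```python
import hashlib
import hmac

# MD5 digests quoted in the comment above, keyed by the release each one is
# reported to belong to.
KNOWN_MD5 = {
    "b0feebea67655daa440da92099dd5187": "chkrootkit 0.37",
    "edf50a9c8c6bf09b0a9147f2e6168826": "chkrootkit 0.35",
}


def md5_hex(data):
    """MD5 of an in-memory byte string, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file on disk, read in chunks so large tarballs fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(digest, expected_release, known=KNOWN_MD5):
    """Decide what a downloaded tarball's digest tells us.

    Returns one of:
      ("ok", release)            digest is the one published for expected_release
      ("stale-mirror", release)  digest belongs to a different known release
      ("unknown", digest)        digest matches nothing on record: do not run it
    """
    for known_digest, release in known.items():
        if hmac.compare_digest(digest.lower(), known_digest):
            if release == expected_release:
                return ("ok", release)
            return ("stale-mirror", release)
    return ("unknown", digest)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, *classify_digest(md5_of_file(path), "chkrootkit 0.37"))
```

Keep the known-digest table populated from the project's own announcement rather than from the mirror you downloaded from, otherwise the check only proves the mirror is consistent with itself.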
Re:We're not really catching up (Score:2, Informative)
Slappers. (Score:4, Informative)
A linguistic note for Americans and other aliens....
"Slapper" is an EnglishEnglish term for a woman with an easily exploited hole....
Re:Reasons (Score:3, Informative)
Even if you double the number to account for people running IIS on their home-desktop, you get nowhere near the "infected-to-unaffected" ratio.
Remember that all the "95% market share" babble is about desktop systems, while both Slapper and CodeRed are targeting server systems, where windos is one among many, and by far not the leader.
Re:comparison (Score:4, Informative)
Why? Because of worm propagation history. Slapper is old news by now.
Compare this graph:
http://www.caida.org/analysis/security/code-red/c
It shows that CodeRed's growth was exponential at the critical time, which measured only a few hours. Days have passed since Slapper hit the 10k mark, and we haven't seen any considerably higher estimates.
Re:what does it look like? (Score:5, Informative)
[Sun Sep 22 12:45:51 2002] [error] mod_ssl: SSL handshake failed (server YOURSERVER:443, client aaa.bbb.ccc.ddd) (OpenSSL library error follows)
[Sun Sep 22 12:45:51 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
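The two log lines above are the trace a probe leaves in the Apache error log: mod_ssl logs the failed handshake with the client address, and the OpenSSL line that follows it, with the same timestamp, carries the reason. The script below is an added example, not code from the thread; it pairs those two lines, counts failed handshakes per client, and separately counts the ones whose reason is the `GET_CLIENT_MASTER_KEY:key arg too long` string quoted here. The sample log is constructed for the example (the first pair copies the shape of the quoted lines, the rest is filler with a different client and a different OpenSSL error). The count tells you how often the server was probed, not whether any probe succeeded; that depends on the OpenSSL version the server is linked against.

```python
import re
from collections import Counter

# Constructed sample of an Apache error log (not a real capture).
SAMPLE_LOG = """\
[Sun Sep 22 12:45:51 2002] [error] mod_ssl: SSL handshake failed (server YOURSERVER:443, client 10.0.0.5) (OpenSSL library error follows)
[Sun Sep 22 12:45:51 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sun Sep 22 12:46:02 2002] [error] mod_ssl: SSL handshake failed (server YOURSERVER:443, client 192.0.2.9) (OpenSSL library error follows)
[Sun Sep 22 12:46:02 2002] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Sun Sep 22 12:47:10 2002] [error] mod_ssl: SSL handshake failed (server YOURSERVER:443, client 10.0.0.5) (OpenSSL library error follows)
[Sun Sep 22 12:47:10 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
"""

HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[^)]+)\)"
)
OPENSSL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]+):(?P<detail>.*)$"
)
# The OpenSSL detail string quoted on the page for the SSLv2 master-key overrun probe.
OVERRUN_SIGNATURE = "GET_CLIENT_MASTER_KEY:key arg too long"


def scan_error_log(lines):
    """Pair each 'SSL handshake failed' line with the OpenSSL error line that
    follows it (mod_ssl logs them back to back with the same timestamp) and
    return (failures, overrun_hits): per-client counts of all handshake
    failures and of those whose detail contains OVERRUN_SIGNATURE."""
    failures = Counter()
    overrun_hits = Counter()
    pending = None  # handshake-failed match still waiting for its detail line
    for line in lines:
        line = line.rstrip("\n")
        m = HANDSHAKE_RE.match(line)
        if m:
            pending = m
            failures[m["client"]] += 1
            continue
        m = OPENSSL_RE.match(line)
        if m and pending is not None and m["ts"] == pending["ts"]:
            if OVERRUN_SIGNATURE in m["detail"]:
                overrun_hits[pending["client"]] += 1
            pending = None
    return failures, overrun_hits


def report(failures, overrun_hits):
    """One line per client: overrun probes first, most active first."""
    lines = []
    for client, hits in overrun_hits.most_common():
        lines.append(f"{client}: {hits} master-key overrun attempt(s) "
                     f"out of {failures[client]} failed handshake(s)")
    for client, total in failures.most_common():
        if client not in overrun_hits:
            lines.append(f"{client}: {total} failed handshake(s), no overrun signature")
    return lines


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print("\n".join(report(*scan_error_log(source))))
```

Point it at the real error_log to get the same per-client summary; a client that shows up with the overrun signature is worth matching against the outbound-connection monitoring other posters describe.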
Backwards (Score:3, Informative)
Perhaps I misread this idea tho?
Re:Slapper: The threat that wasn't? (Score:2, Informative)
Re:Source Code? (Score:3, Informative)
Not good enough, I don't think.
I'm seeing remote ports 2140:2144 being used to attempt to connect to port 443.
So, I'm denying port 443 incoming and monitoring all outgoing unaccounted for udp. (Yes, we were infected.)
Watch for trojans! Use your own binaries! (Score:3, Informative)
It does very little good to check for a rootkit when all the good GNU stuff in /bin has been trojaned...
-B
libsafe ! (Score:5, Informative)
It transparently replaces the libc functions that are the usual targets of stack smashing attacks, and checks whether the stack frame has been overrun. If the stack has been smashed, the process gets terminated forcefully, and root (or other designated contact) gets an e-mail with all the details.
This has been out for several years now, and I am amazed that no major distribution includes this in a standard server install.
-Steve
It's NOT a Linux Worm (Score:2, Informative)
While the current generation of Slapper targets only OpenSSL on Linux, it will try its attack on any system. And, with a little code tweaking, the next generation of Slapper could hammer on any OS that uses older versions of OpenSSL such as AIX, Solaris, Windows. In short, pretty much any OS that uses OpenSSL is potentially a victim.
Could you have it? If you're a Unix/Linux admin, use chkrootkit version 0.37 and up to find out. It's available at:
http://www.chkrootkit.org/
In any case, anyone who uses OpenSSL should update with OpenSSL 0.9.6g or higher ASAP. And, while you're at it, be certain to relink everything since OpenSSL isn't used just by Apache. ISC, for example, used it in their BIND 9.1. Slapper wouldn't hit BIND, but would you care to bet that someone couldn't modify the code to launch a BIND attack--and aren't we all really, really sick of BIND getting bungled?
For more on Slapper, and a listing of patches for many operating systems see:
Slapper: The FUD and the Danger
http://www.practical-tech.com/network/n09
Finally, most of these patches, which would have stopped Slapper dead, were available in late July/early August. Consider it more proof that security is a full-time system administrator job.
Steven