New Linux Worm Found in the Wild

randomErr writes "The worms, Slapper.B and Slapper.C, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process has infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company. "

use chkrootkit to see if you've gotten it

[motorsabbath]

http://www.chkrootkit.org/

version 0.37 has been updated to find the slapper - JB

Re:A few hopes...

[larien]

The patches have been out for over a month, I'm pretty sure of that. I downloaded the patches as soon as Debian had the new ones online.

So, in short, it's an old bug, it's been patched, and the only ones getting hit are people who haven't patched their openssl libraries.

Same mantra applies to Linux and MS sysadmins:

[bittmann]

1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have "helpfully" been activated in the base install); and

2) Keep up to date on your patch levels.

You don't have to be bleeding-edge on patches, but when a security vulnerability with malicious code in the wild has been detected, it's time to *DO* something about it!

Really, I wonder how many of these infected websites were actually USING SSL, as opposed to having that port hot but unused...

CERT Advisory

[Anonymous Coward]

http://www.cert.org/advisories/CA-2002-27.html [cert.org]

How to test yourself

[pbur]

If you were like me and wondered if after the OpenSSL upgrade that you actually patched everything right, you can compile and run this program to find out:

http://cert.uni-stuttgart.de/advisories/openssl- ss lv2-master/openssl-sslv2-master.c

It will connect to your HTTPS server and check it. Unfortunatly, it won't connect to SSH. It helped me make sure I was patched up at least for apache.

And I have never quite understood why the advisory says to recompile your apps as well. If they are using the Shared Library, where the problem actually exists, then they get the upgrade by default. Now, if you had some static compiles, then sure.

Pbur

Re:Same mantra applies to Linux and MS sysadmins:

[petard]

I would add the following:

3) Don't install a development environment (e.g. gcc, which is required for this worm to propogate) on a publically exposed web server!

Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).

If you must use a compiler on your web server, FFS run the publically accessible service in a chroot jail [tldp.org]!

Old news

[MiniChaz]

Lets just hope Taco isn't doing too much sys admin work these days because this is really old news. Slapper was spotted over a week ago and the news appeared on LWN at the URL below.

http://www.lwn.net/Articles/10026/

Thanks.

Re:mirror

[gimpboy]

here is the list of mirrors from the main page:

• Australian Mirror [wiretapped.net] (Thanks to Grant Bayley)
  
• German Mirror [uni-stuttgart.de] (Thanks to Tom Fischer)
  
• Polish Mirror [icm.edu.pl] (Thanks to Rafal Maszkowski)
  
• US Mirror [reznor.com] (Thanks to Aj Effin ReznoR)
  
• US Mirror [semalug.org] (Thanks to Tim Lyons)
  
• US Mirror [chkrootkit.org] (Thanks to Gareth Bromley)
  
• UK Mirror [chkrootkit.org] (Thanks to Gareth Bromley)
  

here is my mirror of the source:
http://sage.che.pitt.edu/~harrold/tmp/chr ootkit.ta r.gz

Re:what does it look like?

[EkiM in De]

Well I'm not entirely sure but I found that in my error_log a couple of bad hits from other Apache Servers. I found the Apache Test page on these servers which I suspect is a bit of a giveaway that perhaps these are not active servers.
Anyway I could be completely wrong, but since these hits were from Web servers I kind of suspect that these servers have not been patched.... God I hope that the log entries below don't indicate that I've been hit and damaged
Anyway the hits looked like this:

[Mon Sep 23 08:16:53 2002] [error] [client xx.xx.xx.xx] client sent HTTP/1.1 req
uest without hostname (see RFC2616 section 14.23): /
[Mon Sep 23 08:16:53 2002] [error] [client xx.xx.xx.xx] client sent HTTP/1.1 req
uest without hostname (see RFC2616 section 14.23): /
[Mon Sep 23 08:16:53 2002] [error] [client xx.xx.xx.xx] client sent HTTP/1.1 req
uest without hostname (see RFC2616 section 14.23): /
[Mon Sep 23 08:17:04 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client xx.xx.xx.xx) (OpenSSL library error follows)
[Mon Sep 23 08:17:04 2002] [error] OpenSSL: error:1406B458:lib(20):func(107):rea
son(1112)
[ Mon Sep 23 08:17:18 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client xx.xx.xx.xx) (OpenSSL library error follows)
[Mon Sep 23 08:17:18 2002] [error] OpenSSL: error:1406B458:lib(20):func(107):rea
son(1112)
[ Mon Sep 23 08:17:18 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client xx.xx.xx.xx) (OpenSSL library error follows)
[Mon Sep 23 08:17:18 2002] [error] OpenSSL: error:1406B458:lib(20):func(107):rea
son(1112)

Re:comparison

[larien]

It doesn't prove that much as there may be fewer Apache-SSL sites on linux than there are IIS sites. Code Red hit all IIS boxes, Slapper only hits Apache on linux, and even then, it requires the presence of gcc and some other conditions to be met before it works.

That said, I would like to see a more in-depth analysis of the proportions of machines which have been hit and are infected. Also, we should bear in mind that the impact is much less on linux as Apache normally runs as a non-root user while IIS almost always runs as a system/admin user.

Re:what does it look like?

[ceejayoz]

Posted earlier in the thread:

to detect the worm, simply do a ls -al in /tmp
you will find .bugtraq.c file etc etc

Re:How to test yourself

[jooniqzb1tch]

be sure to check your sendmail as well if you're using TLS,possibly stunnel and any other ssl enabled server you run .. (well it does not check ssh). I had patched apache immediately but this tool made me realise I had forgotten about sendmail :)

Re:The Worm

[ajs]

Also, come the 2.6 kernel, and pluggable security modules, installing stack protectors and tiered security models will be more commonplace and a lot of the stupid holes that have allowed these attacks will simply go away.

One thing that would fix a whole lot of problems is for a security model to be installed that allowed root to delegate low-port and raw-protocol access to non-root accounts.

Granted these particular worms would not have cared, but there have been many remote root exploits that happened only because a daemon needed to be root to create a low port or perform raw protocol manipulation.

Time to chroot apache

[Icy]

I don't know why more people don't chroot apache or patch [home.iae.nl] to use chroot(2). It can be a pain at times, but it can't be worse then having to reformat and reinstall the entire os because your are not sure what was tampered with. I know chroot is not perfect and you can break out of it, but as long as you are carefull about what goes in it, you are relatively safe. It would at least keep rootkits away from gcc, which seems to be required for most of these rootkits.

Re:use chkrootkit to see if you've gotten it

[RudeDude]

FYI
The most common MD5 sig for the 0.37 tarball seems to be: b0feebea67655daa440da92099dd5187

But for some reason I also see a different MD5 for what is supposed to also be 0.37:
edf50a9c8c6bf09b0a9147f2e6168826
BUT that is actually the signature from 0.35

So the bottom line is, try not to panic. Some mirrors are just a little out of sync. I am still a little nervous running this thing as root since I haven't seen anyone report that it's not a trojan itself. I guess some code review is in order. :)

Re:We're not really catching up

[rindeee]

10% of what market you genius? The sector that matters here is machines with direct connection to the Internet. In that sector, Linux outnumbers Windows boxes by a strong (about 3.5 to 1 according to latest Netcraft stats giving Linux/Apache around 60% market share). Me thinks an "Introduction to Elementary Statistics" is in order my friend.

Slappers.

[burbledrone]

A linguistic note for Americans and other aliens....

"Slapper" is an EnglishEnglish term for a woman with an easily exploited hole....

Re:Reasons

[Tom]

No, you are actually wrong on that. If you compare the number of IIS servers (they're all windos) and the number of Apache/Linux servers, then Apache/Linux is up front.
Even if you double the number to account for people running IIS on their home-desktop, you get nowhere near the "infected-to-unaffected" ratio.

Remember that all the "95% market share" babble is about desktop systems, while both Slapper and CodeRed are targetting server systems, where windos is one among many, and by far not the leader.

Re:comparison

[Tom]

Yes, I actually do believe that we are somewhere near the peak. Maybe not quite yet, maybe we've already passed it.

Why? Because of worm propagation history. Slapper is old news by now.

Compare this graph:
http://www.caida.org/analysis/security/code-red/co deredv2_analysis.xml#infectionrate [caida.org]

It shows that CodeReds growth was exponential at the critical time, which measured only a few hours. Days have passed since Slapper hit the 10k mark, and we haven't seen any considerably higher estimates.

Re:what does it look like?

[KMitchell]

You'll get some additional stuff in your access log and potentially error log but the telltale sign that (on a patched system) someone is pinging you for the exploit is something like this in your ssl_error_log:

[Sun Sep 22 12:45:51 2002] [error] mod_ssl: SSL handshake failed (server YOURSERVER:443, client aaa.bbb.ccc.ddd) (OpenSSL library error follows)
[Sun Sep 22 12:45:51 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long

Backwards

[mgkimsal2]

I think the idea is that the slapper worm will try to grab something from server X (which it believes to be infected) and it tries to run that. If I replaced what it was expecting with something else, that can't be my fault - an external entity was grabbing code off my servers and executing it, not me.

Perhaps I misread this idea tho?

Re:Slapper: The threat that wasn't?

[Dionysus]

Not all Apache servers run on Linux. Not all Linux systems run Apache. Not all Linux/w Apache has mod_ssl.

Re:Source Code?

[whovian]

one might write a wee proggie to sit on UDP port 2002,

Not good enough, I don't think.

I'm seeing remote ports 2140:2144 being used to attempt to connect to port 443.
So, I'm denying port 443 incoming and monitoring all outgoing unaccounted for udp. (Yes, we were infected.)

Watch for trojans! Use your own binaries!

[Wee]

Since chkrootkit normally uses lots of stuff that usually lives in /bin (strings, ps, ls, find, etc), make extra sure that you use the '-p <directory>' flag when you run it. That tells chkrootkit to look for the binaries it needs in directory instead of wherever they are found in your path. Before you can do this, however, you need to (from a fresh, known-to-be-clean install) either copy all the needed binaries to a CD-R or to a partition re-mounted as read-only. A real paranoid would re-compile static versions of those utils and then use those. YMMV.

It does very little good to check for a rootkit when all the good GNU stuff in /bin has been trojaned...

-B

libsafe !

[mccrew]

Every time I hear about anohter buffer overflow, I scratch my head and ask, "Why doesn't anybody use libsafe [avayalabs.com]? This is a library which, once installed, protects all processes, regardless whether they have been patched or not.

It transparently replaces the libc functions that are the usual targets of stack smashing attacks, and checks whether the stack frame has been overrun. If the stack has been smashed, the process gets terminated forcefully, and root (or other designated contact) gets an e-mail with all the details.

This has been out for several years now, and I am amazed that no major distribution includes this in a standard server install.

-Steve

It's NOT a Linux Worm

[sjvn]

And, it's not an Apache worm either. It's an OpenSSL worm that exploits security holes in OpenSSL 0.9.6f and earlier.

While the current generation of Slapper targets only OpenSSL on Linux, it will try its attack on any system. And, with a little code tweaking, the next generation of Slapper could hammer on any OS that uses older versions of OpenSSL such as AIX, Solaris, Windows. In short, pretty much any OS that uses OpenSSL is potentially a victim.

Could you have it? If you're a Unix/Linux admin, use chkroot version 0.37 and up to find out. It's available at:

http://www.chkrootkit.org/

In any case, anyone who uses OpenSSL should update with OpenSSL 0.9.6g or higher ASAP. And, while you're at, be certain to relink everything since OpenSSL isn't used just by Apache. ISC, for example, used it in their BIND 9.1. Slapper wouldn't hit BIND, but would you care to bet that someone couldn't modify the code to launch a BIND attack--and aren't we all really, really sick of BIND getting bungled?

For more on Slapper, and a listing of patches for many operating systems see:

Slapper: The FUD and the Danger
http://www.practical-tech.com/network/n091 82002.ht m

Finally, most of these patches, which would have stopped Slapper dead, were available in late July/early August. Consider it more proof that security is a full time system administrator job.

Steven