Security Incidents mailing list archives
Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)
From: Tom Sands <tsands () rackspace com>
Date: Mon, 23 Sep 2002 10:22:32 -0500
Quick Cleanup of new variant:

Quick details... The new worm is using httpd as its process name... The way to tell this apart would be with ps auwx. Look at the difference...

[server@server1 tmp]$ ps auwx | grep httpd
root       893  0.0  2.9  49144  7428 ?  S  Sep20   0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache    5229 35.8 23.9 777676 60984 ?  S  Sep21 876:30 httpd
apache   19017  0.0  2.9  49312  7636 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19018  0.0  3.0  49308  7872 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19019  0.0  2.9  49244  7624 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19020  0.0  2.9  49280  7616 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19021  0.0  3.0  49272  7724 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19022  0.0  2.9  49248  7548 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19023  0.0  3.0  49252  7752 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19024  0.0  2.9  49216  7472 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19325  0.0  3.4 728204  8736 ?  S  04:24   0:00 httpd
Can you guess which ones don't belong there? If you guessed PID 5229 and 19325 you are correct.

Please be on the lookout for a process named "update" running as the apache user. This is a backdoor program.

[server@server1 tmp]$ ps auwx | grep update | grep apache
apache    5231  0.0  0.1   1352   280 ?  S  Sep21   0:00 update
apache    5441  0.0  0.1   1348   276 ?  S  Sep21   0:00 update
apache    5595  0.0  0.1   1348   280 ?  S  Sep21   0:00 update
Quick cleanup instructions (as root):

1. Locate and kill the worm process.
   netstat -anp | grep 4156 | grep -i UDP
   pstree -p PID#
   kill -9 PID#

2. Locate and kill the backdoor process.
   ps -aux | grep update | grep apache
   pstree -p PID#
   kill -9 PID#

3. Disable .unlock
   cd /tmp
   chown root.root .unlock
   chmod 000 .unlock

--
Tom Sands
Chief Network Engineer
Rackspace Managed Hosting
(210)892-4000

H. Morrow Long wrote:
Several (see http://diswww.mit.edu/charon/nanog/52239) have noticed Slapper using UDP port 4156 today (and apparently yesterday as well, as I can see from netflow logs).

I've also noticed a Slapper variant apparently using UDP port 1978 today as well (one of our hosts on which Slapper is no longer active is continuing to receive UDP packets to and from port 1978 from many Internet sites).

H. Morrow Long
University Information Security Officer
Director, Information Security Office
Yale University, ITS

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
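Tom's three cleanup steps, turned into a triage script. This is an added example written for this archive page; it is not code from Tom's post or from Rackspace. It assumes the "ps auwx" and "netstat -anp" column layouts shown in the thread, that the worm appears as an apache-owned process whose COMMAND is a bare "httpd" (while the legitimate children are "/usr/sbin/httpd" with -D flags), that the backdoor is the apache-owned "update", and the UDP ports 2002, 1978 and 4156 named in this thread. The sample ps and netstat output embedded in the script is constructed from the listings above so the functions can be run offline; "--live" points them at the real commands. Killing is deliberately left to the operator, who should confirm each PID with pstree -p first, as the post says.

```shell
#!/bin/sh
# Slapper triage helper written for this thread (added example, not Tom's code).
# Assumed layouts: ps auwx     -> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
#                  netstat -anp -> Proto Recv-Q Send-Q Local Foreign [State] PID/Program
# Assumed indicators (from the thread): worm = apache-owned bare "httpd" (no path,
# no -D flags) with a huge VSZ; backdoor = apache-owned "update"; UDP 2002/1978/4156.

SLAPPER_PORTS="2002 1978 4156"

# Print "PID VSZ" for apache processes whose COMMAND is literally "httpd",
# as opposed to the legitimate /usr/sbin/httpd -DHAVE_ACCESS -DHN children.
rogue_httpd() {
    awk '$1 == "apache" && $11 == "httpd" { print $2, $5 }'
}

# Print PIDs of the "update" backdoor running as apache.
backdoor_update() {
    awk '$1 == "apache" && $11 == "update" { print $2 }'
}

# Print "PORT PID/PROGRAM" for UDP sockets bound to one of the known worm ports.
# The port is the last ":"-separated part of the local address, so both
# 0.0.0.0:4156 and :::4156 are handled.
slapper_udp_sockets() {
    awk -v ports="$SLAPPER_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^udp/ {
            m = split($4, a, ":")
            if (a[m] in want) print a[m], $NF
        }'
}

# Step 3 of the cleanup: root-own (when we are root) and chmod 000 the
# .unlock drop file. Argument is the directory to look in, default /tmp.
# Prints the resulting mode string so the caller can confirm it.
disable_unlock() {
    f="${1:-/tmp}/.unlock"
    [ -e "$f" ] || { echo "no $f" >&2; return 1; }
    if [ "$(id -u)" = 0 ]; then chown root:root "$f"; fi
    chmod 000 "$f"
    ls -ld "$f" | cut -c1-10
}

# Run the checks against the real system. Killing is left to the operator:
# confirm each PID with pstree -p before kill -9, exactly as in the post.
live_triage() {
    echo "== apache-owned bare httpd (PID VSZ) =="; ps auwx | rogue_httpd
    echo "== update backdoor PIDs ==";            ps auwx | backdoor_update
    echo "== UDP sockets on $SLAPPER_PORTS ==";   netstat -anp 2>/dev/null | slapper_udp_sockets
    disable_unlock /tmp || true
}

# Constructed sample output modelled on the listings in the post (not captured live).
SAMPLE_PS='root       893  0.0  2.9  49144  7428 ?  S  Sep20   0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache    5229 35.8 23.9 777676 60984 ?  S  Sep21 876:30 httpd
apache    5231  0.0  0.1   1352   280 ?  S  Sep21   0:00 update
apache   19017  0.0  2.9  49312  7636 ?  S  04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19325  0.0  3.4 728204  8736 ?  S  04:24   0:00 httpd'
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:4156            0.0.0.0:*                           5229/httpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           612/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      893/httpd'

if [ "${1:-}" = "--live" ]; then
    live_triage
else
    echo "rogue httpd (PID VSZ):"; printf '%s\n' "$SAMPLE_PS" | rogue_httpd
    echo "update backdoor PIDs:";  printf '%s\n' "$SAMPLE_PS" | backdoor_update
    echo "worm UDP sockets:";      printf '%s\n' "$SAMPLE_NETSTAT" | slapper_udp_sockets
fi
```

Against the constructed sample the script reports PIDs 5229 and 19325 as the worm (both with a VSZ in the 700 MB range, matching the listing), 5231 as the backdoor, and the UDP 4156 socket owned by 5229. Run it as "sh slapper_triage.sh --live" as root on a suspect host; the PIDs it prints are the ones to check with pstree -p and then kill -9.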
Current thread:
- New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well) H. Morrow Long (Sep 22)
- Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well) Tom Sands (Sep 24)