Security Incidents mailing list archives

Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)


From: Tom Sands <tsands () rackspace com>
Date: Mon, 23 Sep 2002 10:22:32 -0500

Quick Cleanup of new variant:

Quick details... The new worm is using httpd as its process name... The
way to tell this apart would be with ps auwx.

Look at the difference...

[server@server1 tmp]$ ps auwx | grep httpd
root       893  0.0  2.9 49144 7428 ?        S    Sep20   0:02
/usr/sbin/httpd -DHAVE_ACCESS -DHN
apache    5229 35.8 23.9 777676 60984 ?      S    Sep21 876:30 httpd
apache   19017  0.0  2.9 49312 7636 ?        S    04:02   0:00
/usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19018  0.0  3.0 49308 7872 ?        S    04:02   0:00
/usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19019  0.0  2.9 49244 7624 ?        S    04:02   0:00
/usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19020  0.0  2.9 49280 7616 ?        S    04:02   0:00
/usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19021  0.0  3.0 49272 7724 ?        S    04:02   0:00
/usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19022  0.0  2.9 49248 7548 ?        S    04:02   0:00
/usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19023  0.0  3.0 49252 7752 ?        S    04:02   0:00
/usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19024  0.0  2.9 49216 7472 ?        S    04:02   0:00
/usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19325  0.0  3.4 728204 8736 ?       S    04:24   0:00 httpd
Can you guess which ones don't belong there?

If you guessed PID 5229 and 19325 you are correct.

Please be on the lookout for a process named "update" running as the
apache user.  This is a backdoor program.

[server@server1 tmp]$ ps auwx | grep update | grep apache
apache    5231  0.0  0.1  1352  280 ?        S    Sep21   0:00 update
apache    5441  0.0  0.1  1348  276 ?        S    Sep21   0:00 update
apache    5595  0.0  0.1  1348  280 ?        S    Sep21   0:00 update


Quick clean up instructions (as root):

1. Locate and kill the worm process.

netstat -anp | grep 4156 | grep -i UDP
pstree -p  PID#
kill -9 PID#

2. Locate and kill the backdoor process.

ps -aux | grep update | grep apache
pstree -p  PID#
kill -9 PID#

3. Disable .unlock

cd /tmp
chown root.root .unlock
chmod 000 .unlock



--
Tom Sands
Chief Network Engineer
Rackspace Managed Hosting
(210)892-4000
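The two process indicators Tom describes (a bare "httpd" command name instead of /usr/sbin/httpd -DHAVE_ACCESS -DHN, and an "update" process owned by apache) and the UDP-port check from step 1 can be turned into a small triage script. This is an added example, not code from the post or from Rackspace; the ps and netstat samples are constructed to match the listing above, and the port list (2002, 1978, 4156) comes from this thread.

```shell
#!/bin/sh
# Constructed sample of "ps auwx" output modelled on the listing in the post
# (not a real capture). In real use: PS_OUTPUT="$(ps auwx)".
PS_OUTPUT='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       893  0.0  2.9  49144  7428 ?        S    Sep20   0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache    5229 35.8 23.9 777676 60984 ?        S    Sep21 876:30 httpd
apache   19017  0.0  2.9  49312  7636 ?        S    04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19325  0.0  3.4 728204  8736 ?        S    04:24   0:00 httpd
apache    5231  0.0  0.1   1352   280 ?        S    Sep21   0:00 update
root      1200  0.0  0.1   1352   280 ?        S    Sep21   0:00 update'

# Constructed "netstat -anp" rows (UDP only); in real use: NETSTAT_OUTPUT="$(netstat -anp)".
NETSTAT_OUTPUT='udp        0      0 0.0.0.0:4156            0.0.0.0:*                           5229/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           601/ntpd'

# Print "PID reason" for each ps line matching one of the two indicators in the post:
#  - COMMAND is the bare word "httpd" (no path, no -D flags): the worm's chosen
#    process name, unlike a real child, /usr/sbin/httpd -DHAVE_ACCESS -DHN;
#  - a process named "update" owned by the apache user: the backdoor.
# $1 = ps output (a header line, if present, is skipped).
suspect_procs() {
    printf '%s\n' "$1" | awk '
        $2 == "PID" { next }
        NF == 11 && $11 == "httpd"        { print $2, "bare-httpd-name"; next }
        $1 == "apache" && $11 == "update" { print $2, "update-as-apache" }
    '
}

# Print "PID port" for UDP sockets bound to a port the thread associates with
# Slapper (2002, 1978, 4156). $1 = netstat -anp output; the PID column reads "-"
# when netstat cannot see the owner, which is why step 1 is run as root.
slapper_udp_sockets() {
    printf '%s\n' "$1" | awk '
        $1 == "udp" {
            n = split($4, a, ":"); port = a[n]
            if (port == "2002" || port == "1978" || port == "4156") {
                split($NF, p, "/"); print p[1], port
            }
        }
    '
}

# Stand-alone run against the constructed samples.
suspect_procs "$PS_OUTPUT"
slapper_udp_sockets "$NETSTAT_OUTPUT"
```

The PIDs it prints are the ones to feed to pstree -p before killing, as in steps 1 and 2; a renamed worm binary would need a different indicator, so treat the bare-name check as a quick screen, not proof of a clean host.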




H. Morrow Long wrote:

Several (see http://diswww.mit.edu/charon/nanog/52239) have noticed
Slapper using UDP port 4156 today (and apparently yesterday as well
as I can see from netflow logs).

I've also noticed a Slapper variant apparently using UDP port 1978
today as well (one of our hosts on which Slapper is no longer active
is continuing to receive UDP packets to and from port 1978 from many
Internet sites).

H. Morrow Long
University Information Security Officer
Director, Information Security Office
Yale University, ITS



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com




