ssl slapper for linux

Just wanted to let everyone know, if they haven't heard already, there is a worm that is infecting Linux Servers running Apache with OpenSSL enabled.

http://www.f-secure.com/slapper/

Here is a brief educational rundown of what to do to get rid of it.

To detect the presence of the "Slapper" Worm/Trojan, look first in /tmp for files that have the string "bugtraq" as part of the name. You may find any of the following:

/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq

Delete them. It would also be wise to log in as root and do:

find / -name \*bugtraq\* -print

to see if any other files are hidden down your directory chain. Determine if you know what they are or not and move/remove them as you see fit.

Lastly, do a:

ps -ax | grep bugtraq

to look for any processes currently running. If you find them, kill them immediately. A reboot wouldn't hurt, if you can spare the time.

If you do not need SSL for your web server, turn it off. On one of our systems, we are running Redhat 7.3 and just edited the section in /etc/httpd/conf/httpd.conf which reads:

---BEGIN PASTE---
<VirtualHost _default_:443>

# General setup for the virtual host
#DocumentRoot "/etc/httpd/htdocs"
#ServerName new.host.name
#ServerAdmin you@your.address
ErrorLog logs/error_log
TransferLog logs/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
---END PASTE---

...and set SSLEngine off

Before we did that, we saw that slapper-thingie appear another time or two. Now, it's clean and not getting dumped on (so to speak).
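
The checks from the post above, gathered into one script as an added example (not part of the original post). The function names and the `--run` switch are this example's own; the default paths are the ones the post gives.

```shell
#!/bin/sh
# Added example: sweep for the Slapper indicators described in the post.
# Function names and the --run switch are assumptions of this example.

# Print every file under DIR (default /tmp) whose name contains "bugtraq".
slapper_files() {
    find "${1:-/tmp}" -name '*bugtraq*' -print 2>/dev/null
}

# Print running processes that mention "bugtraq"; the [b] keeps grep
# from matching its own command line.
slapper_procs() {
    ps -ax 2>/dev/null | grep '[b]ugtraq'
}

# Succeed if CONF is readable and has an uncommented "SSLEngine on" line.
ssl_engine_on() {
    [ -r "$1" ] || return 1
    awk 'tolower($1) == "sslengine" && tolower($2) == "on" { hit = 1 }
         END { exit !hit }' "$1"
}

# Run all three checks; return 1 if a file or process indicator is found.
slapper_report() {
    dir=${1:-/tmp}
    conf=${2:-/etc/httpd/conf/httpd.conf}
    status=0
    files=$(slapper_files "$dir") || true
    if [ -n "$files" ]; then
        echo "Suspicious files under $dir:"; echo "$files"; status=1
    fi
    procs=$(slapper_procs) || true
    if [ -n "$procs" ]; then
        echo "Suspicious processes:"; echo "$procs"; status=1
    fi
    if ssl_engine_on "$conf"; then
        echo "SSLEngine is on in $conf; turn it off if SSL is not needed."
    fi
    return $status
}

# Usage: sh slapper_check.sh --run [DIR] [HTTPD_CONF]
if [ "${1:-}" = "--run" ]; then
    shift
    slapper_report "$@"
fi
```

Run it as root so `find` and `ps` can see everything, and pass `/` as DIR to repeat the full-filesystem search from the post.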

 

 

 

 
