Linux Worm Creating "Attack Network"
RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."
Yes.
Read the CERT Advisory CA-2002-27.
It's available here
Is there a quick, easy way to find out if OpenSSL is even installed on my system?
Do "telnet your.www.host 80" then type "HEAD / HTTP/1.0" and hit enter. Take a look at the "Server:" line, it'll tell you if OpenSSL is installed and enabled. If it is, and the version is less than 0.9.6e, you should upgrade.
Meep meep
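The Server-header check above, written out as a script. This is an added example, not code from the thread, C|Net or the CERT advisory; it parses a constructed HTTP response (not captured from a real host), pulls out the OpenSSL token and compares it with 0.9.6e, the fixed release named above. The `probe_host` function assumes a netcat binary (`nc`) is present and is not run here.

```sh
#!/bin/sh
# Constructed sample response, shaped like a 2002-era mod_ssl build would answer.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Sat, 14 Sep 2002 10:00:00 GMT
Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6b
Content-Type: text/html'

# Print the OpenSSL version token (e.g. 0.9.6b) from a raw HTTP response,
# or nothing if the Server header does not advertise OpenSSL.
openssl_version_from_response() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's|^Server:.*OpenSSL/\([0-9][0-9.]*[a-z]*\).*$|\1|p' | head -n 1
}

# Compare two OpenSSL versions of the form a.b.c[letter]; print -1, 0 or 1.
# Numeric fields are compared first; a patch letter sorts after no letter,
# so 0.9.6 < 0.9.6a < 0.9.6e < 0.9.7.
openssl_version_cmp() {
    na=$(printf '%s\n' "$1" | sed 's/[a-z]*$//'); la=$(printf '%s\n' "$1" | sed 's/^[0-9.]*//')
    nb=$(printf '%s\n' "$2" | sed 's/[a-z]*$//'); lb=$(printf '%s\n' "$2" | sed 's/^[0-9.]*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$na" | cut -d. -f"$i"); y=$(printf '%s\n' "$nb" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    if [ "$la" = "$lb" ]; then echo 0; return; fi
    if [ -z "$la" ]; then echo -1; return; fi
    if [ -z "$lb" ]; then echo 1; return; fi
    # both have a letter: plain sort order decides
    if [ "$(printf '%s\n%s\n' "$la" "$lb" | sort | head -n 1)" = "$la" ]; then echo -1; else echo 1; fi
}

# Verdict for one response: "vulnerable <ver>", "patched <ver>" or "no-openssl".
openssl_status() {
    v=$(openssl_version_from_response "$1")
    if [ -z "$v" ]; then echo no-openssl; return; fi
    if [ "$(openssl_version_cmp "$v" 0.9.6e)" = -1 ]; then
        echo "vulnerable $v"
    else
        echo "patched $v"
    fi
}

# Live probe against a host you own (assumes nc is installed; not run here).
# The second \r\n is the blank line that ends the request header block.
probe_host() {
    printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 5 "$1" 80
}

openssl_status "$SAMPLE_RESPONSE"
# A live run would be: openssl_status "$(probe_host your.www.host)"
```

Two caveats apply to this check. A server configured with `ServerTokens Prod` (or similar) does not advertise mod_ssl or OpenSSL at all, so an empty result does not prove OpenSSL is absent. And a vendor package that backports the fix keeps its old version string, so a reported 0.9.6b on a patched Red Hat system is not by itself proof of exposure; the package changelog is the better source there.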
The worm exploits OpenSSL via http port 80. The exploit writes C source files to /tmp, I believe the program is named bugtraq.c. Then, the exploit compiles the program into a hidden binary /tmp/.bugtraq which is executed.
/tmp (if located on a separate partition) should be mounted noexec.
Once the program is running, it accepts commands on UDP port 2002.
Simple solution so your bandwidth won't be exploited for a DDoS: block UDP port 2002.
The worm can be used for multiple purposes, including execution of arbitrary commands on your machine, various flood attacks, etc.
You need to patch your machine, before a more dangerous worm comes along. If you can't patch right away, at least block UDP port 2002.
Additionally, your
Skiers and Riders -- http://www.snowjournal.com
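The three things the comment above says to look at (whether /tmp is mounted noexec, whether anything is bound to UDP port 2002, and whether the worm's files are sitting in /tmp), checked from text in the shape of /proc/mounts, `netstat -anu` and `ls -a /tmp` output. This is an added example, not code from the thread or from CERT; the three samples are constructed, not taken from an infected host, and the iptables rule at the end is the block suggested in the comment.

```sh
#!/bin/sh
# Constructed samples: a /tmp partition without noexec, a UDP socket on 2002,
# and a /tmp listing that contains both of the worm's file names.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda3 /tmp ext3 rw,nosuid,nodev 0 0'
SAMPLE_UDP='udp        0      0 0.0.0.0:2002            0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*'
SAMPLE_TMP='.
..
.bugtraq
bugtraq.c
sess_4f2a'

# yes if /tmp is its own mount with noexec, no if it is a separate mount
# without it, absent if /tmp is not a separate mount at all (noexec can
# then only be applied to whichever filesystem holds it).
tmp_noexec() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4; exit }')
    if [ -z "$opts" ]; then echo absent; return; fi
    case ",$opts," in
        *,noexec,*) echo yes ;;
        *) echo no ;;
    esac
}

# yes if any udp line in netstat -anu style output has a local address
# ending in :2002, the port the comment says the binary takes commands on.
udp_2002_bound() {
    printf '%s\n' "$1" |
        awk '$1 == "udp" && $4 ~ /:2002$/ { f = 1 } END { print (f ? "yes" : "no") }'
}

# Count of the worm's file names (bugtraq.c and .bugtraq) in an ls -a listing.
# -F -x means exact, literal whole-line matches; grep -c exits 1 on a zero
# count, hence the || true so the function itself does not fail.
worm_files() {
    printf '%s\n' "$1" | grep -c -x -F -e 'bugtraq.c' -e '.bugtraq' || true
}

# One report for a host, given the three pieces of text.
slapper_report() {
    echo "tmp noexec: $(tmp_noexec "$1")"
    echo "udp/2002 bound: $(udp_2002_bound "$2")"
    echo "worm files in /tmp: $(worm_files "$3")"
}

slapper_report "$SAMPLE_MOUNTS" "$SAMPLE_UDP" "$SAMPLE_TMP"
# On a live Linux host (not run here):
#   slapper_report "$(cat /proc/mounts)" "$(netstat -anu)" "$(ls -a /tmp)"
# and to stop the node taking commands, the block from the comment above:
#   iptables -A INPUT -p udp --dport 2002 -j DROP
```

Note that the UDP 2002 block only stops your machine from being steered once it is infected; it does nothing against the initial compromise, which arrives on the web server ports. The patch is the fix, the block is a stopgap.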
The CERT Advisory has information on what to look for in your logs.
"Linux is a serious competitor"
- Steve Ballmer, Chief Executive Microsoft Corp.
The openssl tarball already has a spec file in it. So just:
1) Download openssl-0.9.6g.tar.gz from a mirror.
2) rpm -tb openssl-0.9.6g.tar.gz
3) rpm -Uvh /usr/src/redhat/RPMS/i386/openssl*
Even easier.
> Yeah. Confusing it is. I don't see anything in
...
> the RedHat RPM indicating that it is different
> from stock 0.9.6b.
You could try looking at the changelog
rpm -q --changelog openssl
(or rpm -qi --changelog openssl if you prefer.)
-- Rick
Actually, it will work even better if you make the command a script that will notify the admin and then kill the server at a given time, e.g.
echo 'See http://whatever' | mail -s 'YOUR SYSTEM IS HACKED' root; echo killall -9 .bugtraq | at 00:00 GMT
Make even shorter URLs - 8LN.org