Slashdot Mirror


Linux Worm Creating "Attack Network"

RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."

5 of 465 comments

  1. Re:Is this talking about the SSL hole? by alvieboy · Score: 5, Informative

    Yes.

    Read the CERT Advisory CA-2002-27.

    It's available here

  2. Re:Not everyone is a Linux expert by semaj · Score: 5, Informative

    Is there a quick, easy way to find out if OpenSSL is even installed on my system?

    Do "telnet your.www.host 80" then type "HEAD / HTTP/1.0" and hit enter. Take a look at the "Server:" line, it'll tell you if OpenSSL is installed and enabled. If it is, and the version is less than 0.9.6e, you should upgrade.

    --
    Meep meep
  3. Further Info by cr@ckwhore · Score: 5, Informative

    The worm exploits OpenSSL via HTTP port 80. The exploit writes C source files to /tmp; I believe the program is named bugtraq.c. Then, the exploit compiles the program into a hidden binary /tmp/.bugtraq which is executed.

    Once the program is running, it accepts commands on UDP port 2002.

    Simple solution, so your bandwidth won't be exploited for a DDoS: block UDP port 2002.

    The worm can be used for multiple purposes, including execution of arbitrary commands on your machine, various flood attacks, etc.

    You need to patch your machine, before a more dangerous worm comes along. If you can't patch right away, at least block UDP port 2002.

    Additionally, your /tmp (if located on a separate partition) should be mounted noexec.

    --
    Skiers and Riders -- http://www.snowjournal.com
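
A host check for the indicators listed in the comment above (the two files in /tmp, a listener on UDP port 2002, and /tmp mounted noexec), added here as an example and not part of the original post. The function names are hypothetical, and it assumes a Linux host with /proc/net/udp and /proc/mounts.

```sh
#!/bin/sh
# Added example: triage for the indicators named in the comment above.
# Paths and port come from the comment; function names are hypothetical.

# Print any worm artifacts present in directory $1 (default /tmp).
worm_files() {
    dir=${1:-/tmp}
    for f in "$dir/bugtraq.c" "$dir/.bugtraq"; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Succeed if a socket is bound to UDP port 2002 (hex 07D2) in the
# /proc/net/udp style table $1. IPv4 table only; udp6 is not read.
udp_2002_bound() {
    tbl=${1:-/proc/net/udp}
    [ -r "$tbl" ] || return 1
    awk 'NR > 1 && toupper($2) ~ /:07D2$/ { hit = 1 } END { exit !hit }' "$tbl"
}

# Succeed if mount point $2 (default /tmp) has the noexec option in the
# /proc/mounts style table $1. Fails when it is not a separate mount.
tmp_is_noexec() {
    tbl=${1:-/proc/mounts}
    [ -r "$tbl" ] || return 1
    awk -v mp="${2:-/tmp}" '$2 == mp { seen = 1; opts = "," $4 "," }
        END { exit !(seen && opts ~ /,noexec,/) }' "$tbl"
}

check_host() {
    found=$(worm_files /tmp)
    [ -n "$found" ] && echo "ARTIFACT: $found"
    udp_2002_bound && echo "LISTENER: a socket is bound to UDP port 2002"
    tmp_is_noexec || echo "HARDENING: /tmp is not a separate noexec mount"
    return 0
}

check_host
```

A clean result only means these specific indicators are absent; it says nothing about whether the installed OpenSSL is patched.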
  4. Re:actual apache log lines by tubabeat · Score: 5, Informative

    The CERT Advisory has information on what to look for in your logs.

    --
    "Linux is a serious competitor"
    - Steve Ballmer, Chief Executive Microsoft Corp.
  5. Re:Is this talking about the SSL hole? by Chris Hiner · Score: 5, Informative

    The openssl tarball already has a spec file in it. So just:
    1) Download openssl-0.9.6g.tar.gz from a mirror.
    2) rpm -tb openssl-0.9.6g.tar.gz
    3) rpm -Uvh /usr/src/redhat/RPMS/i386/openssl*
    Even easier.