Slashdot Mirror


New Linux Worm Found in the Wild

randomErr writes "The worms, Slapper.B and Slapper.C, which exploit a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, have infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company."

11 of 366 comments

  1. use chkrootkit to see if you've gotten it by motorsabbath · · Score: 5, Informative

    http://www.chkrootkit.org/

    version 0.37 has been updated to find the slapper - JB

    --
    The heat from below can burn your eyes out
  2. Re:A few hopes... by larien · · Score: 5, Informative
    The patches have been out for over a month, I'm pretty sure of that. I downloaded the patches as soon as Debian had the new ones online.

    So, in short, it's an old bug, it's been patched, and the only ones getting hit are people who haven't patched their openssl libraries.

  3. Same mantra applies to Linux and MS sysadmins: by bittmann · · Score: 5, Informative

    1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have "helpfully" been activated in the base install); and

    2) Keep up to date on your patch levels.

    You don't have to be bleeding-edge on patches, but when a security vulnerability with malicious code in the wild has been detected, it's time to *DO* something about it!

    Really, I wonder how many of these infected websites were actually USING SSL, as opposed to having that port hot but unused...

    1. Re:Same mantra applies to Linux and MS sysadmins: by petard · · Score: 5, Informative

      I would add the following:

      3) Don't install a development environment (e.g. gcc, which is required for this worm to propagate) on a publicly exposed web server!

      Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).

      If you must use a compiler on your web server, FFS run the publicly accessible service in a chroot jail!

      --
      .sig: file not found
  4. CERT Advisory by Anonymous Coward · · Score: 5, Informative
  5. How to test yourself by pbur · · Score: 5, Informative

    If you were like me and wondered if after the OpenSSL upgrade that you actually patched everything right, you can compile and run this program to find out:

    http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master/openssl-sslv2-master.c

    It will connect to your HTTPS server and check it. Unfortunately, it won't connect to SSH. It helped me make sure I was patched up at least for apache.

    And I have never quite understood why the advisory says to recompile your apps as well. If they are using the Shared Library, where the problem actually exists, then they get the upgrade by default. Now, if you had some static compiles, then sure.

    Pbur

  6. Re:The Worm by ajs · · Score: 4, Informative

    Also, come the 2.6 kernel, and pluggable security modules, installing stack protectors and tiered security models will be more commonplace and a lot of the stupid holes that have allowed these attacks will simply go away.

    One thing that would fix a whole lot of problems is for a security model to be installed that allowed root to delegate low-port and raw-protocol access to non-root accounts.

    Granted these particular worms would not have cared, but there have been many remote root exploits that happened only because a daemon needed to be root to create a low port or perform raw protocol manipulation.

  7. Slappers. by burbledrone · · Score: 4, Informative

    A linguistic note for Americans and other aliens....

    "Slapper" is an EnglishEnglish term for a woman with an easily exploited hole....

  8. Re:comparison by Tom · · Score: 4, Informative

    Yes, I actually do believe that we are somewhere near the peak. Maybe not quite yet, maybe we've already passed it.

    Why? Because of worm propagation history. Slapper is old news by now.

    Compare this graph:
    http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml#infectionrate

    It shows that CodeRed's growth was exponential at the critical time, which measured only a few hours. Days have passed since Slapper hit the 10k mark, and we haven't seen any considerably higher estimates.

    --
    Assorted stuff I do sometimes: Lemuria.org
  9. Re:what does it look like? by KMitchell · · Score: 5, Informative

    You'll get some additional stuff in your access log and potentially error log but the telltale sign that (on a patched system) someone is pinging you for the exploit is something like this in your ssl_error_log:

    [Sun Sep 22 12:45:51 2002] [error] mod_ssl: SSL handshake failed (server YOURSERVER:443, client aaa.bbb.ccc.ddd) (OpenSSL library error follows)
    [Sun Sep 22 12:45:51 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
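
    An added example (not part of KMitchell's comment) that scans an ssl_error_log in the two-line mod_ssl format quoted above and reports which clients sent the oversized CLIENT-MASTER-KEY that a patched OpenSSL rejects; the log sample, addresses and times are constructed.

```python
import re
from collections import Counter

# Constructed sample ssl_error_log, modelled on the two lines quoted in the
# comment above. Addresses (RFC 5737 ranges) and timestamps are made up.
SAMPLE_LOG = """\
[Sun Sep 22 12:45:51 2002] [error] mod_ssl: SSL handshake failed (server YOURSERVER:443, client 192.0.2.10) (OpenSSL library error follows)
[Sun Sep 22 12:45:51 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sun Sep 22 12:47:03 2002] [error] mod_ssl: SSL handshake failed (server YOURSERVER:443, client 198.51.100.7) (OpenSSL library error follows)
[Sun Sep 22 12:47:03 2002] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
[Sun Sep 22 12:49:20 2002] [error] mod_ssl: SSL handshake failed (server YOURSERVER:443, client 192.0.2.10) (OpenSSL library error follows)
[Sun Sep 22 12:49:20 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
"""

# First line of the pair: mod_ssl reports the failed handshake and the peer.
HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[^)]+)\) "
    r"\(OpenSSL library error follows\)$"
)
# Second line of the pair: the OpenSSL detail. Only this reason string is the
# telltale of the SSLv2 master-key overrun being rejected by a patched library.
PROBE_MARKER = "GET_CLIENT_MASTER_KEY:key arg too long"


def find_sslv2_probes(log_text):
    """Return (timestamp, client) for each handshake failure whose following
    OpenSSL line carries the oversized master-key signature."""
    lines = log_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = HANDSHAKE_RE.match(line)
        if not m:
            continue
        # mod_ssl writes the OpenSSL reason on the very next line.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if "[error] OpenSSL:" in nxt and PROBE_MARKER in nxt:
            hits.append((m.group("ts"), m.group("client")))
    return hits


def probes_by_client(log_text):
    """Count probe attempts per client address, most active first."""
    return Counter(client for _, client in find_sslv2_probes(log_text))


if __name__ == "__main__":
    for client, n in probes_by_client(SAMPLE_LOG).most_common():
        print(f"{client}: {n} SSLv2 master-key probe(s)")
```

Other handshake failures (expired or bad certificates, plain SSLv3 alerts) are deliberately left out so that a noisy log does not inflate the count.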

  10. libsafe ! by mccrew · · Score: 5, Informative
    Every time I hear about another buffer overflow, I scratch my head and ask, "Why doesn't anybody use libsafe?" This is a library which, once installed, protects all processes, regardless whether they have been patched or not.

    It transparently replaces the libc functions that are the usual targets of stack smashing attacks, and checks whether the stack frame has been overrun. If the stack has been smashed, the process gets terminated forcefully, and root (or other designated contact) gets an e-mail with all the details.

    This has been out for several years now, and I am amazed that no major distribution includes this in a standard server install.

    -Steve

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.