Re: Linux Slapper Worm

[Miroslaw Jaworski <mjaw () ipartners pl>]

* Ajai Khattri (ajai () bitblit net) [020919 09:02] wrote:
> Not seeing any announcement from my vendor (and not wanting to compile 
> SSL from source),
> I set out to see if there was some way of avoiding being infected in the 
> first place. I decided to hack my Apache (1.3.26) source code to send a 
> bogus Server: header

...and you're still vulnerable. 

Don't forget mod_ssl and openssl show their versions if you talk to 
SSL-enabled apache ( src/modules/ssl/ssl_engine_init.c, 
ap_add_version_component ).

So whether another kiddie compile PUD code changing it not to look
for 'Apache', but 'mod_ssl|open_ssl' - you're dead.
Not mentioning another, who won't check server response, but will send
all exploits to every 80 port opened - you're dead too.

Someone can read your "fix", apply it, and think he's safe. Giving 
such "advices" _can_ made whole situation worse - some people out there 
will look for all this "Slapper thing" with smiles thinking they're patched.

Go patch the real hole. 

Regards

MJ.

-- 
Miroslaw.Jaworski () ipartners pl  ( Psyborg )  MJ102-RIPE  Internet Partners
Server Administration Department Manager