Security Incidents mailing list archives
Re: Slapper questions
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Thu, 24 Oct 2002 09:08:53 +0200 (CEST)
On Wed, 23 Oct 2002, Griff Palmer wrote:
I'm trying to learn more about how the Apache/mod_ssl worm variants operate. Last month chkrootkit discovered evidence of the Slapper worm on my RedHat 7.2 server. I found .bugtraq.c in my /tmp directory and eliminated it. I updated my openssl to 0.9.6g-1. I blocked port 443 on my firewall.
Did you relink all the software that does use openssl as well? ...
I've blocked UDP packets on ports 1812 and 1813. (Looking at the CERT bulletin it looks as if I should also block 1978, 2002 and 4156.) I've commented out the listen 443 line in my httpd.conf file.
The only sane blocking rules are to block everything and open up those port you must absolutely use. It seems you have not done so yet. Hugo. -- All email sent to me is bound to the rules described on my homepage. hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Slapper questions Griff Palmer (Oct 23)
- Re: Slapper questions Stephen Smoogen (Oct 24)
- Re: Slapper questions Matt Harris (Oct 24)
- Re: Slapper questions Hugo van der Kooij (Oct 25)
- Re: Slapper questions Matt Harris (Oct 24)
- Re: Slapper questions Hugo van der Kooij (Oct 24)
- <Possible follow-ups>
- Re: Slapper questions Cian Whalley (Oct 28)
- Re: Slapper questions Stephen Smoogen (Oct 24)