Security Incidents mailing list archives

Re: Linux Slapper Worm and Linksys


From: Pavel Lozhkin <pavel () atrivo com>
Date: Fri, 20 Sep 2002 15:35:22 +0400


I can't claim that the reason for that is *exactly* Slapper... but the Linksys in the firm where I'm a part-time security consultant has the same problem. It died yesterday and was replaced by a Cisco (ohhh... good choice, I guess) after the IDS had detected a Slapper scan.

So I can *CONFIRM* this.

Mike Lewinski wrote:
Unless the Linksys runs a service on tcp/443 (or udp/2002 perhaps), I
doubt it's the same problem.

With the Cisco 675s, I believe their http implementation had its own
overflows and was knocked out by the requests.

In this case, it's more likely that the poor Linksys got crushed by the
load of scanning. An old 2518 we have still in service showed almost 90%
of available memory consumed by the worm. It also increased cpu
utilization from 3% to over 50%, and caused a noticeable increase in
interface errors on both LAN and WAN ports in another case.

Mike


----- Original Message -----
From: "James Williams" <jwilliams () mail wtamu edu>
To: <incidents () securityfocus com>
Sent: Thursday, September 19, 2002 7:11 AM
Subject: Linux Slapper Worm and Linksys



Has anybody heard of or seen the Slapper worm DoS a Linksys SOHO router
out of commission? A co-worker whose machine had been infected over the
weekend had his Linksys router die over the same period that his box had
been infected with the worm. I know that Nimda had a similar effect on
the Cisco 67x Series ADSL routers running a certain firmware revision and
I was wondering if the Slapper had a similar effect with the Linksys SOHO
routers.


James Williams
Network Systems Technician
West Texas A&M University
http://www.wtamu.edu
Phone: (806) 651-2162
Email: jwilliams () mail wtamu edu




----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com







--
Pavel
ICQ UIN 39596913 8990192


