Slapper worm targets OpenSSL/Apache systems
slapper-worm (10098)
Description:
The Slapper worm has been detected on this system.
Slapper is a worm that exploits a previously disclosed vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process. The worm is a modified derivative of the Apache "Scalper" BSD worm. Current versions of the Slapper worm that are in the wild are targeting Linux servers running Apache with mod_ssl. The worm has distributed denial of service (DDoS) capabilities, as well as backdoor functionality.
Refer to Internet Security Systems Security Alert, September 14, 2002 for more information. See References.
Consequences:
Denial of Service
Remedy:
Any users with installations of OpenSSL up to and including 0.9.6d or 0.9.7beta1 are encouraged to immediately upgrade to the latest version of OpenSSL (currently 0.9.6g).
Administrators should consider one or more of the following temporary workaround solutions to block and/or disable the propagation of the worm:
- Disable mod_ssl HTTPS connections completely if they are not needed. Comment out the following line in "httpd.conf":
Listen 443
so that it reads:
#Listen 443
- Disable the SSLv2 protocol if it is not needed. Locate the SSLCipherSuite directive in httpd.conf. If it is commented out, uncomment it. Append ":!SSLv2" to the end of the directive, and remove any portion that may enable SSLv2, such as ":+SSLv2". Ensure that the other ciphers are correctly configured. For these changes to take effect, the server must be restarted.
- Consider disabling all compilers on production or externally facing systems. While this workaround may not block future variants, it will block propagation of this worm. Disabling compilers on production systems is a good general security practice.
- To disable the worm on an infected host, kill the .bugtraq processes:
killall -9 .bugtraq
Remove the worm files:
rm -f /tmp/.bugtraq /tmp/.uubugtraq /tmp/.bugtraq.c
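As an added example (not part of the advisory), a POSIX shell script that checks whether an httpd.conf still admits SSLv2, applies the SSLCipherSuite workaround described above, and looks for the worm files named in the remedy; the sample config fragment and the function names are constructed for this page.

```shell
#!/bin/sh
# Added example, not from the advisory: audit and apply the SSLv2 workaround in an
# httpd.conf, and check for the worm's dropped files. Sample config is constructed.
# Write a constructed httpd.conf fragment: directive commented out, +SSLv2 present.
make_sample_conf() {
  cat > "$1" <<'EOF'
Listen 80
Listen 443
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
EOF
}

# Return 0 only if an active SSLCipherSuite line excludes SSLv2 (!SSLv2) and does
# not re-enable it (+SSLv2). A missing or commented-out directive leaves the mod_ssl
# default in force, which still offers SSLv2 ciphers, so that counts as enabled.
sslv2_disabled() {
  line=$(grep -E '^[[:space:]]*SSLCipherSuite' "$1" | tail -n 1)
  [ -n "$line" ] || return 1
  case "$line" in *+SSLv2*) return 1 ;; esac
  case "$line" in *!SSLv2*) return 0 ;; esac
  return 1
}

# Apply the workaround: uncomment the directive, strip ":+SSLv2" / "+SSLv2:", and
# append ":!SSLv2" once (idempotent). Writes via a temp file, so any POSIX sed works.
disable_sslv2() {
  sed -e 's/^[[:space:]]*#[[:space:]]*SSLCipherSuite/SSLCipherSuite/' \
      -e '/^SSLCipherSuite/{
s/:+SSLv2//g
s/+SSLv2://g
/!SSLv2/!s/$/:!SSLv2/
}' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 if any of the worm files named in the remedy exist under $1 (normally /tmp).
slapper_files_present() {
  for f in .bugtraq .uubugtraq .bugtraq.c; do
    [ -e "$1/$f" ] && return 0
  done
  return 1
}
# Demonstration on the constructed sample; a real change still needs an httpd restart.
conf=$(mktemp) || exit 1
make_sample_conf "$conf"
if sslv2_disabled "$conf"; then echo "before: SSLv2 disabled"; else echo "before: SSLv2 reachable"; fi
disable_sslv2 "$conf"
if sslv2_disabled "$conf"; then echo "after: SSLv2 disabled"; fi
grep '^SSLCipherSuite' "$conf"; rm -f "$conf"
if slapper_files_present /tmp; then echo "WARNING: Slapper files present in /tmp"; fi
```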
References:
- BugTraq Mailing List, Thu Oct 03 2002 - 14:37:31 CDT: Cisco Secure Content Accelerator vulnerable to SSL worm.
- CERT Advisory CA-2002-27: Apache/mod_ssl Worm.
- CIAC Information Bulletin M-125: Apache/mod_ssl Worm.
- IBM Internet Security Systems X-Force Database: OpenSSL SSL2 master key buffer overflow.
- Internet Security Systems Security Alert, September 14, 2002: "Slapper" OpenSSL/Apache Worm Propagation.
- CVE-1999-0660: A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.
Platforms Affected:
- Apache HTTP Server 1.3.12
- Apache HTTP Server 1.3.14
- Apache HTTP Server 1.3.17
- Apache HTTP Server 1.3.19
- Apache HTTP Server 1.3.20
- Apache HTTP Server 1.3.23
- Apache HTTP Server 1.3.26
- Apache HTTP Server 1.3.6
- Apache HTTP Server 1.3.9
- Debian Debian Linux
- Gentoo Linux
- MandrakeSoft Mandrake Linux
- RedHat Linux
- Slackware Slackware Linux
- SUSE SuSE Linux
Reported:
Sep 13, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
