Linux/Slapper-A is a worm which tries to exploit a buffer overflow vulnerability in the OpenSSL component of SSL-enabled Apache web servers. Once active, the worm can be used as a backdoor to start up a range of denial-of-service attacks.
Linux/Slapper-A spreads between systems via TCP port 443 (SSL). Before connecting to this port, the worm connects to TCP port 80 (HTTP) in order to try to customise its attack for specific Apache versions. If a web server other than Apache (or which identifies itself as other than Apache) is found, the worm will not attempt to infect.
The worm looks for:
Red Hat running Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23 and 1.3.26.
SuSE running Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23.
Mandrake running Apache 1.3.14, 1.3.19, 1.3.20, 1.3.23.
Slackware running Apache 1.3.26.
Debian running Apache 1.3.26.
Gentoo running any version of Apache.
If the system distribution or Apache version cannot be determined, the worm assumes Red Hat running Apache 1.3.23.
Linux/Slapper-A connects via TCP port 443 (SSL) and tries to launch a shell (/bin/sh) on the remote system by exploiting a buffer overflow. The flaw in OpenSSL which allows Linux/Slapper-A to spread was announced and fixed in an OpenSSL Security Advisory of 30 July 2002.
If Linux/Slapper-A successfully breaks into its victim, the worm injects a shell script into the remote shell it has launched. The shell script contains a uuencoded copy of the worm's own source code. The script decodes this source code into the file /tmp/.bugtraq.c, compiles it using gcc into the executable file /tmp/.bugtraq and then executes it. A daemon process called .bugtraq will be visible on infected computers.
Note that the Linux/Slapper-A worm depends on the presence of the gcc compiler on victim computers, and also requires that the compiler be executable by the Apache user. Sophos recommends removing, or limiting access to, the compiler on production web servers.
Once active, Linux/Slapper-A opens up a backdoor which can be contacted via UDP port 2002. The backdoor is intended to allow a range of attacks to be initiated from infected computers, such as executing arbitrary commands, creating TCP floods, creating DNS floods, and searching for email addresses on disk.
Recovery
Search for and kill any running processes named:
.bugtraq
Delete these files, if they exist:
/tmp/.bugtraq
/tmp/.bugtraq.c
/tmp/.uubugtraq
http://www.sophos.com/virusinfo/analyses/linuxslappera.html
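The following POSIX shell script is an added example, not part of the Sophos analysis above and not a Sophos tool. It checks a host for the indicators the write-up names (a process called .bugtraq, the three files under /tmp, and a UDP port 2002 listener for the backdoor) and, with --clean, carries out the two recovery steps. The function names and the script name slapper-check.sh are my own; it assumes ps -eo pid,comm is available and that either ss or netstat exists for the socket check.

```shell
#!/bin/sh
# Added example (not Sophos's tool): find the Linux/Slapper-A indicators
# named in the write-up and, on request, apply its recovery steps.
# Indicators: a process named ".bugtraq", the files under /tmp, and the
# backdoor listening on UDP port 2002.

# Files the write-up says to delete if present.
SLAPPER_FILES="/tmp/.bugtraq /tmp/.bugtraq.c /tmp/.uubugtraq"

# Print "file <path>" for each worm file present. $1 is an optional
# filesystem root (default "/") so the check can be run against a staging tree.
slapper_find_files() {
    root="${1:-}"
    for f in $SLAPPER_FILES; do
        if [ -e "$root$f" ]; then
            printf 'file %s\n' "$root$f"
        fi
    done
}

# Print "process <pid>" for each process whose command name is ".bugtraq".
# $1 is an optional file holding "ps -eo pid,comm" output; default is live ps.
slapper_find_processes() {
    listing="${1:-}"
    if [ -n "$listing" ]; then
        cat "$listing"
    else
        ps -eo pid,comm
    fi | awk '$2 == ".bugtraq" { print "process " $1 }'
}

# Print "udp 2002" if any local UDP socket is bound to port 2002 (the backdoor).
# Uses ss where available, otherwise netstat; prints nothing if neither exists.
slapper_find_backdoor() {
    if command -v ss >/dev/null 2>&1; then
        ss -lun 2>/dev/null
    elif command -v netstat >/dev/null 2>&1; then
        netstat -lun 2>/dev/null
    fi | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:2002$/) { print "udp 2002"; exit } }'
}

# Recovery step 1: kill every running ".bugtraq" process.
slapper_kill_processes() {
    slapper_find_processes | while read -r _ pid; do
        kill -9 "$pid" && printf 'killed %s\n' "$pid"
    done
}

# Recovery step 2: delete the worm files. $1 is the optional root as above.
slapper_remove_files() {
    root="${1:-}"
    for f in $SLAPPER_FILES; do
        if [ -e "$root$f" ]; then
            rm -f "$root$f" && printf 'removed %s\n' "$root$f"
        fi
    done
}

# Usage: sh slapper-check.sh --scan   (report only)
#        sh slapper-check.sh --clean  (kill processes, then delete files; run as root)
case "${1:-}" in
    --scan)
        slapper_find_processes; slapper_find_files; slapper_find_backdoor ;;
    --clean)
        slapper_kill_processes; slapper_remove_files ;;
esac
```

Run --scan first and keep its output; on a real infection the process is killed before the files are removed so that a still-running .bugtraq cannot recreate them, and the host should then be patched against the OpenSSL flaw and have compiler access for the Apache user reviewed, as the write-up recommends.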
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster