[PLUG] Slapper.C

Bill Thoen bthoen at gisnet.com
Tue Oct 1 19:58:00 UTC 2002


Keith Nasman wrote:
> I know the recommended cure is a total rebuild but what are the steps to
> purge the system of this worm? I'll be poring over the RPM verify output
> pretty quick here. I've deleted the files in /tmp and of course killed the
> .cinik process.

Because it's a complete compromise (i.e. they can run any code
they like on your system) the only sure cure is a complete
rebuild. But I think the risk vs cost to rebuild equation differs
depending on what's at risk. To me, I can afford to shut off my
one server for a few days while I scream and kick and chew the
rug trying to figure out how to repair the mess. Others may not
have that luxury and need to be able to show due diligence
towards their company's internet security. So I just pulled the
obvious teeth from the beastie and now watch my logs closer. So
far so good.

Here are some tips I collected for dealing with the A version (the UDP
port differs between versions, but for A it is 2002):

To look for your own IP in other people's firewall logs:
        http://dshield.org/warning_explanation.php
To check what other ports are open:
        $ netstat -an | grep -v ^unix
To see what process is bound to each port:
        # /usr/sbin/lsof -i -P | more
To check for a listening port 2002:
        # netstat -an | grep 2002
To check for activity on a port (2002 in this case):
        # tcpdump -n udp port 2002

URLs:
http://online.securityfocus.com/

After de-fanging slapper, I had a lot of traffic on port 2002 at
first but it died off rapidly after I wasn't responding to the
infected zombie peers. AS long as you don't see your IP send out
messages (use tcpdump), you're okay and they'll leave you alone
in a few days.

- Bill Thoen
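As an added example (not from Bill's post or anything on the PLUG list), the two indicators the thread relies on, a UDP socket bound to the Slapper.A port 2002 and a running `.cinik` process, turned into a small POSIX shell checker that can be run against saved `netstat -an` and `ps` captures offline; the sample captures below are constructed, and the port and process name are taken from the thread as assumptions about variant A only.

```shell
#!/bin/sh
# Added example, not from the original post: the checks Bill lists for
# Slapper.A (UDP port 2002, the .cinik process) applied to command output,
# so they can be run against a saved `netstat -an` / `ps` capture offline.

# CONSTRUCTED sample of `netstat -an` output from an infected host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:443      0.0.0.0:*        LISTEN
udp        0      0 0.0.0.0:2002     0.0.0.0:*
udp        0      0 0.0.0.0:123      0.0.0.0:*'

# CONSTRUCTED sample of `ps -eo pid,user,comm` output from the same host.
SAMPLE_PS='  PID USER     COMMAND
    1 root     init
  812 root     sshd
 2231 apache   httpd
 2380 apache   .cinik'

# udp_listeners TEXT [PORT]: number of UDP sockets bound to PORT.
# Default 2002 is the Slapper.A port (assumption from the thread); other
# variants use other ports, so pass the right one for your variant.
udp_listeners() {
    printf '%s\n' "$1" | awk -v port="${2:-2002}" \
        '$1 ~ /^udp/ && $4 ~ (":" port "$") { n++ } END { print n + 0 }'
}

# cinik_pids TEXT: PIDs whose command name is the worm's .cinik binary.
cinik_pids() {
    printf '%s\n' "$1" | awk '$3 == ".cinik" { print $1 }'
}

# slapper_verdict NETSTAT_TEXT PS_TEXT: "infected" if either indicator is
# present, else "clean". A "clean" verdict only means these two signs are
# absent; it is not proof the box is untouched.
slapper_verdict() {
    if [ "$(udp_listeners "$1")" -gt 0 ] || [ -n "$(cinik_pids "$2")" ]; then
        echo infected
    else
        echo clean
    fi
}

# With --live, run the real commands; otherwise evaluate the sample captures.
if [ "${1:-}" = "--live" ]; then
    slapper_verdict "$(netstat -an)" "$(ps -eo pid,user,comm)"
else
    slapper_verdict "$SAMPLE_NETSTAT" "$SAMPLE_PS"
fi
```

Save the script and run it with `--live` on the suspect host; the sample run prints `infected` because both indicators are present in the constructed captures.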
