
[cobalt-security] Fw: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)



just for your info regarding the new variant of Slapper using a different proc
name in case anyone's interested.

fragga

----- Original Message -----
From: "Tom Sands" <tsands@xxxxxxxxxxxxx>
To: "H. Morrow Long" <morrow.long@xxxxxxxx>; <incidents@xxxxxxxxxxxxxxxxx>
Sent: Monday, September 23, 2002 10:22 AM
Subject: Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)


> Quick Cleanup of new variant:
>
> Quick details... The new worm is using httpd as its process name... The
> way to tell this apart would be with ps auwx.
>
> Look at the difference...
>
> [server@server1 tmp]$ ps auwx | grep httpd
> root       893  0.0  2.9 49144 7428 ?        S    Sep20   0:02
> /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache    5229 35.8 23.9 777676 60984 ?      S    Sep21 876:30 httpd
>
> apache   19017  0.0  2.9 49312 7636 ?        S    04:02   0:00
> /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19018  0.0  3.0 49308 7872 ?        S    04:02   0:00
> /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19019  0.0  2.9 49244 7624 ?        S    04:02   0:00
> /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19020  0.0  2.9 49280 7616 ?        S    04:02   0:00
> /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19021  0.0  3.0 49272 7724 ?        S    04:02   0:00
> /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19022  0.0  2.9 49248 7548 ?        S    04:02   0:00
> /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19023  0.0  3.0 49252 7752 ?        S    04:02   0:00
> /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19024  0.0  2.9 49216 7472 ?        S    04:02   0:00
> /usr/sbin/httpd -DHAVE_ACCESS -DHN
> apache   19325  0.0  3.4 728204 8736 ?       S    04:24   0:00 httpd
>
>
> Can you guess which ones don't belong there?
>
> If you guessed PID 5229 and 19325 you are correct.
>
> Please be on the lookout for a process named "update" running as the
> apache user.  This is a backdoor program.
>
> [server@server1 tmp]$ ps auwx | grep update | grep apache
> apache    5231  0.0  0.1  1352  280 ?        S    Sep21   0:00 update
>
> apache    5441  0.0  0.1  1348  276 ?        S    Sep21   0:00 update
>
> apache    5595  0.0  0.1  1348  280 ?        S    Sep21   0:00 update
>
>
> Quick clean up instructions (as root):
>
> 1. Locate and kill the worm process.
>
> netstat -anp | grep 4156 | grep -i UDP
> pstree -p  PID#
> kill -9 PID#
>
> 2. Locate and kill the backdoor process.
>
> ps -aux | grep update | grep apache
> pstree -p  PID#
> kill -9 PID#
>
> 3. Disable .unlock
>
> cd /tmp
> chown root.root .unlock
> chmod 000 .unlock
>
>
>
> --
> Tom Sands
> Chief Network Engineer
> Rackspace Managed Hosting
> (210)892-4000
>
>
>
>
> H. Morrow Long wrote:
>
> > Several (see http://diswww.mit.edu/charon/nanog/52239) have noticed
> > Slapper using UDP port 4156 today (and apparently yesterday as well
> > as I can see from netflow logs).
> >
> > I've also noticed a Slapper variant apparently using UDP port 1978
> > today as well (one of our hosts on which Slapper is no longer active
> > is continuing to receive UDP packets to and from port 1978 from many
> > Internet sites).
> >
> > H. Morrow Long
> > University Information Security Officer
> > Director, Information Security Office
> > Yale University, ITS
> >
> >
> >
>
> > ----------------------------------------------------------------------------
> >
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management and
> > tracking system please see: http://aris.securityfocus.com
> >
> >
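A small triage helper that applies the two signals from Tom Sands' message above (a process whose command is the bare word "httpd" instead of the full /usr/sbin/httpd path, and an "update" process owned by the apache user) to `ps auwx` output. This is an added example, not code from the thread; the ps listing it scans is constructed from the message's figures, and the function names find_suspects and scan_sample are mine.

```shell
#!/bin/sh
# Added example: flag the Slapper-variant signals described in the thread in
# `ps auwx` output. Field layout of ps auwx:
#   USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
# so $1 is the owner, $2 the PID and $11 the first word of the command.

# Constructed sample modelled on the listing in the message (not real data);
# PIDs 5229/19325 are the bare "httpd", 5231 the backdoor, 19400 a decoy
# "update" owned by root that should not be flagged.
SAMPLE_PS='USER       PID %CPU %MEM   VSZ   RSS TTY      STAT START   TIME COMMAND
root       893  0.0  2.9 49144  7428 ?        S    Sep20   0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache    5229 35.8 23.9 777676 60984 ?       S    Sep21 876:30 httpd
apache    5231  0.0  0.1  1352   280 ?        S    Sep21   0:00 update
apache   19017  0.0  2.9 49312  7636 ?        S    04:02   0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache   19325  0.0  3.4 728204 8736 ?        S    04:24   0:00 httpd
root     19400  0.0  0.1  1400   300 ?        S    04:30   0:00 update'

# Read ps output on stdin and print "<pid> <reason>" per suspicious process.
# The header row is skipped; real Apache children carry the full path, so an
# exact match on the bare word "httpd" is the lead the message describes.
find_suspects() {
    awk 'NR == 1 { next }
         $11 == "httpd"                    { print $2, "bare-httpd-no-path" }
         $11 == "update" && $1 == "apache" { print $2, "update-as-apache" }'
}

# Wrapper over the constructed sample; on a live host run: ps auwx | find_suspects
scan_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_suspects
}

scan_sample
```

The PIDs it prints are the ones to feed into the pstree/netstat checks in the message; a bare "httpd" can also be a legitimately started daemon, so confirm with the UDP socket before killing anything.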