Re: [cobalt-security] Possible scalper Worm
- Subject: Re: [cobalt-security] Possible scalper Worm
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 5 May 2004 15:09:26 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Alain,
> <-- snip -->
> Chkrootkit detected the following changes on your server:
>
> --------------------------------------------------------------------
>
> +Checking `scalper'... Warning: Possible Scalper Worm installed
>
> --------------------------------------------------------------------
> <-- snip -->
>
> As far as I know, scalper worm only infects FreeBSD based systems anyway?
> Is there a need to pay particular attention to this warning?
No, Scalper could also infect the RaQs, but patches that fixed the
vulnerability were released a long time ago.
However, the way chkrootkit runs the Scalper tests can lead to false
positives.
These are the tests that Chkrootkit runs to detect Scalper:
ls -la /tmp/.uua
ls -la /tmp/.a
netstat -an|egrep 0.0:2001
So the test will say "Warning: Possible Scalper Worm installed" if either one
of the two files shown above exists in /tmp/, or it will report Scalper being
present if something has bound to port 2001 on localhost.
The most likely cause for a false positive report is that NAMED has bound to
port 2001/UDP. BIND binds itself to port 53, but also uses a fairly random
extra port for UDP, which sometimes can happen to be port 2001.
Please do the following:
Check if the files /tmp/.uua or /tmp/.a are present.
Then check what has bound to port 2001:
netstat -tupan|egrep 0.0:2001
If that query reports ....
udp 0 0 0.0.0.0:2001 0.0.0.0:* 24191/named
.... then you know where the false positive comes from.
To fix the issue in that case just restart named and then run chkrootkit
again.
If netstat reports any process other than "named" bound to 2001 in the case
above, then you should be careful and investigate further.
--
With best regards,
Michael Stauber
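Added example, not part of the message above and not code from chkrootkit: a small POSIX sh script that runs the three checks Michael describes and tells the BIND false positive apart from some other program holding port 2001. It assumes the netstat -tupan column layout quoted in the message (PID/Program name in the last column) and takes the marker-file directory as an argument so the file check can be exercised outside /tmp.

```shell
#!/bin/sh
# Added example: reproduce chkrootkit's Scalper checks and classify the result.

# scalper_files_present [DIR]: succeed (exit 0) if one of the marker files
# chkrootkit looks for (.uua or .a) exists in DIR (default /tmp).
scalper_files_present() {
    dir=${1:-/tmp}
    hit=1
    for f in .uua .a; do
        if [ -e "$dir/$f" ]; then
            echo "marker file present: $dir/$f"
            hit=0
        fi
    done
    return $hit
}

# classify_port_2001: read "netstat -tupan" output on stdin and print one of
#   clean       nothing is bound to local port 2001
#   named       only named holds it (BIND's extra UDP port: likely false positive)
#   suspicious  some other program holds it
# Matching on the local-address column ($4) ending in ":2001" avoids the
# wider hits that the original "egrep 0.0:2001" would also accept (e.g. :20012).
classify_port_2001() {
    progs=$(awk '$4 ~ /:2001$/ { n = split($NF, a, "/"); print a[n] }' | sort -u)
    if [ -z "$progs" ]; then
        echo clean
    elif [ "$progs" = "named" ]; then
        echo named
    else
        echo suspicious
    fi
}

# check_host: run the live checks (needs netstat; the PID/Program column
# usually requires root). Exit 0 only when nothing looks wrong.
check_host() {
    scalper_files_present /tmp && return 1
    verdict=$(netstat -tupan 2>/dev/null | classify_port_2001)
    case $verdict in
        clean)      echo "nothing bound to 2001 now; re-run chkrootkit"; return 0 ;;
        named)      echo "named holds 2001: restart named, re-run chkrootkit"; return 0 ;;
        suspicious) echo "unknown program on 2001: investigate further"; return 1 ;;
    esac
}
```

Call check_host from a root shell on the RaQ; the two helper functions can also be fed saved netstat output or a scratch directory to see how each case is reported.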