1. Systems Affected
Linux systems running Apache with mod_ssl accessing SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures
2. Overview
I have received reports of self-propagating malicious code that exploits a vulnerability in OpenSSL. This malicious code has been referred to as the Apache/mod_ssl worm, linux.slapper.worm and the bugtraq.c worm. Reports received by the Intersolutions IS group indicate that the Apache/mod_ssl worm has already infected Gamatel systems. There are currently at least three known variants of this worm in circulation.
3. Identifying infected hosts
During the infection process of the "A" variant of the Apache/mod_ssl worm, an encoded version of the worm's source code is placed in /tmp/.uubugtraq. This file is then decoded into /tmp/.bugtraq.c, compiled with gcc, and the resulting executable binary is stored at /tmp/.bugtraq. More recent variants follow a similar (but not identical) infection pattern and leave behind different files. Because all three variants exploit the same system vulnerability, a system infected with one variant may also become infected with the others. Therefore, the presence of any of the following files on a Linux system running Apache with OpenSSL is indicative of compromise.
Variant "A"
/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq
Variant "B"
/tmp/.unlock.c
/tmp/.update.c
Variant "C"
/tmp/.cinik
/tmp/.cinik.c
/tmp/.cinik.go
/tmp/.cinik.goecho
/tmp/.cinik.uu
4. Description
During active monitoring of the proxy servers on our IP network by the Intersolutions IS group, I found the highest bandwidth utilization on UDP port 4156. This is the new attack signature of the Slapper worm, which targets Apache web servers running on Linux; infections have appeared and are reported to be spreading.
The worm, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, has infected thousands of web servers worldwide over this weekend.
The worm uses the SSL vulnerability to transfer its malicious source code to a remote machine. Once infected by the Slapper worm, a web server becomes a host in a large peer-to-peer network of other infected servers. Infected servers scan for other web hosts to infect, and coordinate with other infected hosts using one of a number of UDP ports.
5. How to clean the worm from a system
The latest variant is Slapper.C, so I am giving the procedure to detect that worm on a Linux system. It may also be relevant to Windows-based HTTP servers. The check procedure given below is for Slapper.C on Linux; you can adapt the steps for the other variants using the names and ports listed.
Note :- As the first-level check, look in the /tmp directory: if these executable files exist, the machine may be compromised. If they do not exist, cross-check by going through the whole procedure.
1. Slapper.C is named "unlock" and uses port 4156
exe file name :- /tmp/unlock
port :- 4156 (UDP)
2. Slapper.A uses the name "bugtraq" and relies on UDP port 2002
exe file name :- /tmp/bugtraq
port :- 2002 (UDP)
3. Slapper.B is called "cinik" and uses port 1978
exe file name :- /tmp/cinik
port :- 1978 (UDP)
You can deny all of these UDP ports at the firewall level, and also update antivirus signatures and apply Windows patches.
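The indicators above (the /tmp file names from section 3 and the executable names and UDP ports from section 5) are simple enough to apply with a script. The checker below is an added example, not part of the original advisory; it takes a directory to inspect (/tmp on a live host) and `netstat -anp` output on standard input, and the netstat excerpt embedded at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original advisory: a checker that applies the
# indicators listed in sections 3 and 5. File names and UDP ports are the
# advisory's; the netstat sample at the bottom is constructed for the demo.

# Files the three variants leave in /tmp (section 3) plus the executable
# names given in section 5.
SLAPPER_FILES=".uubugtraq .bugtraq.c .bugtraq .unlock.c .update.c .unlock
.cinik .cinik.c .cinik.go .cinik.goecho .cinik.uu unlock bugtraq cinik"

# UDP ports the variants use for their peer-to-peer traffic (section 5).
SLAPPER_PORTS="4156 2002 1978"

# check_indicator_files DIR
# Print, one per line, each indicator file present in DIR (/tmp on a live
# host). Always returns 0 so it can be used inside command substitutions.
check_indicator_files() {
    for name in $SLAPPER_FILES; do
        if [ -e "$1/$name" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# check_worm_ports
# Read `netstat -anp` output on stdin and print "PORT PID/Program" for every
# UDP socket bound to one of the Slapper ports. UDP lines carry no State
# column, so the PID/Program field is the last one on the line.
check_worm_ports() {
    awk -v ports="$SLAPPER_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        tolower($1) == "udp" {
            port = $4; sub(/.*:/, "", port)      # keep only the local port
            if (port in want) print port, $NF
        }'
}

# slapper_report DIR
# Combine both checks: netstat output on stdin, directory to inspect as $1.
slapper_report() {
    echo "== indicator files in $1 =="
    check_indicator_files "$1"
    echo "== UDP sockets on Slapper ports =="
    check_worm_ports
}

# Constructed `netstat -anp` excerpt: one worm socket among normal services.
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:4156            0.0.0.0:*                           5229/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           640/ntpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      893/httpd'

# Demonstration run against the constructed sample; on a live host use:
#   netstat -anp | slapper_report /tmp
printf '%s\n' "$SAMPLE_NETSTAT" | slapper_report /tmp
```

A hit from either check is a reason to continue with the full procedure below rather than proof on its own: the file names are trivially renamed by later variants, and the port check only sees sockets that are bound at the moment netstat runs.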
Quick cleanup of the new variant: Slapper.C
Quick details: the new worm uses httpd as its process name. The way to tell it apart is with ps auwx.
Look at the difference:
[server@server1 tmp]$ ps auwx | grep httpd
root 893 0.0 2.9 49144 7428 ? S Sep20 0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 5229 35.8 23.9 777676 60984 ? S Sep21 876:30 httpd
apache 19017 0.0 2.9 49312 7636 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 19018 0.0 3.0 49308 7872 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 19019 0.0 2.9 49244 7624 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 19020 0.0 2.9 49280 7616 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 19021 0.0 3.0 49272 7724 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 19022 0.0 2.9 49248 7548 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 19023 0.0 3.0 49252 7752 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 19024 0.0 2.9 49216 7472 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 19325 0.0 3.4 728204 8736 ? S 04:24 0:00 httpd
Can you guess which ones don't belong there?
If you guessed PID 5229 and 19325 you are correct.
Please be on the lookout for a process named "update" running as the apache user. This is a backdoor program.
[server@server1 tmp]$ ps auwx | grep update | grep apache
apache 5231 0.0 0.1 1352 280 ? S Sep21 0:00 update
apache 5441 0.0 0.1 1348 276 ? S Sep21 0:00 update
apache 5595 0.0 0.1 1348 280 ? S Sep21 0:00 update
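The two tells in the ps listings above (a bare "httpd" command where the real server appears as /usr/sbin/httpd with its -D flags, and an "update" process owned by the apache user) can be applied mechanically. The script below is an added example, not part of the original advisory; the sample lines are taken from the listings on this page, with the [kupdated] kernel thread included to show that matching the command field exactly avoids the false hit a plain grep for "update" would give.

```shell
#!/bin/sh
# Added example, not from the original advisory: the ps triage described above
# as a script. It applies the two tells the text gives: the worm shows up as a
# bare "httpd" command (the real server is /usr/sbin/httpd with its -D flags)
# and the backdoor runs as "update" under the apache user.

# flag_suspicious_procs
# Read `ps auwx` output on stdin; print "PID reason" for each suspect entry.
# Fields: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
# START is a single field whether it is a time (04:02) or a date (Sep21),
# so the command name is always field 11.
flag_suspicious_procs() {
    awk '
        $1 == "USER" { next }                # skip the header line, if present
        $11 == "httpd" {
            print $2, "bare httpd command, not /usr/sbin/httpd (worm candidate)"
        }
        $1 == "apache" && $11 == "update" {
            print $2, "update backdoor running as apache"
        }
    '
}

# suspect_pids
# Just the PIDs, one per line, for review with `pstree -p PID` before any kill.
suspect_pids() {
    flag_suspicious_procs | awk '{ print $1 }'
}

# Sample ps output taken from the listings on this page (trimmed), plus the
# kupdated kernel thread seen later in the case study.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 893 0.0 2.9 49144 7428 ? S Sep20 0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 5229 35.8 23.9 777676 60984 ? S Sep21 876:30 httpd
apache 19017 0.0 2.9 49312 7636 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN
apache 19325 0.0 3.4 728204 8736 ? S 04:24 0:00 httpd
apache 5231 0.0 0.1 1352 280 ? S Sep21 0:00 update
apache 5441 0.0 0.1 1348 276 ? S Sep21 0:00 update
root 7 0.0 0.0 0 0 ? SW Sep23 0:00 [kupdated]'

# Demonstration against the sample; on a live host use:
#   ps auwx | flag_suspicious_procs
printf '%s\n' "$SAMPLE_PS" | flag_suspicious_procs
```

Flagged PIDs should be checked with pstree -p before they are killed, as the cleanup steps below do, because a legitimately renamed httpd (some distributions install it under a bare name) would trip the first rule.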
Quick clean up instructions (as root):
1. Locate and kill the worm process.
netstat -anp | grep 4156 | grep -i UDP
pstree -p PID#
kill -9 PID#
2. Locate and kill the backdoor process.
ps -aux | grep update | grep apache
pstree -p PID#
kill -9 PID#
3. Disable .unlock
cd /tmp
chown root.root .unlock
chmod 000 .unlock
4. Run tcpdump as root
command: # tcpdump port 4156
There should be no output related to this port.
Notes for updating OpenSSL are given below.
URL:- http://www.openssl.org
Combined patches for OpenSSL 0.9.6d:
http://www.openssl.org/news/patch_20020730_0_9_6d.txt
Combined patches for OpenSSL 0.9.7 beta 2:
http://www.openssl.org/news/patch_20020730_0_9_7.txt
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20020730.txt
6. Example Case Study
http://www.infoworld.com/articles/hn/xml/02/09/24/020924hnslapperspread.xml?s=IDGNS
The following are the steps I have done to remove this worm. This one is the Slapper.C worm, named "unlock", which runs on UDP port 4156; I suggest stopping the application that uses the SSL layer and updating the SSL version. Follow the worm cleanup document given above; the steps are shown below with an example.
1. Machine :- Intel
2. OS :- Linux 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
3. [root@tegora /root]# httpd -v
Server version: Apache/1.3.19 (Unix) (Red-Hat/Linux)
Server built: Mar 29 2001 12:52:37
4. cd /tmp; ls -al (after following the document at the URL given above)
[root@tegora /tmp]# ls -al
total 148
drwxrwxrwt 7 root root 4096 Sep 25 04:02 .
drwxr-xr-x 21 root root 4096 Sep 23 21:23 ..
-rw-rw-r-- 1 root root 12288 Sep 23 23:36 arpWatch.db
-rw-rw-r-- 1 root root 12288 Sep 23 23:36 dnsCache.db
drwxrwxrwt 2 xfs xfs 4096 Sep 23 21:23 .font-unix
-rw-rw-r-- 1 root root 12288 Sep 23 23:36 hostsInfo.db
drwxrwxrwt 2 alok alok 4096 Sep 24 00:50 .ICE-unix
-rw-rw-r-- 1 root root 12288 Sep 23 23:36 icmpWatch.db
-rw-rw-r-- 1 root root 12288 Sep 23 23:36 logger.db
-rw-rw-r-- 1 root root 12288 Sep 23 23:36 LsWatch.db
-rw-rw-rw- 1 root root 5863 Sep 23 23:38 ntop.access.log
-rw-rw-r-- 1 root root 12396 Sep 23 23:36 ntop_pw.db
drwx------ 2 alok alok 4096 Sep 24 00:50 orbit-alok
drwx------ 2 alok alok 4096 Sep 24 00:50 .sawfish-alok
---------- 1 root root 17973 Sep 22 19:46 .unlock
-r--r--r-- 1 root gdm 11 Sep 24 00:50 .X0-lock
drwxrwxrwt 2 root root 4096 Sep 24 00:50 .X11-unix
5. ps -auxwww|grep httpd (no output)
6. ps -auxwww|grep update
[root@tegora /root]# ps -auxwww|grep update
root 7 0.0 0.0 0 0 ? SW Sep23 0:00 [kupdated]
7. netstat -anp|grep 4156 |grep -i UDP (no output)
8. [root@tegora /root]# pstree -npa
init(1)
|-(keventd,2)
|-(kapm-idled,3)
|-(kswapd,4)
|-(kreclaimd,5)
|-(bdflush,6)
|-(kupdated,7)
|-(mdrecoveryd,8)
|-(khubd,73)
|-(eth0,439)
|-syslogd(502) -m 0
|-klogd(507) -2
|-apmd(563) -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
|-automount(612) --timeout 60 /misc file /etc/auto.misc
|-xinetd(631) -stayalive -reuse -pidfile /var/run/xinetd.pid
| |-in.telnetd(10009)
| | `-login(10010)
| | `-bash(10011)
| | `-su(10048) -
| | `-bash(10049)
| | `-pstree(10206) -npa
| `-in.telnetd(10047)
| `-login(10050)
| `-bash(10088)
| `-su(10124) -
| `-bash(10125)
|-sendmail(669)
|-gpm(682) -t ps/2 -m /dev/mouse
|-crond(710)
|-xfs(782) -droppriv -daemon
|-gdm(824) -nodaemon
| |-X(2325) -auth /var/gdm/:0.Xauth :0
| `-gdm(2326) -nodaemon
| `-gdmlogin(2334) --disable-sound --disable-crash-dialog
|-mingetty(2367) tty5
|-mingetty(2369) tty6
|-simpleproxy(5992) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v
| |-simpleproxy(6058) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v
| |-simpleproxy(6060) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v
| |-simpleproxy(9051) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v
| |-simpleproxy(9052) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v
| `-simpleproxy(9053) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v
|-mingetty(6527) tty4
|-mingetty(6537) tty2
|-mingetty(6539) tty3
`-mingetty(6642) tty1
You have new mail in /var/spool/mail/root
[root@tegora /root]#
9. [root@tegora /tmp]# netstat -npa|more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 100.1.200.27:25005 0.0.0.0:* LISTEN 5992/simpleproxy
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 2325/X
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 631/xinetd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 631/xinetd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 669/sendmail: accep
tcp 0 11 100.1.200.27:23 192.168.12.254:64985 ESTABLISHED 10047/in.telnetd: 6
tcp 0 0 100.1.200.27:25005 192.168.12.172:20600 ESTABLISHED 6060/simpleproxy
tcp 0 0 100.1.200.27:23 192.168.12.254:64970 ESTABLISHED 10009/in.telnetd: 6
tcp 0 0 100.1.200.27:25005 192.168.187.183:800 ESTABLISHED 9052/simpleproxy
tcp 0 0 100.1.200.27:4917 192.168.255.1:5005 ESTABLISHED 9053/simpleproxy
tcp 0 0 100.1.200.27:4916 192.168.255.1:5005 ESTABLISHED 9052/simpleproxy
tcp 0 0 100.1.200.27:4915 192.168.255.1:5005 ESTABLISHED 9051/simpleproxy
tcp 0 0 100.1.200.27:25005 192.168.12.172:20800 ESTABLISHED 6058/simpleproxy
tcp 0 0 100.1.200.27:4781 192.168.255.1:5005 ESTABLISHED 6060/simpleproxy
tcp 0 0 100.1.200.27:4779 192.168.255.1:5005 ESTABLISHED 6058/simpleproxy
tcp 0 0 100.1.200.27:25005 192.168.187.183:700 ESTABLISHED 9051/simpleproxy
tcp 0 0 100.1.200.27:25005 192.168.187.183:600 ESTABLISHED 9053/simpleproxy
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 999 682/gpm /dev/gpmctl
unix 13 [ ] DGRAM 784 502/syslogd /dev/log
unix 2 [ ACC ] STREAM LISTENING 1082 782/xfs /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 75939 2325/X /tmp/.X11-unix/X0
unix 2 [ ] DGRAM 158817 10050/login -- alok
unix 2 [ ] DGRAM 158389 10010/login -- alok
unix 2 [ ] DGRAM 94247 5992/simpleproxy
unix 3 [ ] STREAM CONNECTED 76251 2325/X /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 76250 2334/gdmlogin
unix 3 [ ] STREAM CONNECTED 76248 2325/X /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 76247 2334/gdmlogin
unix 3 [ ] STREAM CONNECTED 75946 782/xfs /tmp/.font-unix/fs7100
unix 3 [ ] STREAM CONNECTED 75945 2325/X
unix 3 [ ] STREAM CONNECTED 75950 2325/X /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 75941 2326/gdm
unix 2 [ ] DGRAM 1156 824/gdm
unix 2 [ ] DGRAM 1085 782/xfs
unix 2 [ ] DGRAM 1033 710/crond
unix 2 [ ] DGRAM 980 669/sendmail: accep
unix 2 [ ] DGRAM 909 631/xinetd
unix 2 [ ] DGRAM 893 612/automount
unix 2 [ ] DGRAM 858 563/apmd
unix 2 [ ] DGRAM 796 507/klogd
unix 2 [ ] STREAM CONNECTED 508 1/init
You have new mail in /var/spool/mail/root
[root@tegora /tmp]#
10. [root@tegora /tmp]# tcpdump
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on all devices
15:53:44.051008 eth0 B arp who-has 192.0.0.24 tell 192.0.0.30
15:53:44.051008 lo > gamatelgate.1920 > gamatelgate.domain: 24783+ PTR? 24.0.0.192.in-addr.arpa. (41) (DF)
15:53:44.051008 lo < gamatelgate.1920 > gamatelgate.domain: 24783+ PTR? 24.0.0.192.in-addr.arpa. (41) (DF)
15:53:44.051008 lo > gamatelgate > gamatelgate: icmp: gamatelgate udp port domain unreachable (DF) [tos 0xc0]
15:53:44.051008 lo < gamatelgate > gamatelgate: icmp: gamatelgate udp port domain unreachable (DF) [tos 0xc0]
15:53:44.051008 eth0 > gamatelgate.1920 > nowaaa.now-india.net.in.domain: 24783+ PTR? 24.0.0.192.in-addr.arpa. (41) (DF)
15:53:44.071008 eth0 < hunt179-186.optonline.net.4156 > gamatelgate.4156: udp 41 (DF)
15:53:44.151008 eth0 B arp who-has 192.0.4.11 tell 192.0.4.2
15:53:44.151008 eth0 < 160.114.34.126.4156 > gamatelgate.4156: udp 41 (DF)
15:53:44.191008 eth0 B 0:10:b5:66:a7:67 > Broadcast sap e0 ui/C
15:53:44.201008 eth0 <
11 packets received by filter
855 packets dropped by kernel
575 packets are not read yet
11. [root@tegora /tmp]# tcpdump port 4156
[root@tegora /root]# tcpdump port 4156
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on all devices
15:55:01.651008 eth0 < 195.12.164.161.4156 > gamatelgate.4156: udp 41 (DF)
15:55:01.671008 eth0 < brftp.bradv.com.4156 > gamatelgate.4156: udp 60 (DF)
15:55:01.691008 eth0 < 61.125.5.117.4156 > gamatelgate.4156: udp 41 (DF) [tos 0xa0]
15:55:01.721008 eth0 < mail.stjoes.com.4156 > gamatelgate.4156: udp 41 (DF)
15:55:01.731008 eth0 < 211.75.239.80.4156 > gamatelgate.4156: udp 41 (DF)
15:55:01.741008 eth0 < 200.9.100.59.4156 > gamatelgate.4156: udp 41 (DF)
15:55:01.781008 eth0 < 211.120.58.142.4156 > gamatelgate.4156: udp 41 (DF)
15:55:01.841008 eth0 < 211.177.198.24.4156 > gamatelgate.4156: udp 41 (DF)
This traffic should die down within one or two days; alternatively, you can block this port at the firewall.
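The capture above still shows packets on port 4156 after cleanup, all of them inbound (the "<" direction marker) from other infected hosts. What matters for the post-cleanup check in step 4 is whether the cleaned host itself is still sending on that port. The script below is an added example, not part of the original advisory; it assumes the old-style tcpdump line format shown above (TIME IFACE DIR SRC.PORT > DST.PORT: udp LEN, with DIR "<" for received and ">" for sent). The sample consists of the eight lines from the capture above plus one constructed outbound line to exercise the second counter.

```shell
#!/bin/sh
# Added example, not from the original advisory: summarise `tcpdump port 4156`
# output so the post-cleanup check can separate inbound probes from other
# infected hosts (which keep arriving for a while) from outbound traffic,
# which would mean this host is still participating in the worm's P2P network.
# Assumes the old-style tcpdump line format shown on this page:
#   TIME IFACE DIR SRC.PORT > DST.PORT: udp LEN
# where DIR is "<" for received and ">" for sent.

# classify_p2p_traffic
# Read tcpdump lines on stdin; print "inbound=N outbound=M".
classify_p2p_traffic() {
    awk '
        $3 == "<" && $4 ~ /\.4156$/ { inbound++ }
        $3 == ">" && $4 ~ /\.4156$/ { outbound++ }
        END { printf "inbound=%d outbound=%d\n", inbound + 0, outbound + 0 }
    '
}

# top_sources [N]
# The N (default 5) remote hosts that sent most often, inbound only; useful
# for a firewall block list while the traffic dies down.
top_sources() {
    awk '$3 == "<" && $4 ~ /\.4156$/ { src = $4; sub(/\.4156$/, "", src); print src }' \
        | sort | uniq -c | sort -rn | head -n "${1:-5}"
}

# Sample: the eight inbound lines from the capture on this page, plus one
# CONSTRUCTED outbound line (the last one) to show what a still-infected
# host would look like.
SAMPLE_TCPDUMP='15:55:01.651008 eth0 < 195.12.164.161.4156 > gamatelgate.4156: udp 41 (DF)
15:55:01.671008 eth0 < brftp.bradv.com.4156 > gamatelgate.4156: udp 60 (DF)
15:55:01.691008 eth0 < 61.125.5.117.4156 > gamatelgate.4156: udp 41 (DF) [tos 0xa0]
15:55:01.721008 eth0 < mail.stjoes.com.4156 > gamatelgate.4156: udp 41 (DF)
15:55:01.731008 eth0 < 211.75.239.80.4156 > gamatelgate.4156: udp 41 (DF)
15:55:01.741008 eth0 < 200.9.100.59.4156 > gamatelgate.4156: udp 41 (DF)
15:55:01.781008 eth0 < 211.120.58.142.4156 > gamatelgate.4156: udp 41 (DF)
15:55:01.841008 eth0 < 211.177.198.24.4156 > gamatelgate.4156: udp 41 (DF)
15:55:02.001008 eth0 > gamatelgate.4156 > 195.12.164.161.4156: udp 41 (DF)'

# Demonstration against the sample; on a live host use:
#   tcpdump port 4156 | classify_p2p_traffic
printf '%s\n' "$SAMPLE_TCPDUMP" | classify_p2p_traffic
```

A clean host shows outbound=0 with a slowly falling inbound count; any outbound packet on port 4156 means the worm process was not fully removed and the process and file checks should be repeated.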