Internet Storm Center

Handler on Duty: Johannes Ullrich

Threat Level: green

Loading...

[get complete service list]

Port Information
Protocol	Service	Name
tcp	stat-results	STAT Results
udp	stat-results	STAT Results
udp	p2p	Apache/mod_ssl Worm

Top IPs Scanning
Today	Yesterday

User Comments
Submitted By	Date
Comment
Alok Dadarya	2009-10-04 18:45:22
1. Systems Affected Linux systems running Apache with mod_ssl accessing SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures 2. Overview I has received reports of self-propagating malicious code which exploits a vulnerability in OpenSSL. This malicious code has been referred to as Apache/mod_ssl worm, linux.slapper.worm and bugtraq.c worm. Reports received by the Intersolutions IS group indicate that the Apache/mod_ssl worm has already infected gammtel of systems. There are currently at least three known variants of this worm in circulation. 3. Identifying infected hosts During the infection process of the "A" variant of the Apache/mod_ssl worm, an encoded version of the worm's source code is placed in /tmp/.uubugtraq. This file is then decoded into /tmp/.bugtraq.c, compiled with gcc, and the executable binary is subsequently stored at /tmp/.bugtraq. More recent variants follow a similar (but not identical) pattern of infection, and leave behind different files. Because all three variants exploit the same system vulnerabilities, it is possible that systems infected with one variant may also become infected with the others. Therefore, presence of any of the following files on Linux systems running Apache with OpenSSL is indicative of compromise. Variant "A" /tmp/.uubugtraq /tmp/.bugtraq.c /tmp/.bugtraq Variant "B" /tmp/.unlock.c /tmp/.update.c Variant "C" /tmp/.cinik /tmp/.cinik.c /tmp/.cinik.go /tmp/.cinik.goecho /tmp/.cinik.uu 4. Description Active monitoring by Intersolutions IS group of proxy servers of IP network, I was found the maximum bandwidth utilization usages on the UDP based 4156 port. This is the new attack signature of the Slapper worm that targets Apache Web servers running on Linux operating systems have appeared and are reported to be spreading. The worm, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, has infected thousands of Web servers worldwide on this weekend. The worm uses the SSL vulnerability to transfer its malicious source code to a remote machine. Once infected by the Slapper worm, Web servers become hosts in a large peer-to-peer network of other infected servers. Infected servers scan for other Web hosts to infect, and coordinate with other infected hosts using one of a number of UDP ports. 5. How Clean Worm from system The latest worm is Slapper.C so i am given the procedure to detect the worm on the linux system. May be affective on windows based http server. I am given worm check procedure for Slapper.C in the Linux. Gven below procedure you can change according to given steps for others worms. Note :- At the first level check in the /tmp dir these exe file exist then may be the machine is comprimise if not exists then cross check and go through whole procedure. 1. Slapper.C is named "unlock" and uses port 4156 exe file name :- /tmp/unlock port :- 4156 (UDP) 2. Slapper.A uses the name "bugtraq" and relies on UDP port 2002 exe file name :- /tmp/bugtraq port :- 2002 (UDP) 3. Slapper.B is called "cinik" and uses port 1978 exe file name :- /tmp/cinik port :- 1978 (UDP) You can deny these all UDP port at the firewall level as well as update the antivirus signature and windows patch. Quick Cleanup of new variant:Slapper.C Quick details... The new worm is using httpd as it's process name... The way to tell this apart would be with ps auwx. Look at the difference... [server@server1 tmp]$ ps auwx \| grep httpd root 893 0.0 2.9 49144 7428 ? S Sep20 0:02 /usr/sbin/httpd -DHAVE_ACCESS -DHN apache 5229 35.8 23.9 777676 60984 ? S Sep21 876:30 httpd apache 19017 0.0 2.9 49312 7636 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN apache 19018 0.0 3.0 49308 7872 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN apache 19019 0.0 2.9 49244 7624 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN apache 19020 0.0 2.9 49280 7616 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN apache 19021 0.0 3.0 49272 7724 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN apache 19022 0.0 2.9 49248 7548 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN apache 19023 0.0 3.0 49252 7752 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN apache 19024 0.0 2.9 49216 7472 ? S 04:02 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHN apache 19325 0.0 3.4 728204 8736 ? S 04:24 0:00 httpd Can you guess which ones don't belong there? If you guessed PID 5229 and 19325 you are correct. Please be on the lookout for a process named "update" running as the apache user. This is a backdoor program. [server@server1 tmp]$ ps auwx \| grep update \| grep apache apache 5231 0.0 0.1 1352 280 ? S Sep21 0:00 update apache 5441 0.0 0.1 1348 276 ? S Sep21 0:00 update apache 5595 0.0 0.1 1348 280 ? S Sep21 0:00 update Quick clean up instructions (as root): 1. Locate and kill the worm process. netstat -anp \| grep 4156 \| grep -i UDP pstree -p PID# kill -9 2. Locate and kill the backdoor process. ps -aux \| grep update \| grep apache pstree -p PID# kill -9 3. Disable .unlock Cd /tmp Chown root.root .unlock Chmod 000 .unlock 4.Run the TCPDUMP as root command #tcpdump port 4156 "No out put related to this port" Note for Updating the OpenSSL given below URL:- http://www.openssl.org Combined patches for OpenSSL 0.9.6d: http://www.openssl.org/news/patch_20020730_0_9_6d.txt Combined patches for OpenSSL 0.9.7 beta 2: http://www.openssl.org/news/patch_20020730_0_9_7.txt URL for this Security Advisory: http://www.openssl.org/news/secadv_20020730.txt 6. Example Case Study http://www.infoworld.com/articles/hn/xml/02/09/24/020924hnslapperspread.xml?s=IDGNS Following the steps I Have done to remove this worm but this is Slapper.C worm is named "unlock" and suggest to stop that application using the ssl layer and update the ssl version. for new worm which is running on UDP port 4156. as given doc follow the worm cleanup doc. Given with example step by step. 1. Machine :- Intel 2. OS :- Linux 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown 3. [root@tegora /root]# httpd -v Server version: Apache/1.3.19 (Unix) (Red-Hat/Linux) Server built: Mar 29 2001 12:52:37 4. cd /tmp ( After follow up the doc as given URL) ls -al [root@tegora /tmp]# ls -al total 148 drwxrwxrwt 7 root root 4096 Sep 25 04:02 . drwxr-xr-x 21 root root 4096 Sep 23 21:23 .. -rw-rw-r-- 1 root root 12288 Sep 23 23:36 arpWatch.db -rw-rw-r-- 1 root root 12288 Sep 23 23:36 dnsCache.db drwxrwxrwt 2 xfs xfs 4096 Sep 23 21:23 .font-unix -rw-rw-r-- 1 root root 12288 Sep 23 23:36 hostsInfo.db drwxrwxrwt 2 alok alok 4096 Sep 24 00:50 .ICE-unix -rw-rw-r-- 1 root root 12288 Sep 23 23:36 icmpWatch.db -rw-rw-r-- 1 root root 12288 Sep 23 23:36 logger.db -rw-rw-r-- 1 root root 12288 Sep 23 23:36 LsWatch.db -rw-rw-rw- 1 root root 5863 Sep 23 23:38 ntop.access.log -rw-rw-r-- 1 root root 12396 Sep 23 23:36 ntop_pw.db drwx------ 2 alok alok 4096 Sep 24 00:50 orbit-alok drwx------ 2 alok alok 4096 Sep 24 00:50 .sawfish-alok ---------- 1 root root 17973 Sep 22 19:46 .unlock -r--r--r-- 1 root gdm 11 Sep 24 00:50 .X0-lock drwxrwxrwt 2 root root 4096 Sep 24 00:50 .X11-unix 5. ps -auxwww\|grep httpd (Nil) 6. ps -auxwww\|grep update [root@tegora /root]# ps -auxwww\|grep update root 7 0.0 0.0 0 0 ? SW Sep23 0:00 [kupdated] 7. netstat -anp\|grep 4156 \|grep -i UDP (Nil) 8. [root@tegora /root]# pstree -npa init(1) \|-(keventd,2) \|-(kapm-idled,3) \|-(kswapd,4) \|-(kreclaimd,5) \|-(bdflush,6) \|-(kupdated,7) \|-(mdrecoveryd,8) \|-(khubd,73) \|-(eth0,439) \|-syslogd(502) -m 0 \|-klogd(507) -2 \|-apmd(563) -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript \|-automount(612) --timeout 60 /misc file /etc/auto.misc \|-xinetd(631) -stayalive -reuse -pidfile /var/run/xinetd.pid \| \|-in.telnetd(10009) \| \| `-login(10010) \| \| `-bash(10011) \| \| `-su(10048) - \| \| `-bash(10049) \| \| `-pstree(10206) -npa \| `-in.telnetd(10047) \| `-login(10050) \| `-bash(10088) \| `-su(10124) - \| `-bash(10125) \|-sendmail(669) \|-gpm(682) -t ps/2 -m /dev/mouse \|-crond(710) \|-xfs(782) -droppriv -daemon \|-gdm(824) -nodaemon \| \|-X(2325) -auth /var/gdm/:0.Xauth :0 \| `-gdm(2326) -nodaemon \| `-gdmlogin(2334) --disable-sound --disable-crash-dialog \|-mingetty(2367) tty5 \|-mingetty(2369) tty6 \|-simpleproxy(5992) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v \| \|-simpleproxy(6058) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v \| \|-simpleproxy(6060) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v \| \|-simpleproxy(9051) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v \| \|-simpleproxy(9052) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v \| `-simpleproxy(9053) -L 100.1.200.27:25005 -R 192.168.255.1:5005 -d -v \|-mingetty(6527) tty4 \|-mingetty(6537) tty2 \|-mingetty(6539) tty3 `-mingetty(6642) tty1 You have new mail in /var/spool/mail/root [root@tegora /root]# 9. [root@tegora /tmp]# netstat -npa\|more Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 100.1.200.27:25005 0.0.0.0:* LISTEN 5992/simpleproxy tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 2325/X tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 631/xinetd tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 631/xinetd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 669/sendmail: accep tcp 0 11 100.1.200.27:23 192.168.12.254:64985 ESTABLISHED 10047/in.telnetd: 6 tcp 0 0 100.1.200.27:25005 192.168.12.172:20600 ESTABLISHED 6060/simpleproxy tcp 0 0 100.1.200.27:23 192.168.12.254:64970 ESTABLISHED 10009/in.telnetd: 6 tcp 0 0 100.1.200.27:25005 192.168.187.183:800 ESTABLISHED 9052/simpleproxy tcp 0 0 100.1.200.27:4917 192.168.255.1:5005 ESTABLISHED 9053/simpleproxy tcp 0 0 100.1.200.27:4916 192.168.255.1:5005 ESTABLISHED 9052/simpleproxy tcp 0 0 100.1.200.27:4915 192.168.255.1:5005 ESTABLISHED 9051/simpleproxy tcp 0 0 100.1.200.27:25005 192.168.12.172:20800 ESTABLISHED 6058/simpleproxy tcp 0 0 100.1.200.27:4781 192.168.255.1:5005 ESTABLISHED 6060/simpleproxy tcp 0 0 100.1.200.27:4779 192.168.255.1:5005 ESTABLISHED 6058/simpleproxy tcp 0 0 100.1.200.27:25005 192.168.187.183:700 ESTABLISHED 9051/simpleproxy tcp 0 0 100.1.200.27:25005 192.168.187.183:600 ESTABLISHED 9053/simpleproxy Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node PID/Program name Pat h unix 2 [ ACC ] STREAM LISTENING 999 682/gpm /de v/gpmctl unix 13 [ ] DGRAM 784 502/syslogd /de v/log unix 2 [ ACC ] STREAM LISTENING 1082 782/xfs /tm p/.font-unix/fs7100 unix 2 [ ACC ] STREAM LISTENING 75939 2325/X /tm p/.X11-unix/X0 unix 2 [ ] DGRAM 158817 10050/login -- alok unix 2 [ ] DGRAM 158389 10010/login -- alok unix 2 [ ] DGRAM 94247 5992/simpleproxy unix 3 [ ] STREAM CONNECTED 76251 2325/X /tm p/.X11-unix/X0 unix 3 [ ] STREAM CONNECTED 76250 2334/gdmlogin unix 3 [ ] STREAM CONNECTED 76248 2325/X /tm p/.X11-unix/X0 unix 3 [ ] STREAM CONNECTED 76247 2334/gdmlogin unix 3 [ ] STREAM CONNECTED 75946 782/xfs /tm p/.font-unix/fs7100 unix 3 [ ] STREAM CONNECTED 75945 2325/X unix 3 [ ] STREAM CONNECTED 75950 2325/X /tm p/.X11-unix/X0 unix 3 [ ] STREAM CONNECTED 75941 2326/gdm unix 2 [ ] DGRAM 1156 824/gdm unix 2 [ ] DGRAM 1085 782/xfs unix 2 [ ] DGRAM 1033 710/crond unix 2 [ ] DGRAM 980 669/sendmail: accep unix 2 [ ] DGRAM 909 631/xinetd unix 2 [ ] DGRAM 893 612/automount unix 2 [ ] DGRAM 858 563/apmd unix 2 [ ] DGRAM 796 507/klogd unix 2 [ ] STREAM CONNECTED 508 1/init You have new mail in /var/spool/mail/root [root@tegora /tmp]# 10.[root@tegora /tmp]# tcpdump Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket tcpdump: listening on all devices 15:53:44.051008 eth0 B arp who-has 192.0.0.24 tell 192.0.0.30 15:53:44.051008 lo > gamatelgate.1920 > gamatelgate.domain: 24783+ PTR? 24.0.0.1 92.in-addr.arpa. (41) (DF) 15:53:44.051008 lo < gamatelgate.1920 > gamatelgate.domain: 24783+ PTR? 24.0.0.1 92.in-addr.arpa. (41) (DF) 15:53:44.051008 lo > gamatelgate > gamatelgate: icmp: gamatelgate udp port domain unreachable (DF) [tos 0xc0] 15:53:44.051008 lo < gamatelgate > gamatelgate: icmp: gamatelgate udp port domain unreachable (DF) [tos 0xc0] 15:53:44.051008 eth0 > gamatelgate.1920 > nowaaa.now-india.net.in.domain: 24783+ PTR? 24.0.0.192.in-addr.arpa. (41) (DF) 15:53:44.071008 eth0 < hunt179-186.optonline.net.4156 > gamatelgate.4156: udp 41 (DF) 15:53:44.151008 eth0 B arp who-has 192.0.4.11 tell 192.0.4.2 15:53:44.151008 eth0 < 160.114.34.126.4156 > gamatelgate.4156: udp 41 (DF) 15:53:44.191008 eth0 B 0:10:b5:66:a7:67 > Broadcast sap e0 ui/C 15:53:44.201008 eth0 < 11 packets received by filter 855 packets dropped by kernel 575 packets are not read yet 11.[root@tegora /tmp]# tcpdump port 4156 [root@tegora /root]# tcpdump port 4156 Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket tcpdump: listening on all devices 15:55:01.651008 eth0 < 195.12.164.161.4156 > gamatelgate.4156: udp 41 (DF) 15:55:01.671008 eth0 < brftp.bradv.com.4156 > gamatelgate.4156: udp 60 (DF) 15:55:01.691008 eth0 < 61.125.5.117.4156 > gamatelgate.4156: udp 41 (DF) [tos 0xa 0] 15:55:01.721008 eth0 < mail.stjoes.com.4156 > gamatelgate.4156: udp 41 (DF) 15:55:01.731008 eth0 < 211.75.239.80.4156 > gamatelgate.4156: udp 41 (DF) 15:55:01.741008 eth0 < 200.9.100.59.4156 > gamatelgate.4156: udp 41 (DF) 15:55:01.781008 eth0 < 211.120.58.142.4156 > gamatelgate.4156: udp 41 (DF) 15:55:01.841008 eth0 < 211.177.198.24.4156 > gamatelgate.4156: udp 41 (DF) This traffic will close within the one or two days . Either you can block this port from firewall.

CVE Links
CVE #	Description