Network Computingwww.networkcomputing.com

A worm called Linux.Slapper.Worm is wiggling its way into Linux boxes running Apache Web Servers with OpenSSL 0.9.6e and 0.9.7-beta2. Multiple vulnerabilities have been reported with these versions of OpenSSL (CERT's advisory is at www.cert.org/).

The worm was identified on Sept. 13 but apparently had been crawling across the Web a few days prior. According to an advisory published by vendor Internet Security Systems, the worm scans for vulnerable Apache servers by looking at the server name returned from an HTTP connection. It then attempts to exploit the vulnerability in SSL. If the attack is successful, the worm uploads a C source file to /tmp/.bugtraq.c, /tmp./uubugtraq.c (a uuencoded version of the source), and /tmp/.bugtraq (the executable) compiles it and then launches it to listen on UDP Port 2002.

Here's what you should do. First, update Apache and OpenSSL from your vendor. If you don't need SSL, edit the httpd.conf file and remove the directive "Listen 443." Check that none of your Virtual Hosts directives enable it and make sure that the HAVE_SSL directive is not being passed to httpd via the -D flag. Start and stop your httpd daemon. Then, just for the sake of sanity, scan the files in /tmp, looking for a process called bugtraq on your system and kill it if necessary.

According to the advisories, this worm doesn't do much more than start a listener, but you should plan to back up your data and reinstall the OS from scratch.

If you're running a production Web server, harden the server by shutting down any unnecessary services in inetd.conf, /etc/xinet.d and any start-up scripts. Make sure your servers are running a configuration that makes sense for your needs (read: know what your defaults are doing), remove any programs from the system that are not needed by the server such as compilers, editors, debuggers, X-Windows, etc. Use only SSH for remote connections.

--Mike Fratto