Re: [Alert] Apache modssl worm on the loose
From: Tobias Crefeld (tobias.crefeld@klekih-petra.de)
Date: 09/15/02
From: Tobias Crefeld <tobias.crefeld@klekih-petra.de> Date: Sun, 15 Sep 2002 23:45:34 +0200
Hatto von Hatzfeld, hatto@salesianer.de, Saturday, 14 September 2002 17:18:
> Server operators who use Apache with modssl (i.e. https) and have
> recently applied neither a patch nor an update to their SSL
> should take care of this urgently now.
In addition, from an F-Secure press release:
---------snip-----------------------------
[..]
The Linux.Slapper worm was first seen on Friday the 13th. Since then it
has infected thousands of web servers around the world and continues to
spread. What sets it apart from other worms is its peer-to-peer
networking capability, which the worm author may utilize to take over
any or all of the infected servers. This was apparently designed to
launch distributed denial-of-service attacks with the worm, but it also
results in a situation where anybody can take over an infected machine
and do practically anything with it.
The Slapper is representative of the new breed of worms and viruses as
it is as much an attack tool as it is a quickly spreading worm.
During the weekend following Friday the 13th, F-Secure engineers have
reverse engineered the peer-to-peer protocol that the worm uses.
F-Secure has now infiltrated the Slapper peer-to-peer attack network,
posing as an infected web server. Through this fake server, the exact
number of infected machines and their network names can be identified.
F-Secure's Global Slapper Information Center provides regularly updated
information on the spread of the virus and numbers of infected servers
categorized by the top-level domain. F-Secure is also sending a warning
to the administrators of infected systems based on their IP addresses. A
free version of F-Secure Anti-Virus for Linux will also be made
available to the administrators of infected systems. The license allows
the product to be used in a limited fashion to remove the worm from the
system.
F-Secure is also contacting the national authorities in order to alert
the administrators of infected systems. It is imperative that the
servers are cleaned and patched to prevent future infections as soon as
possible - both to stop the spreading of the worm and to prevent
unauthorised access to the infected servers.
Global Slapper Information Center can be found from:
http://www.f-secure.com/slapper/
Situation on Sunday 15th of September 2002, at 17:00 GMT
By Sunday evening, the Linux.Slapper worm had been in circulation for
less than 40 hours. In this time, the number of infected servers has
grown from 0 to over 6000. For reference, Code Red - which is known as
the worst web worm so far - managed to infect only a couple of hundred
servers within a similar time frame. Code Red went on to infect over
300,000 web servers during its peak in July 2001 and is still alive
today. It is estimated that there are over 1,000,000 active OpenSSL
installations in the public web. A very big part of those machines has
not yet been patched to close this hole, and is thus prone to
infection by the Slapper worm.
The worm infects unprotected Linux machines that are running Apache web
server with OpenSSL enabled. Uniquely, the worm spreads in C source code
format, recompiling itself on every infected machine.
[..]
---------snip-----------------------------
Regards,
Tobias.