[BUG/VIRUS ALERT] Linux/Slapper, new worm for Apache Web servers on Linux

Madrid, September 17, 2002 -- Today's Oxygen3 24h-365d report will look at a
recently discovered malicious code called "Linux/Slapper". This is a
potentially dangerous worm for Apache Web servers installed on Linux.

Linux/Slapper spreads by exploiting a known buffer overflow vulnerability in
the OpenSSL component of Apache Web servers installed on the following Linux
distributions: Mandrake, SuSE, Slackware, Red Hat and Debian.

This new worm searches for vulnerable computers over the Internet. Once
Linux/Slapper has infected a computer, it opens a backdoor on that computer
through UDP port 2002, which could lead to DoS (Denial of Service) attacks.
The worm then looks for new computers to infect, connecting to them through
the httpd server (port 80) and searching for Apache servers. On finding one,
the worm connects to port 443 (SSL) of that computer in order to send itself
to it.

Linux/Slapper creates two files, "BUGTRAQ.C" and "UUBUGTRAQ", in the "/tmp"
directory on the infected computer. The first file, which contains the
worm's infection code, is sent to remote systems and compiled locally using
gcc, creating the executable file "BUGTRAQ".
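
A host check for the two indicators described above (a socket bound to UDP
port 2002 and the worm's files in the temporary directory), as an added
example that is not part of the original alert. The function names, the
constructed sample data and the tolerance for a leading dot in the file names
are assumptions of this example.

```python
import os

BACKDOOR_UDP_PORT = 2002  # backdoor port named in the alert
# File names from the alert, compared case-insensitively; tolerating a
# leading dot (hidden file) is an assumption of this example.
WORM_FILES = {"bugtraq.c", "uubugtraq", "bugtraq"}

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 5310
"""


def udp_ports_bound(proc_net_udp_text):
    """Return the set of local UDP ports listed in /proc/net/udp text."""
    ports = set()
    for line in proc_net_udp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue  # blank or malformed line
        try:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
        except ValueError:
            continue
    return ports


def worm_files_present(filenames):
    """Return the names matching the files the alert says the worm creates."""
    return sorted(n for n in filenames if n.lower().lstrip(".") in WORM_FILES)


def check_host(proc_net_udp_text, tmp_listing):
    """Combine both indicators into one report dictionary."""
    ports = udp_ports_bound(proc_net_udp_text)
    return {
        "backdoor_port_bound": BACKDOOR_UDP_PORT in ports,
        "worm_files": worm_files_present(tmp_listing),
    }


if __name__ == "__main__":
    # On a live Linux host, read the real sources instead of the sample.
    with open("/proc/net/udp") as fh:
        print(check_host(fh.read(), os.listdir("/tmp")))
```

A bound UDP port 2002 on its own can belong to a legitimate service, so treat
it as a prompt to inspect the owning process rather than as proof of infection.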

More details about the OpenSSL vulnerability in Apache Web servers and the
corresponding fix are available in the security advisory published by the
Computer Emergency Response Team Coordination Center (CERT/CC) at: