GEN:SID | 1:1889 |
Message | MISC slapper worm admin traffic |
Summary | This event is generated when a host infected by the slapper worm sends traffic over the worm's peer-to-peer control channel, a UDP datagram with port 2002 as both source and destination port, to another infected host.
|
Impact | Remote access to the infected host and potential participation in a denial of service attack. A slapper worm infection indicates a successful compromise of the host. The communication channel established between infected hosts is used to pass instructions to them, so the network of infected hosts can be directed to launch a distributed denial of service attack against a target host or network.
|
Detailed Information | The Apache/mod_ssl worm, also known as slapper, exploits a buffer overflow in the SSLv2 handshake code of vulnerable versions of OpenSSL, reached through the HTTPS service of an Apache server running mod_ssl. Once a host has been infected, the worm attempts to establish a communication channel back to the host that infected it, using UDP port 2002 as both the source and the destination port. Each infected host in turn listens on the same port, so the channel grows into a peer-to-peer network of infected hosts. This network lets infected hosts discover each other and receive attack instructions directed at other sites. The rule fires on UDP traffic between two hosts where both ports are 2002, which is unusual for legitimate applications.
|
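The channel condition described above (UDP, port 2002 on both ends) is simple enough to check outside Snort, for example against tcpdump output collected during an investigation. The following is an added example and not part of this rule documentation or of Snort; the tcpdump-style lines are constructed for illustration and are not captures from a real infection. Because both endpoints of such a datagram are infected peers, the example also tallies every address seen on either end as a suspect host.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style sample lines (not a real capture). Three UDP
# datagrams carry port 2002 on both ends, one is ordinary DNS, and one is a
# TCP SYN using port 2002 on both ends, which must not match since the
# channel is UDP.
SAMPLE_LINES = [
    "12:00:01.000000 IP 192.0.2.10.2002 > 198.51.100.5.2002: UDP, length 48",
    "12:00:01.100000 IP 198.51.100.5.2002 > 192.0.2.10.2002: UDP, length 48",
    "12:00:02.000000 IP 192.0.2.10.40123 > 198.51.100.53.53: UDP, length 60",
    "12:00:03.000000 IP 203.0.113.7.2002 > 192.0.2.10.2002: UDP, length 112",
    "12:00:04.000000 IP 192.0.2.10.2002 > 192.0.2.33.2002: Flags [S], seq 1, win 512, length 0",
]

# Port used by the slapper channel as described in this rule's documentation.
SLAPPER_PORT = 2002

# Matches only the UDP summary line format printed by tcpdump for IPv4.
UDP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_udp_line(line):
    """Return a dict for a UDP tcpdump summary line, or None for anything else."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "len"):
        pkt[key] = int(pkt[key])
    return pkt


def is_slapper_channel(pkt, port=SLAPPER_PORT):
    """The rule condition: a UDP datagram with the channel port on both ends."""
    return pkt is not None and pkt["sport"] == port and pkt["dport"] == port


def find_slapper_flows(lines, port=SLAPPER_PORT):
    """Return the parsed packets that satisfy the channel condition, in input order."""
    return [p for p in map(parse_udp_line, lines) if is_slapper_channel(p, port)]


def suspect_hosts(flows):
    """Both ends of a channel datagram are infected peers; count datagrams per host."""
    counts = defaultdict(int)
    for p in flows:
        counts[p["src"]] += 1
        counts[p["dst"]] += 1
    return dict(counts)


if __name__ == "__main__":
    matched = find_slapper_flows(SAMPLE_LINES)
    for p in matched:
        print(f'{p["ts"]} {p["src"]} -> {p["dst"]} ({p["len"]} bytes)')
    for host, n in sorted(suspect_hosts(matched).items()):
        print(f"suspect peer {host}: {n} datagram(s)")
```

The port is a parameter rather than a constant inside the check so that the same logic can be pointed at a different port if a variant is found using one; a hit on the DNS line or the TCP SYN would indicate a bug in the parser, not an infection.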
Affected Systems | Linux hosts running Apache with mod_ssl linked against an SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures. The worm's exploit code targets only Linux/x86; other platforms running the same OpenSSL versions are not infected by this worm but remain vulnerable to the underlying flaw.
|
Attack Scenarios | The communication channel created by the slapper worm allows an infected host to receive direction from other infected hosts. This can be used, for instance, to coordinate a DDoS attack against a third party from all infected hosts at once.
|
Ease of Attack | Simple. The worm carries its own exploit code and spreads automatically; no attacker interaction is required once a vulnerable host is reachable.
|
Corrective Action | Upgrade OpenSSL to a version that fixes the vulnerability (later than 0.9.6d) and restart Apache so that mod_ssl loads the patched library. Disabling SSLv2 in the mod_ssl configuration removes the attack vector. Any host that generates this event should be treated as compromised and rebuilt from known-good media rather than only patched. Blocking UDP port 2002 at the network border disrupts the channel but does not remove the infection.
|
Additional References | CERT http://www.cert.org/advisories/CA-2002-27.html
|
Rule References | url: isc.incidents.org/analysis.html?id=167
url: www.cert.org/advisories/CA-2002-27.html
|