GEN:SID 1:1889
Message MISC slapper worm admin traffic
Summary This event is generated when a web server infected by the slapper worm attempts to send traffic via a communication channel.
Impact Remote access and potentially denial of service.  A slapper worm infection indicates a successful compromise of the host.  A communication channel established between infected hosts can be used as a vehicle for a distributed denial of service attack against a target host or network.
Detailed Information The Apache/mod_ssl worm, also known as slapper, exploits a vulnerability associated with certain versions of OpenSSL.  Once a host has been infected, the worm attempts to establish a communication channel to the infecting host using UDP port 2002 as both the source and the destination port.  Infected hosts use this channel to form a network in which they communicate with each other, identify other infected hosts, and deliver attack instructions for other sites.
Affected Systems Linux hosts running Apache with mod_ssl using SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures.
Attack Scenarios The communication channel created by the slapper worm allows infected hosts to receive direction from other infected hosts.  This can be used, for instance, to coordinate a DDoS attack.
Ease of Attack Simple.  Exploit code exists.
Corrective Action Apply the appropriate patch or upgrade to the most current version of OpenSSL.
Additional References CERT: http://www.cert.org/advisories/CA-2002-27.html
Rule References url: isc.incidents.org/analysis.html?id=167
url: www.cert.org/advisories/CA-2002-27.html
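
Added example (not part of the original rule documentation or the Snort rule itself): a triage helper for the channel described under Detailed Information. It parses raw IPv4 packets and lists, per monitored web server, the peers it exchanged UDP traffic with where source and destination port are both 2002. The function names, the WEB_SERVERS set and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

SLAPPER_PORT = 2002  # per the rule text: UDP 2002 as source AND destination

def build_packet(src, dst, sport, dport, proto=17, options=b""):
    """Build a constructed IPv4 packet for the sample data (checksums zeroed)."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, 0,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + options + struct.pack("!HHHH", sport, dport, 8, 0)

def parse_udp(pkt):
    """Return (src, dst, sport, dport) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # header length varies when IP options are present
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # Non-first fragments carry no UDP header, so their "ports" would be payload bytes.
    if ihl < 20 or pkt[9] != 17 or frag_offset or len(pkt) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), sport, dport

def slapper_channel_peers(packets, web_servers):
    """Map each monitored web server to the peers seen on the 2002<->2002 channel."""
    peers = defaultdict(set)
    for pkt in packets:
        flow = parse_udp(pkt)
        if flow is None:
            continue
        src, dst, sport, dport = flow
        if sport != SLAPPER_PORT or dport != SLAPPER_PORT:
            continue  # a single port of 2002 is not the pattern the rule describes
        if src in web_servers:
            peers[src].add(dst)
        if dst in web_servers:
            peers[dst].add(src)
    return dict(peers)

# Constructed sample traffic using documentation address ranges (assumed).
WEB_SERVERS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}
SAMPLE = [
    build_packet("198.51.100.7", "192.0.2.10", 2002, 2002),          # inbound peer
    build_packet("192.0.2.10", "203.0.113.5", 2002, 2002),           # outbound peer
    build_packet("192.0.2.10", "203.0.113.9", 53124, 2002),          # only dst is 2002
    build_packet("192.0.2.11", "198.51.100.7", 2002, 2002, options=b"\x01" * 4),
    build_packet("192.0.2.12", "198.51.100.7", 2002, 2002, proto=6),  # not UDP
]

if __name__ == "__main__":
    for server, seen in sorted(slapper_channel_peers(SAMPLE, WEB_SERVERS).items()):
        print(server, "->", ", ".join(sorted(seen)))
```

A web server appearing in the result warrants host-level investigation and the Corrective Action above; the peers listed for it are candidates for the same check.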