[ale] Slapper

Michael H. Warfield mhw at wittsend.com
Fri Oct 25 16:58:54 EDT 2002


On Fri, Oct 25, 2002 at 03:15:47PM -0400, cfowler wrote:
> I have a 7.2 box that has been hit.  How do I remove the worm?  I am
> upgrading my packages now

	Depends upon which version...

	None survive a reboot, so that's a start.

	Then remove everything from /tmp that's owned by your apache
web server id.

	The original slapper had files that began ".bugtraq".  That one,
you are pretty much done at that point.

	Another version had files ".cinik.*".  Same basic procedure but
you might want to do a general find for any files anywhere on your
system beginning with .cinik and owned by the apache user.  Get rid of
all of them.

	Yet a third variation went under the name .unlock.c.  Same
procedure, just a different name.

	A version was reported named .ink or .inc or something similar.
I haven't captured a sample of that one yet.  Anyone with a copy, please
contact me.  :-)

	Other versions are rumored but no confirmed sightings.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
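
Added example, not part of the original message: a review-first sweep for the file names listed above (.bugtraq*, .cinik*, .unlock.c) owned by the web server account, which lists matches without deleting anything. The function name `slapper_artifacts` and the default account name `apache` are assumptions; use the account your httpd actually runs as.

```shell
#!/bin/sh
# Added example: list files left behind by the Slapper variants named in
# the message above, so they can be reviewed before removal.
#
# Usage: slapper_artifacts ROOT [OWNER]
#   ROOT   directory to search (/tmp for the original worm, / for the
#          ".cinik" variant, per the message)
#   OWNER  web server account, as a user name or numeric uid
#          ("apache" is an assumed default)
slapper_artifacts() {
    root=$1
    owner=${2:-apache}

    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "usage: slapper_artifacts ROOT [OWNER]" >&2
        return 1
    fi

    # find(1) aborts on an unknown user name; report that case clearly.
    # A purely numeric uid is passed through unchanged.
    case "$owner" in
        ''|*[!0-9]*)
            if ! id -u "$owner" >/dev/null 2>&1; then
                echo "unknown user: $owner" >&2
                return 2
            fi
            ;;
    esac

    # Match only on ownership plus the names reported in the message.
    # Errors from unreadable directories (e.g. under /proc) are discarded.
    find "$root" -user "$owner" \
        \( -name '.bugtraq*' -o -name '.cinik*' -o -name '.unlock.c' \) \
        -print 2>/dev/null
}

# Example invocations (run as root so every directory is readable):
#   slapper_artifacts /tmp apache
#   slapper_artifacts /    apache
```

Name matching only covers the variants named in the message; the broader step it gives, clearing everything in /tmp owned by the web server account, still applies.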





