Slapper worm spanks Apache servers
The Register (UK) | September 16, 2002 | John Leyden
Posted on 09/16/2002 10:29:05 AM PDT by HAL9000
1 posted on 09/16/2002 10:29:05 AM PDT by HAL9000
To: HAL9000
Allow me to seize the moral high ground by not bashing Apache/Linux indiscriminately - instead, I will simply point out that there is no such thing as a fire-and-forget server solution, and that keeping up-to-date with patches and fixes is critical regardless of your choice of platform...
To: HAL9000
To: general_re
The vulnerability exploited by the Slapper (Apache/mod_ssl) worm was fixed beginning with OpenSSL version 0.9.6e. Apache/Linux is not the problem here. The problem (again) is lack of effort on the part of sysadmins. This is usually true regardless of the OS you are running.
4 posted on 09/16/2002 10:41:09 AM PDT by ShadowAce
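Added example, not part of any post in this thread: a small triage script that applies the "fixed beginning with OpenSSL 0.9.6e" threshold quoted in post 4 to a list of Apache `Server` headers. The hostnames and banner strings are constructed sample data, and the function names are illustrative.

```python
import re

# Threshold taken from post 4 above: fixed beginning with OpenSSL 0.9.6e.
FIXED = (0, 9, 6, "e")

# Matches the OpenSSL token in an Apache Server header, e.g. "OpenSSL/0.9.6b".
_TOKEN = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)(\S*)")


def openssl_version(banner):
    """Return (major, minor, fix, letter), or None if no clean token is present."""
    m = _TOKEN.search(banner)
    if m is None or m.group(5):  # token absent, or trailing text such as "-beta2"
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def classify(banner):
    """Return 'needs-patch', 'reports-fixed' or 'unknown' for one Server header."""
    version = openssl_version(banner)
    if version is None:
        return "unknown"
    # Tuple comparison: numeric fields first, then the patch letter ('' < 'a' < 'b').
    return "needs-patch" if version < FIXED else "reports-fixed"


def triage(inventory):
    """Map each host in {host: banner} to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed inventory; hostnames and version strings are made up for illustration.
SAMPLE = {
    "web1.example.test": "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6b",
    "web2.example.test": "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e",
    "web3.example.test": "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6",
    "web4.example.test": "Apache/1.3.26 (Unix)",
    "web5.example.test": "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.7-beta2",
}

if __name__ == "__main__":
    # A banner is only a hint: a distribution may ship the fix without changing
    # the version string, so confirm 'needs-patch' hosts against the vendor package.
    for host, status in sorted(triage(SAMPLE).items()):
        print(host, status)
```

Hosts reported as `unknown` (suppressed banner, pre-release suffix) need a manual check rather than being assumed safe.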
To: HAL9000
Is this related to the recent SSL vulnerability in IE and Opera? This sounds like a problem with the way the secure socket layer is being implemented in various platforms, less so an OS bug.
To: ShadowAce
I agree - once a patch is created, it is incumbent upon admins to ensure that it is applied where needed, regardless of what OS or application you are running.
However, I'll let someone else descend into the muck about assigning blame for the fact that the hole exists in the first place ;)
To: HAL9000
7 posted on 09/16/2002 10:50:31 AM PDT by Doug Loss
To: Doug Loss
The fastest patches in the world aren't worth much if nobody bothers to apply them ;)
To: general_re
Luckily, both Debian and RedHat have automatic update services that any sysadmin with an IQ above room temperature runs at least once a day. Our RedHat boxes have been secure against this exploit for the last month and a half.
9 posted on 09/16/2002 11:07:32 AM PDT by Doug Loss
To: HAL9000; general_re; ShadowAce; Liberal Classic; Doug Loss
"If successful, a copy of the malicious source code is then placed on the victim server, where the attacking system tries to compile and run it."
Anyone want to explain this one to me? Does this mean the attacking system has to use a shell via access like telnet, rsh, etc?
To: Doug Loss
You're preaching to the choir there. Unfortunately, I can think of several thousand sysadmins who flunk that qualification - the number of machines infected is over 11,000 as of this morning ;)
To: general_re
Vide my caveat about IQ and room temperature...
To: KayEyeDoubleDee
"Anyone want to explain this one to me? Does this mean the attacking system has to use a shell via access like telnet, rsh, etc?"
No, worms are by definition automated programs that spread themselves without someone directing it. Telnet and rsh are almost universally denied these days for most places, so I doubt this is how it spreads.
The article is a bit unclear. I guess that the author probably doesn't understand what is going on. How often does the press get details right on firearms? This reads like semi-automatic revolver.
I have not seen a write-up of this particular worm, but when the article says "the attacking system tries to compile and run it" they really mean that the malicious code is already running on the system, but it is not the "full" worm yet. The infamous Morris Worm in the mid-80s worked the same way. Once the worm code was running on the victim computer, it would actually download the rest of itself, compile it, run it, and delete the evidence.
The reason the worm has to compile itself is because the amount of malicious code you can send with a buffer overflow is not very large. Big enough to run a small script, but for anything sophisticated the worm is broken into parts. The first part is what smashes the stack on the victim's CPU and installs itself and then runs. The second part finishes the job by hiding its presence and looking for other vulnerable computers.
To: HAL9000
Clinton visiting Arizona?
To: general_re
"However, I'll let someone else descend into the muck about assigning blame for the fact that the hole exists in the first place ;)"
Okay. This worm appeared on September 13, but the patch has been available since July 30. The vulnerability to this worm was avoidable with a little due diligence by the system administrator.
By comparison, a recent massive security hole in Windows XP that deletes files when the user merely views a web page containing a malicious URL was known to Microsoft for 11 weeks before they released a fix. Not only is Microsoft assigned the blame for the fact that the gaping hole exists in the first place, they also didn't inform customers of the risk or fix it for nearly 3 months. This is SOP for Microsoft customer support, which is why I avoid their low-quality crap products.
15 posted on 09/16/2002 11:45:49 AM PDT by HAL9000
To: Liberal Classic
That makes much more sense.
To: HAL9000
"By comparison, a recent massive security hole in Windows XP that deletes files when the user merely views a web page containing a malicious URL was known to Microsoft for 11 weeks before they released a fix."
Tell us, Hall. How many users do you know who were burned by this "massive security hole". I don't know a single one.
17 posted on 09/16/2002 3:44:16 PM PDT by Bush2000
To: Doug Loss
"The real message here isn't that exploits are possible, it's that they're patched very quickly."
Yeah, that's usually the message that gets conveyed when open source advocates get caught with their pants down around their ankles, braying about poor Windows quality...
18 posted on 09/16/2002 3:46:23 PM PDT by Bush2000
To: Bush2000
"Tell us, Hall. How many users do you know who were burned by this "massive security hole". I don't know a single one."
Have you installed SP1 yet? If not, perhaps you can volunteer for an experiment?
If you've already installed SP1, one of your customers who has not will do.
19 posted on 09/16/2002 4:20:25 PM PDT by HAL9000
To: general_re
"However, I'll let someone else descend into the muck about assigning blame for the fact that the hole exists in the first place ;)"
Alright. The reason we have those holes is that greedy capitalist employers try to hire cheap overseas programming labor thus displacing American workers who can not work for less than it takes to live. :) parsy, who has been too busy to freep the last few weeks.
6 posted on 9/16/02 10:45 AM Pacific by general_re
20 posted on 09/16/2002 4:25:45 PM PDT by parsifal