Removing the Slapper Worm from your Linux Workstation

Cleaning up after the Linux Slapper Worm

Cleaning up after the Linux Slapper worm has three parts: 1) fixing the vulnerability, 2) cleaning up access on the machine, and 3) not being compromised in the future. This document describes some of the steps necessary to patch the problem and clean up an affected machine. These instructions are mainly for RedHat users, but can be applied to additional distributions.

Fixing the vulnerability

This part involves ensuring that the machine cannot be compromised again through the same vulnerability. The Linux Slapper worm exploits a vulnerability that was discovered about July 29, 2002, and was patched the next day.

Vulnerable machines have outdated versions of OpenSSL or mod_ssl (often used with the Apache web server). Information on the affected RedHat Linux versions and the packages needed can be found at RedHat Support. It's a good idea to keep up with all patches, but the packages involved in this particular vulnerability are the following: openssl, openssl-devel, openssl-perl, openssl-python, openssl095a, and openssl096. Downloading newer versions of these packages and running "rpm -Fvh openssl*.rpm" should upgrade the packages necessary.

Cleaning up a hacked machine

This part involves removing any files, trojans, or DDOS software that may remain on the machine. The Linux Slapper Worm is often used in conjunction with scripts or programs that continue running on the affected machine. These programs scan additional networks for vulnerable machines, perform Distributed Denial of Service attacks on machines or networks, scan the hard drive for email addresses and network identification information, and provide a backdoor trojan into the machine. The cleanup procedure may not catch everything, so many administrators choose to reinstall and patch, rather than attempt to clean the system.

Compromised machines often contain trojaned programs in a number of places, and they are often masqueraded or hidden. All directory listings should be performed with the "-a" option (displaying files beginning with "."). The Linux Slapper Worm does not provide root access, so files found will probably belong to apache. An analysis of the original worm is at http://isc.incidents.org/analysis.html?id=167, and an analysis of the commonly found CINIK variant (apparently written by someone in Romania) is at http://isc.incidents.org/analysis.html?id=169

Begin by looking in /tmp. There are often a number of files owned by root. Examples include "/tmp/.cinik" and "/tmp/.uubugtraq". These files (and any similar or unknown files) should be removed. The worm also places files in /var/cache/httpd and /var/lib/dav/, so look in these places for strange files.

Some variants of this worm place a crontab entry to restart themselves in case someone attempts to kill the process and clean up the machine. This file is located at /var/spool/cron/apache. Unless you or another administrator has added cron jobs for apache, it is unlikely that this file should exist at all. If that is the case, this file should be removed, and cron should be restarted ("service crond restart" or "/etc/rc.d/init.d/crond restart").

Stop all processes owned by apache. The worm is likely to still be running, attempting to compromise additional hosts, gathering information, or performing a DDOS. For a list of these processes, use "ps -eaf | grep apache", and then "kill -9 [process_list]" to kill the processes.
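The three cleanup steps above can be checked before anything is deleted or killed. The following read-only audit script is an added example, not part of the original article; it looks for the file names, drop directories and apache-owned processes named above and only reports them. The ROOT prefix parameter is a hypothetical addition so the same checks can be run against a mounted disk image or a test tree.

```shell
#!/bin/sh
# Read-only audit for the Slapper indicators named in the cleanup steps.
# Added example: it reports findings and changes nothing, so each removal
# and kill stays a deliberate administrator action.

# File names the article lists as worm artefacts.
SLAPPER_FILES="/tmp/.cinik /tmp/.uubugtraq /var/spool/cron/apache"
# Directories the article says the worm drops files into.
SLAPPER_DIRS="/tmp /var/cache/httpd /var/lib/dav"

# slapper_audit [ROOT]  - ROOT is a hypothetical path prefix; empty = live system.
# Prints one line per finding and returns non-zero if anything was found.
slapper_audit() {
    root="${1:-}"
    found=0
    for f in $SLAPPER_FILES; do
        if [ -e "$root$f" ]; then
            # Owner matters: apache-owned is expected, root-owned suggests worse.
            owner=$(ls -ld "$root$f" | awk '{print $3}')
            echo "FILE   $root$f owner=$owner"
            found=$((found + 1))
        fi
    done
    # Hidden entries in the drop directories (the "ls -a" the article insists on).
    for d in $SLAPPER_DIRS; do
        [ -d "$root$d" ] || continue
        for p in "$root$d"/.[!.]*; do
            [ -e "$p" ] || continue
            case "$p" in
                */.cinik|*/.uubugtraq) continue ;;                 # reported above
                */.ICE-unix|*/.X11-unix|*/.font-unix) continue ;;  # normal X11 sockets
            esac
            echo "HIDDEN $p"
            found=$((found + 1))
        done
    done
    # Live system only: processes running as apache, candidates for the kill step.
    if [ -z "$root" ]; then
        procs=$(ps -eo pid=,user=,args= 2>/dev/null | awk '$2 == "apache"')
        if [ -n "$procs" ]; then
            echo "$procs" | sed 's/^/PROC   /'
            found=$((found + $(echo "$procs" | wc -l)))
        fi
    fi
    echo "findings: $found"
    [ "$found" -eq 0 ]
}

# Usage: slapper_audit            (live system)
#        slapper_audit /mnt/image (mounted copy of the compromised disk)
```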

Not being compromised in the future

All systems should be updated regularly to avoid problems. The Linux Slapper Worm does not do much damage to the compromised machine, but the problems resulting from it can be bad, and many hacks can cause much larger problems. Do not run services that are unnecessary (for example, if you're not actively maintaining an ftp site, DON'T RUN THE FTP SERVER). Keep up to date with patches (programs such as up2date and red-carpet help immensely in this process). If possible, use private IP addresses and place yourself behind a firewall. These steps will eliminate the majority of problems, and protect the machine.