Juniper Networks

Signature Detail


Short Name: WORM:SLAPPER:C-INFECT
Severity: Critical
Recommended: No
Recommended Action: Drop
Category: WORM
Keywords: Apache Slapper (C) Worm Infection
Release Date: 2003/04/22
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

WORM: Apache Slapper (C) Worm Infection


This signature detects interactive traffic created by the Slapper worm. Apache systems with mod_ssl running on Linux are vulnerable. The Slapper worm uses an invalid HTTP GET request on TCP/80 to scan for vulnerable systems; when found, the worm uses TCP/443 to connect to the SSL service and exploit the system. The worm also copies its source code to the system, which the attacking system compiles and runs; infected systems scan for hosts to continue worm propagation. Finally, the infected system opens a backdoor on UDP/1978 and sends packets to the attacker.
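The port sequence described above can also be checked retrospectively in flow logs. The following is an added example, not part of the Juniper signature: the record layout, addresses, time window, and fan-out threshold are assumptions, and UDP/1978 is matched as a destination port.

```python
from collections import defaultdict

BACKDOOR_UDP_PORT = 1978  # backdoor port named in the signature description

# Constructed sample flows (not real traffic): (time_s, src, dst, proto, dport)
FLOWS = [
    (100, "198.51.100.7", "10.0.0.5", "tcp", 80),    # probe of the web server
    (105, "198.51.100.7", "10.0.0.5", "tcp", 443),   # SSL connection to the same host
    (130, "10.0.0.5", "198.51.100.7", "udp", 1978),  # host talks back on UDP/1978
    (140, "10.0.0.5", "203.0.113.1", "tcp", 80),     # host starts fanning out on TCP/80
    (141, "10.0.0.5", "203.0.113.2", "tcp", 80),
    (142, "10.0.0.5", "203.0.113.3", "tcp", 80),
    (143, "10.0.0.5", "203.0.113.4", "tcp", 80),
    (200, "10.0.0.9", "203.0.113.1", "tcp", 80),     # ordinary proxy: fan-out, no UDP/1978
    (201, "10.0.0.9", "203.0.113.2", "tcp", 80),
    (202, "10.0.0.9", "203.0.113.3", "tcp", 80),
    (203, "10.0.0.9", "203.0.113.4", "tcp", 80),
    (300, "10.0.0.7", "192.0.2.50", "udp", 1978),    # UDP/1978 with no prior SSL peer
]

def find_slapper_candidates(flows, window=600, fanout=4):
    """Return {host: sorted indicator names} for hosts that sent UDP/1978."""
    ssl_in = defaultdict(dict)    # host -> {peer: time of latest inbound TCP/443}
    http_out = defaultdict(set)   # host -> distinct TCP/80 destinations
    hits = defaultdict(set)       # host -> indicators observed
    for ts, src, dst, proto, dport in sorted(flows):
        if proto == "tcp" and dport == 443:
            ssl_in[dst][src] = ts
        elif proto == "tcp" and dport == 80:
            http_out[src].add(dst)
        elif proto == "udp" and dport == BACKDOOR_UDP_PORT:
            hits[src].add("udp1978")
            seen = ssl_in[src].get(dst)
            # Strongest indicator: UDP/1978 goes to a peer that recently
            # connected to this host's SSL service.
            if seen is not None and ts - seen <= window:
                hits[src].add("udp1978-to-ssl-peer")
    # TCP/80 fan-out only counts for hosts that already showed UDP/1978,
    # so proxies and crawlers are not flagged on their own.
    for host, targets in http_out.items():
        if host in hits and len(targets) >= fanout:
            hits[host].add("http-fanout")
    return {host: sorted(found) for host, found in hits.items()}

if __name__ == "__main__":
    for host, found in find_slapper_candidates(FLOWS).items():
        print(host, found)
```

A host carrying all three indicators matches the full sequence in the description; a lone `udp1978` hit is weaker and needs review against known services on that port.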

Extended Description

A buffer-overflow vulnerability has been reported in some versions of OpenSSL. The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition.

UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available.

Affected Products

  • Apache Software Foundation Apache 1.0.0
  • Apache Software Foundation Apache 1.0.2
  • Apache Software Foundation Apache 1.0.3
  • Apache Software Foundation Apache 1.0.5
  • Apache Software Foundation Apache 1.1.0
  • Apache Software Foundation Apache 1.1.1
  • Apache Software Foundation Apache 1.2.0
  • Apache Software Foundation Apache 1.2.5
  • Apache Software Foundation Apache 1.3.0
  • Apache Software Foundation Apache 1.3.1
  • Apache Software Foundation Apache 1.3.11
  • Apache Software Foundation Apache 1.3.12
  • Apache Software Foundation Apache 1.3.13
  • Apache Software Foundation Apache 1.3.14
  • Apache Software Foundation Apache 1.3.14 Mac
  • Apache Software Foundation Apache 1.3.15
  • Apache Software Foundation Apache 1.3.16
  • Apache Software Foundation Apache 1.3.17
  • Apache Software Foundation Apache 1.3.18
  • Apache Software Foundation Apache 1.3.19
  • Apache Software Foundation Apache 1.3.20
  • Apache Software Foundation Apache 1.3.22
  • Apache Software Foundation Apache 1.3.23
  • Apache Software Foundation Apache 1.3.24
  • Apache Software Foundation Apache 1.3.25
  • Apache Software Foundation Apache 1.3.26
  • Apache Software Foundation Apache 1.3.3
  • Apache Software Foundation Apache 1.3.4
  • Apache Software Foundation Apache 1.3.6
  • Apache Software Foundation Apache 1.3.7 -Dev
  • Apache Software Foundation Apache 1.3.9
  • Apache Software Foundation Apache 2.0.0
  • Apache Software Foundation Apache 2.0.28
  • Apache Software Foundation Apache 2.0.28 Beta
  • Apache Software Foundation Apache 2.0.28 -BETA
  • Apache Software Foundation Apache 2.0.32
  • Apache Software Foundation Apache 2.0.32 -BETA
  • Apache Software Foundation Apache 2.0.34 -BETA
  • Apache Software Foundation Apache 2.0.35
  • Apache Software Foundation Apache 2.0.36
  • Apache Software Foundation Apache 2.0.37
  • Apache Software Foundation Apache 2.0.38
  • Apache Software Foundation Apache 2.0.39
  • Apache Software Foundation Apache 2.0.40
  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.1
  • Apple Mac OS X 10.0.2
  • Apple Mac OS X 10.0.3
  • Apple Mac OS X 10.0.4
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.1
  • Apple Mac OS X 10.1.2
  • Apple Mac OS X 10.1.3
  • Apple Mac OS X 10.1.4
  • Apple Mac OS X 10.1.5
  • Apple Mac OS X 10.2.0
  • Apple Mac OS X Server 10.0.0
  • Cisco Secure Content Accelerator 10000
  • Covalent Enterprise Ready Server 2.1.0
  • Covalent Enterprise Ready Server 2.2.0
  • Covalent Fast Start Server 3.1.0
  • Gentoo Linux 0.5.0
  • Gentoo Linux 0.7.0
  • Gentoo Linux 1.1.0 A
  • Gentoo Linux 1.2.0
  • Gentoo Linux 1.4.0 _rc1
  • Gentoo Linux 1.4.0 _rc2
  • Gentoo Linux 1.4.0 _rc3
  • HP INTERNET EXPRESS EAK 2.0.0
  • HP OpenSSL for OpenVMS Alpha 1.0.0
  • HP OpenVMS Secure Web Server 1.1.0 -1
  • HP OpenVMS Secure Web Server 1.2.0
  • HP Secure OS software for Linux 1.0.0
  • HP TCP/IP Services for OpenVMS 5.3.0
  • HP Tru64 UNIX Compaq Secure Web Server 5.8.1
  • HP Tru64 UNIX INTERNET EXPRESS 5.9.0
  • HP VirtualVault 4.5.0
  • HP VirtualVault 4.6.0
  • HP Webproxy 1.0.0
  • HP Webproxy 2.0.0
  • IBM HTTP Server 1.3.19
  • IBM Linux Affinity Toolkit
  • Juniper Networks JUNOS 5.0.0
  • Juniper Networks JUNOS 5.1.0
  • Juniper Networks JUNOS 5.2.0
  • Juniper Networks JUNOS 5.3.0
  • Juniper Networks JUNOS 5.4.0
  • Juniper Networks JUNOS 5.5.0
  • Juniper Networks JUNOS 5.6.0
  • Juniper Networks SDX-300 3.1.0
  • Juniper Networks SDX-300 3.1.1
  • Novell NetMail 3.10.0
  • Novell NetMail 3.10.0 a
  • Novell NetMail 3.10.0 b
  • Novell NetMail 3.10.0 c
  • Novell NetMail 3.10.0 d
  • OpenSSL Project OpenSSL 0.9.1 C
  • OpenSSL Project OpenSSL 0.9.2 B
  • OpenSSL Project OpenSSL 0.9.3
  • OpenSSL Project OpenSSL 0.9.4
  • OpenSSL Project OpenSSL 0.9.5
  • OpenSSL Project OpenSSL 0.9.5 A
  • OpenSSL Project OpenSSL 0.9.6
  • OpenSSL Project OpenSSL 0.9.6 A
  • OpenSSL Project OpenSSL 0.9.6 B
  • OpenSSL Project OpenSSL 0.9.6 C
  • OpenSSL Project OpenSSL 0.9.6 D
  • OpenSSL Project OpenSSL 0.9.7 Beta1
  • OpenSSL Project OpenSSL 0.9.7 Beta2
  • Oracle CorporateTime Outlook Connector 3.1.0
  • Oracle CorporateTime Outlook Connector 3.1.1
  • Oracle CorporateTime Outlook Connector 3.1.2
  • Oracle CorporateTime Outlook Connector 3.3.0
  • Oracle Oracle9i Application Server 1.0.2
  • Oracle Oracle9i Application Server 1.0.2 .1s
  • Oracle Oracle9i Application Server 1.0.2 .2
  • Oracle Oracle9i Application Server
  • Oracle Oracle HTTP Server 9.0.1
  • Oracle Oracle HTTP Server 9.2.0 .0
  • RSA Security BSAFE SSL-C 2.1.0
  • RSA Security BSAFE SSL-C 2.2.0
  • RSA Security BSAFE SSL-C 2.3.0
  • Secure Computing SafeWord PremierAccess 3.1.0
  • SonicWALL SSL-R 4.0.0 .18
  • SonicWALL SSL-R3 4.0.0 .18
  • SonicWALL SSL-R6 4.0.0 .18
  • SonicWALL SSL-RX 4.0.0 .18

References

  • BugTraq: 5363
  • CVE: CVE-2002-0656
  • URL: http://www.cert.org/advisories/CA-2002-27.html
  • URL: http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
  • URL: http://vil.nai.com/vil/content/v_99693.htm

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.