Juniper Networks

Signature Detail

Short Name: WORM:SLAPPER:C2-INFEC
Severity: Critical
Recommended: No
Recommended Action: Drop
Category: WORM
Keywords: Apache Slapper (C2) Worm Infection
Release Date: 2003/04/22
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

WORM: Apache Slapper (C2) Worm Infection


This signature detects interactive traffic created by the Slapper worm. Apache systems with mod_ssl running on Linux are vulnerable. The Slapper worm uses an invalid HTTP GET request on TCP/80 to scan for vulnerable systems; when it finds one, the worm uses TCP/443 to connect to the SSL service and exploit the system. The worm also copies its source code to the system, which the attacking system compiles and runs; infected systems scan for hosts to continue worm propagation. Finally, the infected system opens a backdoor on UDP/1812 and sends packets to the attacker.

Extended Description

OpenSSL is prone to a buffer-overflow vulnerability involving overly long SSLv3 session IDs. Reportedly, when an oversized SSLv3 session ID is supplied to a client from a malicious server, a buffer may overflow on the remote system. Key memory areas on the vulnerable remote system may be overwritten, and arbitrary code may run as the client process.

Affected Products

  • Alcatel-Lucent 7770 RCP
  • Alcatel-Lucent OmniAccess 210
  • Alcatel-Lucent OmniSwitch 6600
  • Alcatel-Lucent OmniSwitch 7700
  • Alcatel-Lucent OmniSwitch 7800
  • Alcatel-Lucent OmniSwitch 8800
  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.1
  • Apple Mac OS X 10.0.2
  • Apple Mac OS X 10.0.3
  • Apple Mac OS X 10.0.4
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.1
  • Apple Mac OS X 10.1.2
  • Apple Mac OS X 10.1.3
  • Apple Mac OS X 10.1.4
  • Apple Mac OS X 10.1.5
  • Apple Mac OS X 10.2.0
  • Apple Mac OS X Server 10.0.0
  • Covalent Enterprise Ready Server 2.1.0
  • Covalent Enterprise Ready Server 2.2.0
  • Covalent Fast Start Server 3.1.0
  • Gentoo Linux 0.5.0
  • Gentoo Linux 0.7.0
  • Gentoo Linux 1.1.0 A
  • Gentoo Linux 1.2.0
  • Gentoo Linux 1.4.0 _rc1
  • Gentoo Linux 1.4.0 _rc2
  • Gentoo Linux 1.4.0 _rc3
  • HP INTERNET EXPRESS EAK 2.0.0
  • HP JetDirect rev. L.22.00
  • HP JetDirect rev. L.23.99
  • HP JetDirect rev. U.22.00
  • HP JetDirect rev. U.23.99
  • HP OpenSSL for OpenVMS Alpha 1.0.0
  • HP OpenVMS Secure Web Server 1.1.0 -1
  • HP OpenVMS Secure Web Server 1.2.0
  • HP Secure OS software for Linux 1.0.0
  • HP TCP/IP Services for OpenVMS 5.3.0
  • HP Tru64 UNIX Compaq Secure Web Server 5.8.1
  • HP Tru64 UNIX INTERNET EXPRESS 5.9.0
  • HP VirtualVault 4.5.0
  • HP VirtualVault 4.6.0
  • HP Webproxy 1.0.0
  • HP Webproxy 2.0.0
  • IBM Linux Affinity Toolkit
  • Juniper Networks JUNOS 5.0.0
  • Juniper Networks JUNOS 5.1.0
  • Juniper Networks JUNOS 5.2.0
  • Juniper Networks JUNOS 5.3.0
  • Juniper Networks JUNOS 5.4.0
  • Juniper Networks JUNOS 5.5.0
  • Juniper Networks JUNOS 5.6.0
  • Juniper Networks M-series Router M10
  • Juniper Networks M-series Router M160
  • Juniper Networks M-series Router M20
  • Juniper Networks M-series Router M40
  • Juniper Networks M-series Router M40e
  • Juniper Networks M-series Router M5
  • Juniper Networks SDX-300 3.1.0
  • Juniper Networks SDX-300 3.1.1
  • Juniper Networks T-series Router T320
  • Juniper Networks T-series Router T640
  • Novell NetMail 3.10.0
  • Novell NetMail 3.10.0 a
  • Novell NetMail 3.10.0 b
  • Novell NetMail 3.10.0 c
  • Novell NetMail 3.10.0 d
  • OpenSSL Project OpenSSL 0.9.1 C
  • OpenSSL Project OpenSSL 0.9.2 B
  • OpenSSL Project OpenSSL 0.9.3
  • OpenSSL Project OpenSSL 0.9.4
  • OpenSSL Project OpenSSL 0.9.5
  • OpenSSL Project OpenSSL 0.9.5 A
  • OpenSSL Project OpenSSL 0.9.6
  • OpenSSL Project OpenSSL 0.9.6 A
  • OpenSSL Project OpenSSL 0.9.6 B
  • OpenSSL Project OpenSSL 0.9.6 C
  • OpenSSL Project OpenSSL 0.9.6 D
  • OpenSSL Project OpenSSL 0.9.7 Beta1
  • OpenSSL Project OpenSSL 0.9.7 Beta2
  • Oracle CorporateTime Outlook Connector 3.1.0
  • Oracle CorporateTime Outlook Connector 3.1.1
  • Oracle CorporateTime Outlook Connector 3.1.2
  • Oracle CorporateTime Outlook Connector 3.3.0
  • Oracle Oracle9i Application Server 1.0.2
  • Oracle Oracle9i Application Server 1.0.2 .1s
  • Oracle Oracle9i Application Server 1.0.2 .2
  • Oracle Oracle9i Application Server
  • Oracle Oracle HTTP Server 9.0.1
  • Oracle Oracle HTTP Server 9.2.0 .0
  • RSA Security BSAFE SSL-C 2.1.0
  • RSA Security BSAFE SSL-C 2.2.0
  • RSA Security BSAFE SSL-C 2.3.0
  • Secure Computing SafeWord PremierAccess 3.1.0
  • Sun Crypto Accelerator 1000

References

  • BugTraq: 5362
  • CVE: CVE-2002-0656
  • URL: http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
  • URL: http://vil.nai.com/vil/content/v_99693.htm
  • URL: http://www.f-secure.com/v-descs/slapper.shtml

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.