Old 10-30-2002, 10:31 PM   #1
thep
Member
 
Registered: Apr 2001
Location: Bangkok, Thailand
Distribution: RH8(server)
Posts: 65

Rep: Reputation: 15
I got the Cinik worm


I just want to warn everyone about this worm, because I got it, but don't know how to take it off. But I just found its details.
If anyone knows more details, please tell me how to take it off my Linux.



(09/15/2002) F-Secure: Linux.Slapper worm found in more than 100 countries.
THIS VIRUS IS RANKED AS LEVEL 1 ALERT UNDER F-SECURE RADAR. This is a high level alert! F-Secure issues Level 1 alerts when the security risk is substantial. This includes viruses, worms, and/or denial of service attacks that have the ability to spread quickly and become widespread with the ability to inflict major damage to systems.

Note: F-Secure is upgrading Linux.Slapper worm to Alert Level 1 as it continues to spread rapidly. Slapper has been sighted on more than 13000 Linux servers, representing more than 100 countries.

Slapper is a network worm that spreads on Linux machines by using a flaw discovered in August 2002 in OpenSSL libraries. The worm was found in Eastern Europe late on Friday September 13th 2002.

The worm typically affects Linux machines that are running Apache web server with OpenSSL enabled. Apache installations cover more than 60% of public web sites in the internet. It can be estimated that less than 10% of these installations have enabled SSL services. By some estimates, there are over one million active OpenSSL installations in the public web. A very big part of these machines have not yet been patched to close this hole, and are thus prone to infection by the Slapper worm.

Once a machine gets infected by Slapper, it joins a massive peer-to-peer denial-of-service network, which can be controlled by the virus author.

The worm works on Intel-based machines running Linux distributions from Red Hat, SuSE, Mandrake, Slackware or Debian. Apache and OpenSSL must be enabled and the OpenSSL version must be 0.9.6d or older.

Slapper is very similar to the Scalper Apache worm, which was found in June 2002. The basic theory of operation is similar to the first widespread web worm, Code Red. Code Red infected more than 350000 websites running Microsoft IIS in July 2001.

The worm is visible in the infected system as a process ".bugtraq". An infected system can be disinfected by terminating the worm's process, and by removing the files created into temporary directory:

/tmp/.uubugtraq
/tmp/.buqtraq.c
/tmp/.bugtraq

The Apache web server must be shut down as well and the OpenSSL library must be upgraded to a fixed version (0.9.6e or above) in order to avoid reinfection.

Note: Detection for F-Secure Anti-Virus was published on September 14th, 2002:

[FSAV_Database_Version]
Version=2002-09-14_01
For a detailed description of the Linux.Slapper worm:

http://www.fsecure.com/slapper/
 
Old 10-31-2002, 06:24 AM   #2
daxy
Member
 
Registered: Oct 2002
Location: the Netherlands
Distribution: Debian - Sid
Posts: 33

Rep: Reputation: 15
Remove the /tmp/ files as stated in the mail from F-Secure and update your OpenSSL library... make sure to recompile Apache and sshd if you compiled them.

It's wise to upgrade to the latest distro, your problem should be fixed there...

This should fix your problem.
 
Old 10-31-2002, 06:37 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
1. take your box off the network
2. curb recurrence by denying access to gcc
find /usr -name gcc\* | xargs chmod 0100
3. find the pids for the process, and kill 'em
kill -s KILL $(netstat -anp | egrep "(cinik|unlock)" | awk '{print $7}' | cut -d "/" -f 1)
4. find the downloaded code and delete it
find /tmp | egrep "(cinik|bugtraq|unlock)" | xargs rm -f
5. now verify the integrity of your box (Aide, Samhain, Tripwire)
6. Upgrade the OpenSSL/Apache combo like you should have done in the first place.

*Updating your system to the latest release is not strictly necessary to combat this problem.
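A read-only audit that puts the advisory's indicators (the /tmp drop files, the OpenSSL version cut-off) and unSpawn's steps 2 to 4 into one script. This is an added example, not code from the thread; it assumes a 2002-era Linux host where openssl and netstat -anp are available for the live audit_host run, and the sample netstat output embedded below is constructed.

```shell
#!/bin/sh
# Added example: audit a host for the Slapper/Cinik indicators named in this thread.
# Nothing here kills processes or deletes files; it only reports what it finds.

# 1. Is the installed OpenSSL in the vulnerable range? Input is the line printed by
#    "openssl version", e.g. "OpenSSL 0.9.6d 9 May 2002". Per the advisory, 0.9.6d
#    or older is affected and 0.9.6e or above is fixed.
openssl_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        0.9.6[e-z]*)                 return 1 ;;  # 0.9.6e and later: fixed
        0.9.6*|0.9.[0-5]*|0.[0-8]*)  return 0 ;;  # 0.9.6d, 0.9.6c, ... and older: vulnerable
        *)                           return 1 ;;  # other branches: not flagged here
    esac
}

# 2. Dropped files: anything under the given directory (default /tmp) whose path
#    matches unSpawn's pattern. Ends in "sort" so the pipeline never fails under set -e.
worm_files() {
    find "${1:-/tmp}" 2>/dev/null | grep -E '(cinik|bugtraq|unlock)' | sort
}

# 3. Worm processes: PIDs from "netstat -anp" whose program name matches. The last
#    field is used so UDP lines (which have no State column) line up with TCP lines.
worm_pids() {
    awk '$NF ~ /\/\.?(cinik|unlock|bugtraq)/ { split($NF, p, "/"); print p[1] }' | sort -un
}

# Constructed sample of "netstat -anp" output; ports and PIDs are made up.
SAMPLE_NETSTAT='tcp   0 0 0.0.0.0:80   0.0.0.0:* LISTEN 612/httpd
tcp   0 0 0.0.0.0:22   0.0.0.0:* LISTEN 480/sshd
udp   0 0 0.0.0.0:3847 0.0.0.0:*        1871/.bugtraq
udp   0 0 0.0.0.0:4156 0.0.0.0:*        1903/.cinik'

# Live audit of this host: prints findings, returns 1 if any indicator is present.
audit_host() {
    hit=0
    openssl_vulnerable "$(openssl version 2>/dev/null)" && { echo "OpenSSL is in the vulnerable range"; hit=1; }
    files=$(worm_files /tmp); [ -n "$files" ] && { echo "worm files:"; echo "$files"; hit=1; }
    pids=$(netstat -anp 2>/dev/null | worm_pids); [ -n "$pids" ] && { echo "worm pids: $pids"; hit=1; }
    return $hit
}
```

Run `audit_host` after taking the box off the network; the PIDs and paths it prints are the ones to feed into steps 3 and 4 above.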
 
Old 10-31-2002, 07:54 AM   #4
thep
Member
 
Registered: Apr 2001
Location: Bangkok, Thailand
Distribution: RH8(server)
Posts: 65

Original Poster
Rep: Reputation: 15
Thank you
 
Old 10-31-2002, 05:09 PM   #5
thep
Member
 
Registered: Apr 2001
Location: Bangkok, Thailand
Distribution: RH8(server)
Posts: 65

Original Poster
Rep: Reputation: 15
I got another question.
I tried to upgrade Apache and SSL.
First I downloaded something from the OpenSSL website and installed it; when it ran I could not see anything happen. Is it like this? Is the SSL upgrade finished?


And I have a problem upgrading Apache. I downloaded Apache 2;
after I ./config, make, make install

it is in a new location, /usr/local, which is the place where every Apache file is inside.
However I'm using Red Hat 7.1; Apache runs in /etc/httpd
and the modules are in usr/lib, so there are some problems loading modules.


How can I upgrade from my old Apache?

Thank you
 
Old 10-31-2002, 08:14 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
What do you mean "nothing happened", it installed the /usr/lib/libssl.* libs, right? Btw, you shouldn't tack on questions that are off-topic to your current topic (have+virus), just post a new one, we'll recycle the old electrons, don't worry.
/etc/httpd only contains conf files and certificates, IIRC, and Apache comes with some extensive filesystem layout templates, so just choose the one you like, it's got a std one for RH, and if you don't like it, tweak it before compiling.
Backup anything you want to keep, (remove the old stuff if you're paranoid and do a "make -n install" to see what goes where) and install the new one.
 