WORM: Apache Slapper (C2) Worm Infection

This signature detects interactive traffic created by the Slapper worm. Apache systems with mod_ssl running on Linux are vulnerable. The Slapper worm uses an invalid HTTP GET request on TCP/80 to scan for vulnerable systems; when found, the worm uses TCP/443 to connect to the SSL service and exploit the system. The worm also copies its source code to the system, which the attacking system compiles and runs; infected systems scan for hosts to continue worm propagation. Finally, the infected system opens a backdoor on UDP/1812 and sends packets to the attacker.
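The propagation sequence above (TCP/80 probe, TCP/443 exploit, then UDP/1812 backdoor traffic back to the attacker) is what a flow-level correlation would key on. The following is an added example, not code from the signature page or from Juniper: a hypothetical flow-log correlator over constructed sample records. It requires all three stages between the same pair of hosts, in order, before flagging a victim, because UDP/1812 on its own is also the RADIUS authentication port and would produce false positives.

```python
"""Correlate flow records for the Slapper propagation sequence.

Added example (not part of the signature page). Names, the Flow record
shape and the sample flows are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed)
    src: str       # source address
    dst: str       # destination address
    proto: str     # "tcp" or "udp"
    dport: int     # destination port


SCAN_PORT = 80        # invalid HTTP GET used to find mod_ssl hosts
EXPLOIT_PORT = 443    # SSL service targeted by the exploit
BACKDOOR_PORT = 1812  # UDP backdoor from infected host to attacker


def correlate_slapper(flows):
    """Return {victim: attacker} for pairs showing scan -> exploit -> backdoor.

    Stage 1: attacker -> victim TCP/80 probe.
    Stage 2: attacker -> victim TCP/443 connection after stage 1.
    Hit:     victim -> attacker UDP/1812 after stage 2 (direction reversed,
             since the backdoor sends packets to the attacker).
    """
    stage = {}   # (attacker, victim) -> highest stage reached so far
    hits = {}    # victim -> attacker
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto == "tcp" and f.dport == SCAN_PORT:
            stage.setdefault((f.src, f.dst), 1)
        elif f.proto == "tcp" and f.dport == EXPLOIT_PORT:
            if stage.get((f.src, f.dst)) == 1:
                stage[(f.src, f.dst)] = 2
        elif f.proto == "udp" and f.dport == BACKDOOR_PORT:
            # Backdoor traffic runs victim -> attacker, so look up the
            # reversed pair; a lone UDP/1812 flow (e.g. RADIUS) never matches.
            if stage.get((f.dst, f.src)) == 2:
                hits[f.src] = f.dst
    return hits


# Constructed sample flows: one full infection chain, one RADIUS-like
# UDP/1812 flow with no prior stages, and one probe that went nowhere.
SAMPLE_FLOWS = [
    Flow(1, "10.0.0.5", "192.0.2.10", "tcp", 80),
    Flow(2, "10.0.0.5", "192.0.2.10", "tcp", 443),
    Flow(3, "192.0.2.10", "10.0.0.5", "udp", 1812),
    Flow(4, "192.0.2.20", "192.0.2.99", "udp", 1812),
    Flow(5, "10.0.0.7", "192.0.2.30", "tcp", 80),
]

if __name__ == "__main__":
    for victim, attacker in correlate_slapper(SAMPLE_FLOWS).items():
        print(f"possible Slapper infection: {victim} (exploited from {attacker})")
```

Only the 192.0.2.10 host is reported; the standalone UDP/1812 flow and the unanswered TCP/80 probe are ignored, which is the behaviour a practitioner would want before escalating an alert to the "Drop" action this signature recommends.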

Extended Description

OpenSSL is prone to a buffer-overflow vulnerability involving overly long SSLv3 session IDs. Reportedly, when an oversized SSLv3 session ID is supplied to a client from a malicious server, a buffer may overflow on the remote system. Key memory areas on the vulnerable remote system may be overwritten, and arbitrary code may run as the client process.

Affected Products

Hp jetdirect, Hp tcp/ip_services_for_openvms, Openssl_project openssl

Short Name: WORM:SLAPPER:C2-INFEC
Severity: Critical
Recommended: False
Recommended Action: Drop
Category: WORM
Keywords: (C2) Apache CVE-2002-0656 Infection Slapper Worm bid:5362
Release Date: 04/22/2003
Supported Platforms: srx-branch-12.3, srx-19.3, srx-branch-19.3, vsrx3bsd-19.2, srx-branch-19.4, vsrx-19.4, mx-12.3, mx-19.4, vmx-19.4, mx-19.3, vsrx3bsd-19.4, srx-19.4, vsrx-12.3, vmx-19.3, vsrx-19.2, srx-12.3

Sigpack Version: 3339
Port: UDP/1812
False Positive: Unknown
Vendors: Secure_computing, Apple, Gentoo, Juniper_networks, Hp, Ibm, Rsa_security, Novell, Sun, Oracle, Covalent, Alcatel-lucent, Openssl_project

CVSS Score: 7.5
