By Bri Hatch.
Summary: Proactive security would have blocked the Linux Slapper worm and could help stop future worms in their tracks.
Windows users are accustomed to worms, viruses, and Trojans. It's much more rare for Unix-like operating systems to become targets. Perhaps it's because we're more likely to secure our systems; perhaps it's because Open Source software 'is not designed to enable virus replication' ; or maybe it's because there are so many Windows machines out there, it's a much more appealing target.
When a worm that attacks Unix-like systems comes round though, it's noteworthy. While there was an Apache worm  about two months ago, it didn't seem to catch on at all. Now a new worm -- dubbed linux.slapper.worm -- has started targeting SSL-enabled Apache servers and has had noticeable impact: 30,000 hosts have been compromised as of September 17th. 
By now , news about the worm has been all over the place, so I won't rehash it in detail. Suffice it to say that a buffer overflow in OpenSSL  can be abused on Apache servers that support SSL (Apache + mod_ssl or Apache-SSL) to gain access as the apache user. Patches (OpenSSL 0.9.6e and later) have been out for a while. The bug is in the SSL negotiation, which happens before the actual HTTP data (GET/POST/etc) is sent, which means you won't have any indication in your logs that the attack is occurring.
If the buffer overflow succeeds, the worm uploads a file '/tmp/.bugtraq.c', compiles it, and runs the resulting executable /tmp/.bugtraq. This program starts listening for connections on UDP port 2002, joining a Peer-To-Peer network of cracked machines. This P2P network can be used to create Distributed Denial of Service attacks (IPv4 and IPv6 TCP floods, DNS floods and more) and allow the cracker to run any arbitrary commands on your machine. (A useful example would be to upgrade the P2P code to include new functionality.) Though he does not get root access directly, it's possible to get in and poke around more to see if he can elevate his privileges.
Whew. Now that we've gotten the background out of the way, here's the worst thing about the situation: it's completely preventable. If you follow paranoid procedures when setting up your machine, you would have stopped this worm at several points and either avoid becoming infected at all, or at least keep yourself from becoming part of the P2P network. Let's take a look at generic security practices that could keep this worm in check:
So if you took these steps, which are not specific to this worm, you would have been protected from this worm at multiple stages. Proactive security would have saved the day.
 The original quote, "Other e-mail programs are not designed
to enable virus replication" was listed in the Melissa
Virus warning from Microsoft, as if Outlook had this enviable
feature and no one else did. This section was later silently
removed from the Web page.
Bri Hatch is Chief Hacker at Onsight, Inc., and author of Hacking Linux Exposed and Building Linux VPNs. He believes there's only one piece of software that he considers essential for every machine, and that's vi. Everything else is negotiable. Bri can be reached at firstname.lastname@example.org.
Copyright Bri Hatch, 2002.
This article was first published here in ITworld.com Inc., 118 Turnpike Rd., Southborough, MA 01772 on 24-Sep-2002.