Security Incidents mailing list archives

RE: unusual packet (tcpdump shows): rad-#0 41 [id 0] Attr[


From: "James Williams" <jwilliams () mail wtamu edu>
Date: Thu, 24 Oct 2002 08:07:02 -0500

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We (we being the IT staff at WTAMU) were infected with Slapper on a
vulnerable box, and we took proper steps in cleaning the infected
system and updating the RPMs provided by Red Hat, and we got infected
again with Slapper. Again we took proper steps in cleaning the
infected system, but this time we recompiled Apache from source, and
since then we haven't had any other problems with Slapper.  That's
why I say that Red Hat hasn't patched their packages correctly.

James Williams
Network Systems Technician
West Texas A&M University
http://www.wtamu.edu
Phone: (806) 651-2162
Email: jwilliams () mail wtamu edu



- -----Original Message-----
From: Jason Giglio [mailto:jgiglio () Netmar com]
Sent: Wednesday, October 23, 2002 12:45 AM
To: jwilliams () mail wtamu edu
Cc: incidents () securityfocus com; ran_mobby () rediffmail com
Subject: Re: unusual packet (tcpdump shows): rad-#0 41 [id 0] Attr[


On Tue, 22 Oct 2002 10:51:08 -0500
"James Williams" <jwilliams () mail wtamu edu> wrote:

Your server is infected with the Slapper worm. What you need to do
is contact your ISP and ask them to block udp/1812 at the router
coming into their network, and you need to recompile Apache from
source with the latest packages, since Red Hat or whatever
distribution you are using isn't patching their compilations of
their packages correctly.

Just a note, Red Hat released the errata for this days after
discovery.  They didn't update the version reported by running the
binary with the version command (but they did increment the patch
level number of the RPM), and since they backport patches for
security, some people misunderstood this to mean they never fixed
it, but rest assured it is patched, and has been patched, in any
updated Red Hat system.

Recompiling the newest feature release from source for each security
patch is not particularly good advice IMHO.  Red Hat and other
distros do the work to release patched binaries of existing versions
to prevent disruption of your production servers; if you are
compiling from source, you are just creating extra work for yourself
and risking instability in production environments.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPbfwdnoKK6IDbxYZEQLnrACfahdr+mEEN/XrcrjWJoEXZsqjes4AnRQg
VPDsHRLsjqeWfx/J30ikjhSc
=CSdU
-----END PGP SIGNATURE-----
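The disagreement in this thread comes down to how a backported fix is verified. The following is an added example, not code from either poster or from Red Hat: it shows that the version banner of a backported package is identical before and after the fix, so the only reliable checks are the RPM release field and the package changelog. CAN-2002-0656 is the OpenSSL SSLv2 handshake flaw the Slapper worm exploited (so the package to inspect is openssl, not apache); every other value in the block, the release numbers and the changelog entries, is a constructed sample, not real Red Hat package data.

```shell
#!/bin/sh
# Added example, not code from the thread or from Red Hat.
# Shows why the version banner is the wrong thing to check on a
# distribution that backports security fixes: the banner of the
# patched and unpatched package is identical, while the RPM release
# field and the package changelog differ.
# CAN-2002-0656 is the OpenSSL SSLv2 flaw exploited by Slapper; all
# release numbers and changelog text below are constructed samples.

FIX_ID="CAN-2002-0656"

# Constructed stand-ins for `rpm -q --changelog openssl` output.
CHANGELOG_UNPATCHED='* (constructed entry) 0.9.6b-20
- rebuild for this release'
CHANGELOG_PATCHED='* (constructed entry) 0.9.6b-21
- backport fix for CAN-2002-0656
* (constructed entry) 0.9.6b-20
- rebuild for this release'

# Constructed stand-in for `openssl version`: a backport leaves it unchanged.
banner_of() {
    # $1 = name-version-release; the banner carries only the upstream version.
    nv=${1%-*}                         # drop the release field
    printf 'OpenSSL %s\n' "${nv#*-}"   # drop the package name
}

# True if the changelog mentions the advisory / CAN identifier.
changelog_has_fix() {
    # $1 = identifier, $2 = changelog text
    printf '%s\n' "$2" | grep -qiF -- "$1"
}

# True if the installed release is at least the first fixed release.
# Both arguments are name-version-release strings sharing name and
# version, the usual shape of a backported security update.
release_at_least() {
    inst_rel=${1##*-}
    fixed_rel=${2##*-}
    [ "$inst_rel" -ge "$fixed_rel" ]
}

# Combine both checks; prints "patched" or "unpatched".
verdict() {
    # $1 = installed NVR, $2 = first fixed NVR, $3 = changelog text
    if release_at_least "$1" "$2" && changelog_has_fix "$FIX_ID" "$3"; then
        echo patched
    else
        echo unpatched
    fi
}

# Stand-alone demonstration: same banner, different verdicts.
banner_of openssl-0.9.6b-20   # OpenSSL 0.9.6b
banner_of openssl-0.9.6b-21   # OpenSSL 0.9.6b  (banner cannot tell them apart)
verdict openssl-0.9.6b-20 openssl-0.9.6b-21 "$CHANGELOG_UNPATCHED"   # unpatched
verdict openssl-0.9.6b-21 openssl-0.9.6b-21 "$CHANGELOG_PATCHED"     # patched
```

On a real Red Hat system of that era the live equivalents of the constructed inputs are `rpm -q openssl` for the installed name-version-release, `rpm -q --changelog openssl | grep CAN-2002-0656` for the changelog check, and `openssl version` for the banner; the first fixed release number has to be taken from the errata notice itself, which is why the block treats it as a parameter rather than a constant.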

