Apparently new Linux/apache web server exploit on the loose | System Administration and Web Application Development Blog

There’s a Linux worm currently spreading rapidly that exploits web servers. Finjan estimates that about 10,000 servers are affected. Nobody has confirmed how it’s getting root access, but once it is in, it installs a dynamic Apache module that randomly sends JavaScript code to clients. That JavaScript exploits vulnerabilities in QuickTime, Yahoo Messenger, and others, and attempts to install Rbot, a malware suite, on computers that visit the sites, using a host of exploits including ones found in QuickTime, Yahoo Messenger, and Windows Media Player.

An immediate way to test whether you’re affected is to try creating an entirely numeric directory: if you run into a file-not-found error, or the directory isn’t actually created, you’re infected. This is a bug in the rootkit, and there are reports coming in that the attackers have already fixed it. A more robust way to check for the exploit is to run the following command:

tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"

If any lines are printed, your server is sending out infected JavaScript files. If your web server is particularly low-traffic, you may want to run:

ab -c 10 -n 100 http://www.yourdomain.com/somefile.html

This will generate some traffic on your web server, so that there are some requests for tcpdump to pick up on.
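The two checks above, wrapped into reusable functions so they can be run repeatedly or from a cron job. This is an added example, not a script from the original post; it assumes POSIX sh, mktemp, grep, and (for the live capture only) coreutils timeout and root privileges for tcpdump. The capture lines inside the script are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not the blog's own script): the numeric-directory test and
# the tcpdump|grep test from the post, as functions with a bounded capture.

# Check 1: the rootkit reportedly broke creation of all-numeric directories.
# Returns 0 (healthy) if a numeric directory can be created and is visible,
# 1 (suspicious) if mkdir fails or the directory does not show up afterwards.
numeric_dir_check() {
    base="${1:-$(mktemp -d)}"        # directory to test in; default: fresh temp dir
    target="$base/12345"
    if mkdir "$target" 2>/dev/null && [ -d "$target" ]; then
        rmdir "$target"
        return 0
    fi
    return 1
}

# Check 2: the post's grep, applied to capture text on stdin (tcpdump -A output
# or a saved HTTP response). Prints matching lines; returns 0 if any matched.
# Caveat: any name of five or more letters followed by .js' matches (so a
# legitimate 'jquery.js' would too); review hits rather than treating one as proof.
scan_for_injected_js() {
    grep "[a-zA-Z]\{5\}\.js'"
}

# Live variant of check 2 for a running server: same tcpdump invocation as the
# post, but bounded to N seconds (default 30) so it terminates. Needs root.
live_scan() {
    timeout "${1:-30}" tcpdump -nAs 2048 src port 80 2>/dev/null | scan_for_injected_js
}

# Constructed sample capture: one injected-looking reference, one benign line.
SAMPLE_CAPTURE="<script src='http://example.invalid/qwxzt.js'></script>
<p>Welcome to the site</p>"

# Convenience wrapper: returns 0 only if neither check raises a flag.
run_offline_checks() {
    numeric_dir_check || { echo "numeric directory test FAILED"; return 1; }
    if printf '%s\n' "$SAMPLE_CAPTURE" | scan_for_injected_js >/dev/null; then
        echo "injected .js reference found in sample capture"
        return 1
    fi
    echo "no indicators found"
    return 0
}
```

Run `live_scan 60` as root while `ab` is generating traffic to reproduce the post's live check with a 60-second bound.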

I’ll post more if I hear any news about the nature of the underlying vulnerability. In the meantime here’s some further reading:
