one of my co-lo'ed machines in texas was just infected by the variant 
Slapper.c, which compiled a binary called .unlock and was residing in /tmp 
and from my understanding is the only location the worm can write to because 
it has world writable permissions. i am not familiar with that file name 
upgrade-modssl, were you able to view the contents of the file? the .unlock 
file small, and the worm isnt particularly maliscous to the file system. its 
main objective is to create a peer-to-peer network of up to 16 million 
machines and then forms an attack on its victim. the variant that i was 
infected with uses port 4156 instead of port 2002. issue a netstat 
--numeric-port and make sure nothing is running on this port also check out 
this link, hope this helps some. i suffered an anxiety attack after i 
discovered what was going on!

http://www.f-secure.com/v-descs/slapper.shtml

slr

On Friday 27 September 2002 12:52 pm, Phil Mattison wrote:
> I got an email from some outfit in Europe today claiming that my web server
> was sending their server UDP packets in a denial-of-service attack cause by
> the Slapper Worm. I was unable to find any of the indications as mentioned
> in the documentation on this virus that my system was infected. I did,
> however, find that someone had created a huge file named upgrade-modssl (or
> some such thing) that ate up all my free space. The owner:group of the file
> indicated it was created through the Apache server somehow. Has anyone seen
> something like this before, or know how a hacker might constipate your file
> system like that?