[Plug-security] new worm in the wild
David A. Sinck
plug-security@lists.PLUG.phoenix.az.us
Fri, 13 Sep 2002 09:58:16 -0700
bugtraq mention:
http://online.securityfocus.com/archive/1/291748
source:
http://www.aracnet.com/~patman/bugtraq.c
behaviour:
scans for linux/apache, infects and drops files /tmp/.uubugtraq
/tmp/.bugtraq.c /tmp/.bugtraq, goes into scan/infect mode + listens for
commands on udp 2002.
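possible trivial inoculation:
# pre-create the file name the worm drops, then remove group/other access
touch /tmp/.bugtraq
chmod go-rwx /tmp/.bugtraq
# LOG has to sit above REJECT in the chain, or the packet is never logged
iptables -I INPUT 1 -p udp --sport 2002 --dport 2002 -j LOG
iptables -I INPUT 2 -p udp --sport 2002 --dport 2002 -j REJECT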
YMMV.
David
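
A host check built from the artifacts named in the message above (the three /tmp files and UDP port 2002), as an added example that is not part of the original post. The root-directory and socket-table arguments are assumptions so it can be pointed at a mounted image or a constructed fixture.

```shell
#!/bin/sh
# Added example: host check for the artifacts named in the post.
# The root-directory and socket-table arguments are assumptions added so the
# check can run against a mounted image or a constructed fixture.

# Print one line per dropped-file artifact found under root $1 (default /).
# An empty .bugtraq is reported as a placeholder, because the post's "touch"
# inoculation creates exactly that file.
check_files() {
    root=${1:-/}
    for f in tmp/.uubugtraq tmp/.bugtraq.c tmp/.bugtraq; do
        p="${root%/}/$f"
        [ -e "$p" ] || continue
        if [ "$f" = "tmp/.bugtraq" ] && [ ! -s "$p" ]; then
            echo "placeholder $p"
        else
            echo "indicator $p"
        fi
    done
    return 0
}

# Print a line if a /proc/net/udp style table ($1) shows a socket bound to
# local UDP port 2002. The port is hex in the local_address column: 07D2.
check_udp_2002() {
    table=${1:-/proc/net/udp}
    [ -r "$table" ] || return 0
    awk 'NR > 1 { n = split($2, a, ":"); if (toupper(a[n]) == "07D2") hit = 1 }
         END { if (hit) print "indicator udp/2002 bound" }' "$table"
}

# Run against the live host only when asked to: sh check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    check_files /
    check_udp_2002 /proc/net/udp
fi
```

A "placeholder" line means the inoculation file is present; any "indicator" line warrants a closer look at the host.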