I am trying to run a Scalper worm for one of my experiments (in
college with my professor).
Operating System: FreeBSD 4.10
Apache: 1.3.20
I am running this experiment on a testbed (with the internet disconnected).
Now this is what happens: I run the worm as ./a 192.168.xx.xx
(the machine's own IP address) from within the /tmp directory.
The worm starts listening on UDP port 2001; it also starts scanning
the TCP ports (as it has received the 2 UDP messages).
Now on the machine which is being attacked, in the Apache error_log
file, I see the HTTP GET request, I also see the error message which
you had mentioned, and it also shows a segmentation fault. BUT
the worm does not transfer itself to the attacked machine, I mean
there is no worm in the /tmp folder on the machine which is being
attacked. Why is this happening? Can you suggest something to me? I
have only 2 days to complete the project.
Request for Question Clarification by maniac-ga on 14 May 2006 14:50 PDT
Hello Chinmayshah,
It's hard to say why the worm does not spread from the information
provided. Also, did you check for files named ".a" or ".uua" as
described at
http://www.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
Are both of these missing from the target system?
After reading through the release notes (between 4.5 and 4.10) there
wasn't a specific fix in FreeBSD that should affect the Scalper worm,
but depending on how the worm spreads, there were a number of security
fixes that may affect it including:
o changes to standard I/O handling
o a number of buffer overflow fixes
o fixes to system calls (returning system memory)
o manipulation of FFS file systems
If any of these prevent the spread, it would be necessary to use an
older version of FreeBSD to do the testing (4.5 as you suggested in
the subject).
According to some of the email traffic at the time this worm was found
/ fixed, there was also a suggestion to
o make /tmp be noexec
which would prevent the operation of this worm. I suggest you check
the permissions of /tmp as seen by the apache application to see if
that is preventing the spread.
Alternatively, if apache is running in a "jail" - you may be looking
in the wrong location for the spread of the worm.
If you find one of the items above to prevent the spread of the worm,
please make a clarification. If not, please indicate more fully the
symptoms when the worm attempts to spread.
Thanks.
--Maniac
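The checks maniac-ga suggests (look for the ".a"/".uua" drop files named in the Symantec write-up, and find out whether /tmp is mounted noexec) as a small target-side script. This is an added example, not code from the original thread or from the worm; it assumes FreeBSD-style mount(8) output ("device on /mountpoint (opt, opt, ...)") and the drop-file names from the linked write-up, and the helper names are my own. The jail question is left as a manual step, since on a 4.x system the reliable way to answer it is to compare the path Apache was started from with what the host's root filesystem shows.

```shell
#!/bin/sh
# Added example (not part of the original Google Answers thread): target-side
# checks for the "worm does not land in /tmp" symptom described above.
# Assumes FreeBSD-style `mount` output: "device on /mountpoint (opt, opt, ...)".
# Helper names (is_noexec_mount, find_scalper_drops, check_target) are my own.

# Return 0 if the mount table text in $1 lists directory $2 with the noexec
# option, 1 otherwise. Takes the text as an argument rather than calling
# mount(8) itself so it can also be run against output captured on another host.
is_noexec_mount() {
    _mtab="$1"
    _dir="$2"
    printf '%s\n' "$_mtab" | awk -v d="$_dir" '
        $2 == "on" && $3 == d && index($0, "noexec") > 0 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print the path of each Scalper drop file (.a, .uua per the Symantec write-up)
# that exists in directory $1. Prints nothing if none are present.
find_scalper_drops() {
    _dir="$1"
    for _name in .a .uua; do
        if [ -e "$_dir/$_name" ]; then
            printf '%s\n' "$_dir/$_name"
        fi
    done
    return 0
}

# Run both checks against the live host for the directory in $1 (default /tmp).
check_target() {
    _dir="${1:-/tmp}"
    if is_noexec_mount "$(mount)" "$_dir"; then
        echo "$_dir is mounted noexec: nothing can be executed from there"
    else
        echo "$_dir is not mounted noexec (or is not a separate mount)"
    fi
    _drops="$(find_scalper_drops "$_dir")"
    if [ -n "$_drops" ]; then
        printf 'drop files present:\n%s\n' "$_drops"
    else
        echo "no .a or .uua in $_dir"
    fi
}
```

Run `check_target` on the machine being attacked, as the user Apache runs as, so the directory you inspect is the one the httpd process actually sees. A noexec result explains a missing process but not a missing file, so read the two outputs together: the mount check says whether a dropped payload could run, the file check says whether anything was dropped at all.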