RE: unusual packet (tcpdump shows): rad-#0 41 [id 0] Attr[
msg#00213, security.incidents
We (We being the IT Staff at WTAMU) were infected with slapper on a vulnerable box and we took proper steps in cleaning the infected system and updating the RPMs provided by Red Hat and we got infected again with slapper. Again we took proper steps in cleaning the infected system, but this time we recompiled apache from source and since then we haven't had any other problems with slapper. That's why I say that Red Hat hasn't patched their packages correctly.

James Williams
Network Systems Technician
West Texas A&M University
http://www.wtamu.edu
Phone: (806) 651-2162
Email: jwilliams@xxxxxxxxxxxxxx

-----Original Message-----
From: Jason Giglio [mailto:jgiglio@xxxxxxxxxx]
Sent: Wednesday, October 23, 2002 12:45 AM
To: jwilliams@xxxxxxxxxxxxxx
Cc: incidents@xxxxxxxxxxxxxxxxx; ran_mobby@xxxxxxxxxxxxxx
Subject: Re: unusual packet (tcpdump shows): rad-#0 41 [id 0] Attr[

On Tue, 22 Oct 2002 10:51:08 -0500 "James Williams" <jwilliams@xxxxxxxxxxxxxx> wrote:

> Your server is infected with the Slapper Worm. What you need to do
> is contact your ISP and ask them to block udp/1812 at the router
> coming into their network and you need to recompile apache from
> source with the latest packages since red hat or whatever
> distribution you are using isn't patching their compilations of
> their packages correctly.

Just a note, Red Hat released the errata for this days after discovery. They didn't update their version reported by running the binary with the version command (but they did increment the patchlevel number of the RPM), and since they backport patches for security, some people misunderstood this to mean they never fixed it, but rest assured it is patched, and has been patched, in any updated Red Hat system.

Recompiling the newest feature release from source for each security patch is not particularly good advice IMHO. Red Hat and other distros do the work to release patched binaries of existing versions to prevent disruption of your production servers; if you are compiling from source, you are just creating extra work for yourself and risking instability in production environments.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
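
The point made in the thread above, that a backported fix raises the RPM release while the version the binary reports stays the same, can be checked from the package changelog instead of the banner. The following is an added example, not part of the original messages; the function names, the sample changelog and the `FIX-ID-PLACEHOLDER` identifier are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide from package metadata, not the
# version banner, whether a fix was backported.
# Real use: rpm -q --changelog <package> | check_backport <fix-id> <banner-version>

# Constructed sample in the layout `rpm -q --changelog` prints; not a real
# vendor changelog. FIX-ID-PLACEHOLDER stands in for the advisory identifier.
sample_changelog() {
cat <<'EOF'
* Tue Oct 01 2002 Example Packager <packager@example.invalid> 1.0.0-7
- backport fix for FIX-ID-PLACEHOLDER (no upstream version change)

* Mon Jul 01 2002 Example Packager <packager@example.invalid> 1.0.0-6
- rebuild
EOF
}

# fix_entry FIX_ID: read changelog text on stdin and print the header line of
# the first entry whose body mentions FIX_ID. Exit status 1 if none does.
fix_entry() {
    awk -v id="$1" '
        /^\* /        { header = $0; next }   # "* date packager version-release"
        index($0, id) { print header; found = 1; exit }
        END           { exit !found }
    '
}

# upstream_version EVR: drop the "-release" suffix. What remains is the
# upstream version, which is what the binary's version banner reflects.
upstream_version() { printf '%s\n' "${1%-*}"; }

# check_backport FIX_ID BANNER_VERSION: changelog on stdin, verdict on stdout.
check_backport() {
    hdr=$(fix_entry "$1") || { echo "not-found"; return 1; }
    evr=$(printf '%s\n' "$hdr" | awk '{ print $NF }')
    if [ "$(upstream_version "$evr")" = "$2" ]; then
        # Same upstream version as the banner: the fix arrived as a release
        # bump, so the banner alone cannot show it.
        echo "backported-in $evr"
    else
        echo "fixed-by-rebase $evr"
    fi
}
```

A `not-found` result means the changelog does not name the fix, not that the package is vulnerable; compare the installed release against the one listed in the vendor's errata in that case.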