# Apache ssl worm

## J4Y

Someone pointed this out on my local LUG mailing list. A worm which exploits any ssl enabled Apache webserver. Apparently all versions of Apache on Gentoo are vulnerable.

http://www.sophos.com/virusinfo/analyses/linuxslappera.html

I have emerged the latest apache (apache 1.3.26-r3) and mod_ssl (mod_ssl 2.8.10); am I still vulnerable?

----------

## pilla

I thought the problem was with openssl < 0.9.6g (which is already in portage)

emerge it!!

 *J4Y wrote:*   

> Someone pointed this out on my local LUG mailing list. A worm which exploits any ssl enabled Apache webserver. Apparently all versions of Apache on Gentoo are vulnerable.
> 
> http://www.sophos.com/virusinfo/analyses/linuxslappera.html
> 
> I have emerged the latest apache (apache 1.3.26-r3) and mod_ssl (mod_ssl 2.8.10); am I still vulnerable?

 

----------

## msb21

If you are running a version of openssl greater than .0.9.6d, according to the security release, you should be fine. I am running .0.9.6e. How do you upgrade packages? openssl-0.9.6g is available and when I ran emerge upgrade world and system it did not upgrade this package.

Thanks,

matt

----------

## pilla

try

```
emerge rsync
emerge openssl
emerge clean
```

 *msb21 wrote:*   

> If you are running a version of openssl greater than .0.9.6d, according to the security release, you should be fine. I am running .0.9.6e. How do you upgrade packages? openssl-0.9.6g is available and when I ran emerge upgrade world and system it did not upgrade this package.
> 
> Thanks,
> 
> matt

 

----------

## rac

Make sure if you are using mod_ssl to remerge it after you have upgraded openssl.

----------

## Messiah

May I ask why one has to remerge mod_ssl after remerging openssl? Does the same apply to other 'dependencies'? For instance, does one have to remerge mod_ssl (or mod_php) after remerging apache?

----------

## rac

 *Messiah wrote:*   

> May I ask why one has to remerge mod_ssl after remerging openssl?

 

It's a good question.  Since mod_ssl.so is dynamically linked against openssl, you would think that it would magically pick up the new version, but it didn't for me.  I checked Apache's error.log file and it would still say the old version of OpenSSL until I remerged mod_ssl.

 *Quote:*   

> Does the same apply to other 'dependencies'? For instance, does one have to remerge mod_ssl (or mod_php) after remerging apache?

 

It depends on the exact software in question.  In your example, if you upgraded Apache from 1.3 to 2.0, I would expect Apache might have a completely different calling syntax and remerging mod_ssl and mod_php would be needed.  If it's only a minor version bump, there should be no need to remerge mod_ssl and mod_php just because apache has been upgraded.

----------

## count

How do you know if you've been infected??

----------

## rac

 *count wrote:*   

> How do you know if you've been infected??

 

Did you follow the link in the first post of the thread?  Look for processes and files in /tmp/ named .bugtraq.

----------

## nemo_

Someone posted this on bugtraq a few days ago; I think many of you might be interested. It checks for the buffer overflow the slapper worm uses, and can also check other openssl enabled services like stunnel, sendmail with TLS ...

Thanks to this tool I found out my apache was still vulnerable because it was loading an old module even though it had the patched code built in (duh).

http://CERT.Uni-Stuttgart.DE/advisories/openssl-sslv2-master/openssl-sslv2-master.c

----------
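The error.log check rac describes, and the stale-module case nemo_ ran into, can be scripted. This is an added example, not code from any poster in the thread; it assumes the Apache 1.3 startup banner format shown in the constructed sample log, and the function names and the minimum version passed in are the caller's choice.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Apache 1.3 startup banner
# format and that ServerTokens leaves module versions in the banner.

# Print the OpenSSL version from the most recent startup banner in file $1
# (reads stdin when $1 is "-" or missing).
loaded_openssl_version() {
    grep 'configured -- resuming normal operations' "${1:--}" |
        sed -n 's/.*OpenSSL\/\([0-9][0-9.]*[a-z]*\).*/\1/p' | tail -n 1
}

# Succeed when version $1 is older than $2: numeric fields, then patch letter.
version_lt() {
    awk -v a="$1" -v b="$2" '
    function key(v,   ltr, f, i, out) {
        ltr = v; sub(/^[0-9.]*/, "", ltr)   # patch letter, may be empty
        sub(/[a-z]+$/, "", v)               # numeric part, e.g. 0.9.6
        split(v, f, ".")
        for (i = 1; i <= 3; i++) out = out sprintf("%05d.", f[i])
        return out ltr
    }
    BEGIN { exit !(key(a) < key(b)) }'
}

# Print a verdict: 0 = loaded version >= minimum, 1 = stale, 2 = no banner.
check_loaded_openssl() {
    log=$1 min=$2
    ver=$(loaded_openssl_version "$log")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no OpenSSL startup banner found"; return 2
    fi
    if version_lt "$ver" "$min"; then
        echo "STALE: Apache loaded OpenSSL $ver (< $min); remerge mod_ssl and restart Apache"
        return 1
    fi
    echo "OK: Apache loaded OpenSSL $ver"
}

# Constructed sample: openssl was upgraded and Apache restarted, but the
# banner still reports the old library because mod_ssl was not remerged.
sample_log() {
    cat <<'EOF'
[Mon Sep 16 09:00:01 2002] [notice] Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d configured -- resuming normal operations
[Mon Sep 16 09:40:12 2002] [notice] caught SIGTERM, shutting down
[Mon Sep 16 09:40:15 2002] [notice] Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d configured -- resuming normal operations
EOF
}

# Minimum taken from msb21's post (greater than 0.9.6d); pilla's post cites 0.9.6g.
sample_log | check_loaded_openssl - 0.9.6e || true
```

On a real host, pass the path to Apache's error.log instead of `-`.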

