Re: slapper countermeasures
> > On Wed, 2002-09-18 at 06:05, Michael Renzmann wrote:
> > > "killall .bugtraq" would be suitable as well, and it would "destroy"
> > > every other instance of the program that is running currently. Even if
> > > detecting the current PPID does not work for whatever reason.
> > *chuckle*
Unrelated to the previous post, but related to the thread, just FWIW (by
someone who has seen hundreds of slapper infections in the past week)
there are now several names for the process/files:
update (a backdoor)
.cinic (.cinik? cant remember)
look for others.. I found k in /var/tmp/.../ so .tmp is not the only
place to check.. anywhere writeable by the user that apache is running
as. I've also seen a couple versions which included psybnc or something
similar (a little app that allows a windows luser to bounce their irc
connection off of the server, thereby hiding their identity).
Hope this is helpful :)