Event ID - 2002

Port No: 2002
Service Name: ELF_SLAPPER
RFC Doc: 0
Protocol: UDP
Description: This Linux worm is a variant of ELF_SLAPPER.GEN. It uses the SSL exploit in Apache Web server to gain access to the host computer. Once it has infiltrated the host computer, it can launch a DDoS attack on a specific host.

*Consult ELF_SLAPPER.GEN for the specific versions of these SSL and Apache exploits and the details of the DDoS operation.

Compared with ELF_SLAPPER.GEN, this variant uses a different port number to communicate and different filenames under which it copies itself.

This worm also mails information on the compromised machine to a specific email address. It has a backdoor component that listens on port number 1052 for files that it downloads and executes.
Reference Link: ELF_SLAPPER
Attack Solution:

1. Shut down the Apache Web service.
2. Scan your system with Trend Micro antivirus and delete all files detected as ELF_SLAPPER.C. To do this, Trend Micro customers must download the latest pattern file and scan their system.
3. Use any available process viewer program to view and terminate the .unlock* process.

Note: In order to avoid getting infected by ELF_SLAPPER.C, users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.
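
The host-side indicators named in this entry (UDP port 2002, the backdoor listener on port 1052, and processes named .unlock*) can be checked together during triage. The following is an added example, not part of the original entry or any vendor tool; it assumes listener output in `ss -H -lntu` format and process output in `ps -eo pid=,args=` format, the sample data is constructed, and because the entry does not state the protocol for port 1052, either protocol is flagged.

```python
# Indicators taken from the entry above.
WORM_UDP_PORT = 2002      # worm communication port (Protocol: UDP)
BACKDOOR_PORT = 1052      # backdoor listener; protocol not stated in the entry
PROC_PREFIX = ".unlock"   # process name pattern ".unlock*"

def parse_listeners(ss_output):
    """Yield (proto, port) for each line of `ss -H -lntu` style output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("udp", "tcp"):
            continue
        # Local address is the 5th column; port follows the last colon (IPv6-safe).
        port = fields[4].rsplit(":", 1)[-1]
        if port.isdigit():
            yield fields[0], int(port)

def find_indicators(ss_output, ps_output):
    """Return a list of (kind, detail) findings matching the entry's indicators."""
    findings = []
    for proto, port in parse_listeners(ss_output):
        if proto == "udp" and port == WORM_UDP_PORT:
            findings.append(("listener", f"udp/{port}"))
        elif port == BACKDOOR_PORT:
            findings.append(("listener", f"{proto}/{port}"))
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            # Compare on the executable's base name so a full path still matches.
            name = parts[1].split()[0].rsplit("/", 1)[-1]
            if name.startswith(PROC_PREFIX):
                findings.append(("process", f"pid {parts[0]} {name}"))
    return findings

# Constructed sample data (not captured from a real host).
SAMPLE_SS = """\
udp UNCONN 0 0 0.0.0.0:2002 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 5 [::]:1052 [::]:*
tcp LISTEN 0 128 0.0.0.0:2002 0.0.0.0:*
"""
SAMPLE_PS = """\
  812 httpd
 4410 /tmp/.unlock-EXAMPLE
 4502 sshd
"""

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_SS, SAMPLE_PS):
        print(f"{kind}: {detail}")
```

A TCP listener on port 2002 is deliberately not flagged, since the entry lists this port as UDP only.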
