chkrootkit Finds Slapper Worm Installed
Rootkit hunters such as chkrootkit are great for monitoring
your server for security holes, but sometimes they report false
positives. These look like real security threats when you run
the software, so it can be hard to tell whether you are in fact
in trouble or the report is false.
One of these known false entries is 'Slapper Worm'.
The Slapper Worm warning may be a false entry if a process was
running when chkrootkit started and finished before chkrootkit
finished running.
To verify this, wait a couple of minutes after you get your
chkrootkit report via e-mail, or after you run it on the command
line. After you wait 1 - 2 minutes, simply log in to your server
via SSH and run chkrootkit again. If it comes up with
"Checking `slapper'... not infected", you know it was a false
entry. If it again tells you
"Checking `slapper'... Warning: Possible Slapper Worm installed",
wait a minute and run chkrootkit a 3rd time to verify that the
worm is really installed. If it is, you need to take measures to
secure your server now: attempt to remove the Slapper worm, or
re-install, re-load your data and harden your server again.
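The re-check procedure above as shell functions; this is an added example, not part of the original article. The names `slapper_status`, `recheck_slapper`, `CHKROOTKIT_CMD` and `RECHECK_WAIT` are chosen for this example, and it assumes chkrootkit is on the PATH, is run as root, and prints the slapper result lines quoted above.

```shell
#!/bin/sh
# Added example: repeat chkrootkit's slapper test as the article describes.
# CHKROOTKIT_CMD and RECHECK_WAIT are names chosen for this example.
# "chkrootkit slapper" runs only the slapper test (test names are arguments).
CHKROOTKIT_CMD="${CHKROOTKIT_CMD:-chkrootkit slapper}"
RECHECK_WAIT="${RECHECK_WAIT:-90}"   # seconds between runs (article: 1 - 2 minutes)

# Read chkrootkit output on stdin; print clean, warning or unknown.
slapper_status() {
    # Only the slapper line matters; other tests also print "not infected".
    line=$(grep -F 'Checking `slapper' | head -n 1) || true
    case "$line" in
        *"Possible Slapper Worm installed"*) echo warning ;;
        *"not infected"*)                    echo clean ;;
        *)                                   echo unknown ;;
    esac
}

# Run the test up to three times with a pause between runs.
# Returns 0 as soon as a run is clean, 1 if all three runs warn,
# 2 if the slapper line could not be found in the output.
recheck_slapper() {
    run=1
    while [ "$run" -le 3 ]; do
        result=$($CHKROOTKIT_CMD 2>/dev/null | slapper_status)
        echo "run $run: slapper $result" >&2
        case "$result" in
            clean)   return 0 ;;
            unknown) return 2 ;;
        esac
        if [ "$run" -lt 3 ]; then sleep "$RECHECK_WAIT"; fi
        run=$((run + 1))
    done
    return 1
}
```

After sourcing the file as root, call `recheck_slapper`: exit status 0 means a run came back not infected, 1 means three runs in a row warned, and 2 means the slapper line was not found in the output.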
If you run a cPanel server, BindShell is a false entry as well
(this happens on all cPanel servers).
Original:
http://www.ukwebmasterforums.com/t4925-chkrootkit-finds-slapper-worm-installed.html