This worm has been referred to by at least four different names:
Apache/mod_ssl worm, linux.slapper.worm, bugtraq.c worm and Modap worm.
On Friday September 13th the first reports appeared on Bugtraq of an active worm exploiting the OpenSSL buffer overflow
vulnerability reported at the end of July.
The next day CERT issued Advisory CA-2002-27 Apache/mod_ssl Worm.
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
September 15th, at 17:00 GMT, F-Secure Corporation reported 13,000 infected servers
out of "over 1,000,000 active OpenSSL
installations in the public web."
Updates to fix the problem, including backports to earlier versions of OpenSSL, had been available for over a month
from the OpenSSL project, Caldera, Conectiva, Debian, EnGarde, Eridani, Gentoo, Mandrake, OpenPKG, Red Hat, SuSE, Trustix and Yellow Dog.
SecurityFocus has completed and released a full analysis (PDF format) of the worm in addition to their initial incident Alert (PDF format).
F-Secure is maintaining a "Virus Description" of
this worm with lots of interesting information.
The first reports in the press appeared Friday,
the day the worm was first seen, in
Network World Fusion.
The next day CNET put up another story with
additional information. By Monday evening both the Register and
had published their reports on events to date. On Tuesday Network World Fusion reported that the worm has infected at least 30,000 Linux Apache Web servers.
this other article from TechWeb on the worm:
According to Dan Ingevaldson, team lead of the X-Force R&D division at ISS, the first version may be a test to see how well the worm works before more deadlier versions surface. "Unlike Code Red and Nimda, where virus writers didn't have immediate access to the source code, the source code for this worm is already widely public," he says. "I'd expect new versions to start to surface."
RUS-CERT has made available a tool to remotely detect vulnerable servers. However, Eric Rescorla has
observed behavior different from what that tool expects.
In the unlikely event that you haven't already, applying the appropriate OpenSSL update might be a very good thing to do before reading any further.
to post comments)