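#!/bin/bash
#Slapper detect and removal tool V0.1.
#Copyright 2001, 2002 William Stearns
#Released under the GPL.
#
# Looks for the three /tmp paths this script associates with the Linux
# Slapper worm and passes them to the detectlib helpers. The helper
# functions (InitDetectLib, AttackName, AttackMarker, PathToRunningApps,
# AttackFiles) and the $True/$False values are not defined in this file;
# they are expected to come from detectlib.
#
# Exit status:
#   2       detectlib could not be loaded
#   $True   AttackMarker reported a match
#   $False  AttackMarker reported no match
#
# A "not found" result only covers the three paths listed below; it is not
# evidence that the host is clean.

# Load the helper library from the current directory only. A bare
# ". detectlib" makes bash search $PATH before the current directory, so a
# same-named file earlier in $PATH would be executed instead, with the
# privileges of whoever runs this tool. Run the script from a directory
# that untrusted users cannot write to.
if ! . ./detectlib ; then
	echo 'Cannot find detectlib in the current directory, exiting' >&2
	exit 2
fi

InitDetectLib
#optional test:
#if [ $DetectLibVer -lt 010 ]; then
#	echo detectlib is too old, please update.  Exiting.
#	exit 1
#fi

AttackName Linux Slapper Worm

# NOTE(review): AttackMarker presumably succeeds when any listed path
# exists - confirm against detectlib.
if AttackMarker /tmp/.bugtraq.c /tmp/.uubugtraq /tmp/.bugtraq ; then
	# NOTE(review): presumably detectlib stops processes running from this
	# path and removes the listed files - confirm against detectlib.
	PathToRunningApps \
		/tmp/.bugtraq
	AttackFiles \
		/tmp/.bugtraq.c \
		/tmp/.uubugtraq \
		/tmp/.bugtraq

	# Removing the worm's files does not undo what was done while it ran,
	# so the operator is told to treat the host as compromised.
	echo 'Please remember that slapper has been running as the user under'
	echo 'which Apache runs, and has been able to run commands on your'
	echo 'system sent from the Internet. In at least one case, this'
	echo 'includes the remote installation of a rootkit, with subsequent'
	echo 'root access. We strongly recommend that you:'
	echo '- Do a full check of system integrity, including tripwire and'
	echo ' or "rpm -Va" checks/'
	echo '- Change root and all user passwords'
	echo '- Apply all available updates to your system, especially openssl'
	echo
	echo 'Also, every email address stored in any file on your system may'
	echo 'have been sent off to anyone with access to the slapper network.'

	# Left unquoted on purpose: if detectlib did not set the value, a bare
	# "exit" falls back to the status of the previous command.
	exit $True	#Attack found
else
	exit $False	#Attack not found
fi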