On Sat, Sep 14, 2002 at 08:14:56PM +0200, Michael Renzmann wrote: > Any idea about the outgoing connections to port 80? We noticed that the > bugtraq-process systematically tries to connect to port 80 in an ip > block, and it keeps trying and trying, incrementing the ip addresses by > one per step (1.2.3.4, 1.2.3.5, 1.2.3.6, and so on). We could not find > out what is done with this connection, nor what the purpose of this > "scan" is. It seems like it tries connecting to port 80 via the GetAddress function to determine if a host is running Apache on the standard http port. The target host must be running Apache on port 80 in order for the worm to even consider making an https connection to it. See the following code from the exploit() routine: if ((a=GetAddress(ip)) == NULL) exit(0); if (strncmp(a,"Apache",6)) exit(0); It then proceeds to go off and initiate 20 connections to the https port and attempts to exploit the OpenSSL vulnerability. noah -- _______________________________________________________ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Attachment:
pgpORpFhpAWQf.pgp
Description: PGP signature