[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: bugtraq.c httpd apache ssl attack



On Sat, Sep 14, 2002 at 07:24:06PM +0200, Michael Renzmann wrote:
> One thing that makes me wonder: after I wrote my first few lines about 
> the attack on the rlx blade server that we experienced, someone gave a 
> correct hint to the worm (describing it with some of its actions), and 
> also mentioned a URL for the source code of the worm. When looking at 
> that source (http://dammit.lt/apache-worm/apache-worm.c) it is quite 
> obviously that "our" source is totally different. Is there a second 
> variant of the worm, or is this another worm using the same exploit?

There are two worms.  One is old, one is new.  The one at
http://217.24.0.78/bugtraq.c.txt is the new one.  It communicates via
UDP port 2002, though I'm not actually sure what data gets sent on that
port.  The old worm used UDP port 2001, and showed up shortly after the
original OpenSSL vulnerability in late July.  Its source is at
http://dammit.lt/apache-worm/apache-worm.c

These worms both exploit the same OpenSSL bug.  woody is not vulnerable
to this exploit if you're using the latest openssl packages from
security.debian.org.  If you haven't restarted Apache since updating
those packages, though, your Apache process is still linked against the
old libraries and is therefore still vulnerable.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

Attachment: pgpBK8X6WeNrQ.pgp
Description: PGP signature


Reply to: