[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: bugtraq.c httpd apache ssl attack



On Sat, Sep 14, 2002 at 08:14:56PM +0200, Michael Renzmann wrote:
> Any idea about the outgoing connections to port 80? We noticed that the 
> bugtraq-process systematically tries to connect to port 80 in an ip 
> block, and it keeps trying and trying, incrementing the ip addresses by 
> one per step (1.2.3.4, 1.2.3.5, 1.2.3.6, and so on). We could not find 
> out what is done with this connection, nor what the purpose of this 
> "scan" is.

It seems like it tries connecting to port 80 via the GetAddress function
to determine if a host is running Apache on the standard http port.
The target host must be running Apache on port 80 in order for the worm
to even consider making an https connection to it.  See the following
code from the exploit() routine:
	if ((a=GetAddress(ip)) == NULL) exit(0);
	if (strncmp(a,"Apache",6)) exit(0);

It then proceeds to go off and initiate 20 connections to the https
port and attempts to exploit the OpenSSL vulnerability.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

Attachment: pgpHNIvppJEB0.pgp
Description: PGP signature


Reply to: