Re: bugtraq.c httpd apache ssl attack

To: Phillip Hofmeister <plhofmei@zionlth.org>
Cc: "debian-security@lists.debian.org" <debian-security@lists.debian.org>
Subject: Re: bugtraq.c httpd apache ssl attack
From: Michael Renzmann <mrenzmann@dylanic.de>
Date: Sat, 14 Sep 2002 21:12:00 +0200
Message-id: <[🔎] 3D838A00.2000505@dylanic.de>
References: <[🔎] 20020914185756.GA31379@zionlth.org>

Hi.

Phillip Hofmeister wrote:
> Is this log evidence of our worm?

Not exactly. Here is the log of "our" machine that has been attacked:

=== cut ===

[Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sentHTTP/1.1 request without hostname (see RFC2616 section 14.23): /[Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (serverlocalhost:443, client 210.243.234.135) (OpenSSL library error follows

[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSLroutines:GET_CLIENT_FINISHED:connection id is different[Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out(client 210.243.234.135, server localhost:443)

(the last message was repeated for 20 times, telling about the timeoutof every of the 20 connections to the https-port the worm opens afterfinding a running webserver on port 80)

=== cut ===

The given IP address (210. ...) was the address that the bugtraq-programwas given as some kind of "uplink server" address.


Bye, Mike

Reply to:

References:
- bugtraq.c httpd apache ssl attack
  - From: Phillip Hofmeister <plhofmei@zionlth.org>

Prev by Date: bugtraq.c httpd apache ssl attack
Next by Date: Re: Fwd: bugtraq.c httpd apache ssl attack
Previous by thread: bugtraq.c httpd apache ssl attack
Next by thread: Re: bugtraq.c httpd apache ssl attack
Index(es):
- Date
- Thread