[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: bugtraq.c httpd apache ssl attack


Phillip Hofmeister wrote:
> Is this log evidence of our worm?

Not exactly. Here is the log of "our" machine that has been attacked:

=== cut ===
[Fri Sep 13 00:45:44 2002] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client (OpenSSL library error follows
[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different [Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client, server localhost:443)

(the last message was repeated for 20 times, telling about the timeout of every of the 20 connections to the https-port the worm opens after finding a running webserver on port 80)
=== cut ===

The given IP address (210. ...) was the address that the bugtraq-program was given as some kind of "uplink server" address.

Bye, Mike

Reply to: