
Re: Fwd: bugtraq.c httpd apache ssl attack



Hi Florian.

Florian Weimer wrote:
> If you want to do your own tests (without fooling around with the
> worm), you can use our tool:
>
> http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php

Great tool, thanks.

The website of the RUS-CERT mentions in the description of the worm: "Bei verwundbaren Systemen hinterläßt der Wurm angeblich keine Logfileeintragungen." (for the non-German readers: it's something like "it is said that the worm does not leave any log entries on vulnerable systems"). From what I can say this is not correct. I was able to see the following log entries:

[Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client 210.243.234.135) (OpenSSL library error follows)
[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client 210.243.234.135, server localhost:443)
[... the last line was repeated another 19 times with slightly different timestamps for the same client IP ...]

The system is Red Hat Linux release 7.2 (Enigma), running openssl-0.9.6b-8, mod_ssl-2.8.4-9 and apache-1.3.20-16 (as delivered from RLX as management blade for the rlx 300ex).

From what I heard (iirc you told me about that) the worm fired twenty requests towards any probed webserver, so the above "logfile signature" should at least give a clear hint, or am I wrong in that part?

Bye, Mike
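The "logfile signature" described in the message above, turned into a detection pass over Apache 1.3 / mod_ssl error_log lines. This is an added example and is not part of the original post, of the worm, or of the RUS-CERT tool. It matches the four line shapes Mike quotes, attributes the IP-less OpenSSL line to the client named in the immediately preceding "SSL handshake failed ... (OpenSSL library error follows)" line, and flags a client that produced at least one GET_CLIENT_FINISHED "connection id is different" error plus a burst of handshake timeouts. The thresholds (10 timeouts within 15 minutes) are assumptions chosen from the roughly twenty connections he mentions; the sample log, including the 19 repeated timeouts and the unrelated entries from other hosts, is constructed.

```python
"""Scan Apache 1.3 / mod_ssl error_log lines for the SSLv2 probe signature."""
import re
from collections import defaultdict
from datetime import datetime

LOG_TS = "%a %b %d %H:%M:%S %Y"   # Apache 1.3 error_log timestamp format

# One regex per line shape quoted in the message above.
RE_NO_HOST = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"client sent HTTP/1\.1 request without hostname")
RE_HS_FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server [^,]+, client (?P<ip>[\d.]+)\)")
RE_CONN_ID = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] OpenSSL: error:1406908F:"
    r"SSL routines:GET_CLIENT_FINISHED:connection id is different")
RE_TIMEOUT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake timed out "
    r"\(client (?P<ip>[\d.]+), server [^)]+\)")


def parse_events(lines):
    """Yield (timestamp, client_ip, kind) for each recognised line.

    The OpenSSL line carries no client IP; mod_ssl writes it right after the
    "SSL handshake failed ... (OpenSSL library error follows)" line, so it is
    attributed to that line's client. Unrecognised lines are skipped.
    """
    last_failed_ip = None
    for line in lines:
        line = line.rstrip("\n")
        if m := RE_NO_HOST.match(line):
            yield datetime.strptime(m["ts"], LOG_TS), m["ip"], "no_host"
        elif m := RE_HS_FAILED.match(line):
            last_failed_ip = m["ip"]
            yield datetime.strptime(m["ts"], LOG_TS), m["ip"], "hs_failed"
        elif m := RE_CONN_ID.match(line):
            if last_failed_ip:
                yield datetime.strptime(m["ts"], LOG_TS), last_failed_ip, "conn_id"
        elif m := RE_TIMEOUT.match(line):
            yield datetime.strptime(m["ts"], LOG_TS), m["ip"], "timeout"


def find_probes(lines, min_timeouts=10, window_seconds=900):
    """Return {client_ip: summary} for clients matching the signature.

    A client is flagged when it caused at least one "connection id is
    different" error and at least `min_timeouts` handshake timeouts, with all
    of its events inside `window_seconds` of its first one. Both thresholds
    are assumptions, not values from the original message.
    """
    per_ip = defaultdict(lambda: {"counts": defaultdict(int), "first": None, "last": None})
    for ts, ip, kind in parse_events(lines):
        rec = per_ip[ip]
        rec["counts"][kind] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)

    hits = {}
    for ip, rec in per_ip.items():
        c = rec["counts"]
        span = (rec["last"] - rec["first"]).total_seconds()
        if c["conn_id"] >= 1 and c["timeout"] >= min_timeouts and span <= window_seconds:
            hits[ip] = {
                "no_host": c["no_host"], "hs_failed": c["hs_failed"],
                "conn_id": c["conn_id"], "timeouts": c["timeout"],
                "first": rec["first"].isoformat(), "last": rec["last"].isoformat(),
            }
    return hits


def sample_log():
    """Constructed sample: the lines quoted in the message, the 19 repeated
    timeouts (made-up timestamps), and unrelated noise from two other hosts."""
    lines = [
        "[Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /",
        "[Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client 210.243.234.135) (OpenSSL library error follows)",
        "[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different",
        "[Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client 210.243.234.135, server localhost:443)",
    ]
    for i in range(1, 20):
        lines.append(f"[Fri Sep 13 00:51:{i:02d} 2002] [error] mod_ssl: SSL handshake timed out (client 210.243.234.135, server localhost:443)")
    # Benign: one failed handshake for another reason, and one lone request without a Host header.
    lines.append("[Fri Sep 13 01:02:10 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client 192.0.2.7) (OpenSSL library error follows)")
    lines.append("[Fri Sep 13 01:02:10 2002] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher")
    lines.append("[Fri Sep 13 01:05:33 2002] [error] [client 198.51.100.9] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /")
    return lines


if __name__ == "__main__":
    for ip, summary in find_probes(sample_log()).items():
        print(ip, summary)
```

To run it against a real file, replace `sample_log()` with `open("/var/log/httpd/error_log")`; the parser works on any iterable of lines. Note that the timeout count alone is a weak signal (slow or broken clients also time out); the combination with the GET_CLIENT_FINISHED error from the same client within a short window is what makes the pattern specific.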


