[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: bugtraq.c httpd apache ssl attack

Hi Florian.

Florian Weimer wrote:
If you want to do your own tests (without fooling around with the
worm), you can use our tool:


Great tool, thanks.

The website of the RUS-CERT mentions in the description of the worm: "Bei verwundbaren Systemen hinterläßt der Wurm angeblich keine Logfileeintragungen." (for the non-german readers: it's something like "it is said that the worm does not leave any log entries on vulnerable systems"). From what I can say this is not correct. I was able to see the following log entries:

[Fri Sep 13 00:45:44 2002] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client (OpenSSL library error follows
[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different [Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client, server localhost:443) [... the last line was repeated for another 19 times with slightly different timestamps for the same client ip ...]

The system is Red Hat Linux release 7.2 (Enigma), running openssl-0.9.6b-8, mod_ssl-2.8.4-9 and apache-1.3.20-16 (as delivered from RLX as management blade for the rlx 300ex).

From what I heard (iirc you told me about that) the worm fired twenty requests towards any probed webserver, so the above "logfile signature" should at least give a clear hint, or am I wrong in that part?

Bye, Mike

Reply to: