New worm?

From: Norbert Bollow (nbat_private)
Date: Tue Sep 24 2002 - 15:16:41 PDT


    Summary:  Apache webserver logfiles show malicious activity seeking
    to exploit OpenSSL vulnerability.  In one case the break-in was
    successful, in one case it wasn't.  I think this is probably a
    worm, which may be similar to the Slapper worm.  (But it's not any
    of the well-known variants of the Slapper worm.)
    
    Here are the gory details:
    
    On one machine (GNU/Linux (heavily modified Redhat Linux) on AMD-K6 3D
    processor, Apache/1.3.17 (Unix) with mod_perl/1.25, mod_ssl/2.8.0,
    OpenSSL/0.9.6 which I compiled myself some time back) I see this in the
    error logfile:
    
    --snip------------------------------------------------------------
    [Sun Sep 22 12:03:46 2002] [error] mod_ssl: SSL handshake failed (server www.surrogacy.com:443, client 66.216.96.82) (OpenSSL library error follows)
    [Sun Sep 22 12:03:46 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
    [Sun Sep 22 21:57:11 2002] [error] mod_ssl: SSL handshake failed (server www.surrogacy.com:443, client 66.216.96.112) (OpenSSL library error follows)
    [Sun Sep 22 21:57:11 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
    [Mon Sep 23 04:02:21 2002] [notice] Apache/1.3.17 (Unix) mod_perl/1.25 mod_ssl/2.8.0 OpenSSL/0.9.6 configured -- resuming normal operations
    [Mon Sep 23 04:31:40 2002] [error] mod_ssl: SSL handshake failed (server www.surrogacy.com:443, client 209.145.157.119) (OpenSSL library error follows)
    [Mon Sep 23 04:31:40 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
    [Mon Sep 23 14:00:33 2002] [error] mod_ssl: SSL handshake failed (server www.surrogacy.com:443, client 216.229.183.80) (OpenSSL library error follows)
    [Mon Sep 23 14:00:33 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
    [Tue Sep 24 04:02:28 2002] [notice] Apache/1.3.17 (Unix) mod_perl/1.25 mod_ssl/2.8.0 OpenSSL/0.9.6 configured -- resuming normal operations
    [Tue Sep 24 04:23:33 2002] [error] mod_ssl: SSL handshake failed (server www.surrogacy.com:443, client 217.35.32.244) (OpenSSL library error follows)
    [Tue Sep 24 04:23:33 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
    --snap------------------------------------------------------------
    
    (An excerpt, extracted with grep, but otherwise unmangled.)
    
    I don't see any suspicious-looking processes, network activity, or
    files in /tmp.
    
    (Yes, I'm typing this while compiling the newest version of OpenSSL
    with the bugfixes.)
    
    On a different machine (GNU/Linux (RedHat Linux 7.2 with minor
    modifications) on Intel Pentium 4, Apache/1.3.20 with
    mod_python/2.7.6, Python/1.5.2, mod_ssl/2.8.4, OpenSSL/0.9.6b,
    mod_perl/1.24_01) I see
    
    --snip------------------------------------------------------------
    [Mon Sep 23 02:46:50 2002] [error] mod_ssl: SSL handshake failed (server rimmon.cisto.com:443, client 199.203.55.64) (OpenSSL library error follows)
    [Mon Sep 23 02:46:50 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
    --snap------------------------------------------------------------
    
    Also there was a very obvious highly suspicious process:
    
    $ ps auxww|grep 11345
    apache   11345  0.0  0.0  1476    4 ?        S    Sep23   0:00 ./Zatron
    
    According to strace it was just waiting for input on file descriptor 6.
    
    I did not find any files in /tmp, nor any file with name "Zatron"
    anywhere in the filesystem.  fuser reports nothing concerning the
    udp ports that are known for Slapper worm activity.
    
    Greetings, Norbert.
    
    -- 
    Founder & Steering Committee member of http://gnu.org/projects/dotgnu/
    Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
    Tel +41 1 972 20 59        Fax +41 1 972 20 69       http://norbert.ch
    List hosting with GNU Mailman on your own domain name http://cisto.com
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
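The two observations in the post, repeated pairs of "SSL handshake failed" / "error:1406908F ... GET_CLIENT_FINISHED:connection id is different" lines in the Apache error log, and a process (`./Zatron`) whose binary cannot be found anywhere on disk, are both things a responder would want to check mechanically on other hosts. The script below is an added example and not part of the original post or of any tool the author mentions. It does two things: it pairs each mod_ssl handshake-failure line with the OpenSSL error line that follows it and counts, per client address, how many carry the 1406908F code seen in the post; and it lists processes whose `/proc/<pid>/exe` link the kernel marks `(deleted)`, which is the reliable way to spot a binary that was unlinked after it started (the name `ps` prints is argv[0], which any process can set to whatever it likes). The log sample is constructed in the shape of the post's excerpts with made-up hosts, addresses and timestamps; the `/proc` layout assumed is Linux.

```python
import os
import re
from collections import Counter
from pathlib import Path

# Constructed sample in the shape of the log excerpts in the post.  Hosts,
# client addresses and timestamps are made up.  The last pair is a control:
# a handshake failure with a different OpenSSL reason, which must not count.
SAMPLE_ERROR_LOG = """\
[Sun Sep 22 12:03:46 2002] [error] mod_ssl: SSL handshake failed (server www.example.test:443, client 192.0.2.10) (OpenSSL library error follows)
[Sun Sep 22 12:03:46 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Mon Sep 23 04:02:21 2002] [notice] Apache/1.3.17 (Unix) mod_ssl/2.8.0 OpenSSL/0.9.6 configured -- resuming normal operations
[Mon Sep 23 04:31:40 2002] [error] mod_ssl: SSL handshake failed (server www.example.test:443, client 192.0.2.10) (OpenSSL library error follows)
[Mon Sep 23 04:31:40 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Mon Sep 23 09:15:02 2002] [error] mod_ssl: SSL handshake failed (server www.example.test:443, client 198.51.100.7) (OpenSSL library error follows)
[Mon Sep 23 09:15:02 2002] [error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
"""

# Apache 1.3 / mod_ssl 2.8 error-log shapes, as quoted in the post.
HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[^)]+)\)"
)
OPENSSL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]+):(?P<reason>.*)$"
)

# The OpenSSL error code the post reports with every failed handshake.
SLAPPER_CODE = "1406908F"


def scan_error_log(lines):
    """Pair each mod_ssl handshake-failure line with the OpenSSL error line
    that immediately follows it.  Returns the full list of paired events as
    (timestamp, client, code, reason) tuples and a per-client count of the
    events whose code is SLAPPER_CODE."""
    hits = Counter()
    events = []
    pending = None  # handshake line waiting for its OpenSSL follow-up
    for line in lines:
        line = line.rstrip("\n")
        m = HANDSHAKE_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = OPENSSL_RE.match(line)
        if m and pending is not None:
            code = m.group("code").upper()
            events.append((pending["ts"], pending["client"], code, m.group("reason")))
            if code == SLAPPER_CODE:
                hits[pending["client"]] += 1
        pending = None  # any other line (e.g. a restart notice) breaks the pair
    return {"hits": hits, "events": events}


def flag_deleted_executables(exe_targets):
    """Given (pid, target) pairs read from /proc/<pid>/exe, return those whose
    binary was unlinked after the process started; the kernel appends
    ' (deleted)' to the link target in that case."""
    return [(pid, target) for pid, target in exe_targets
            if target.endswith(" (deleted)")]


def collect_exe_targets(proc_root="/proc"):
    """Read every /proc/<pid>/exe link we are permitted to.  Kernel threads,
    other users' processes (without root) and processes that exit mid-scan
    raise OSError and are skipped."""
    root = Path(proc_root)
    if not root.is_dir():
        return []  # not a Linux /proc layout
    pairs = []
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            pairs.append((int(entry.name), os.readlink(entry / "exe")))
        except OSError:
            continue
    return pairs


if __name__ == "__main__":
    result = scan_error_log(SAMPLE_ERROR_LOG.splitlines())
    for client, n in result["hits"].most_common():
        print(f"{client}: {n} handshake failure(s) with OpenSSL error {SLAPPER_CODE}")
    for pid, target in flag_deleted_executables(collect_exe_targets()):
        print(f"pid {pid} is running from a deleted binary: {target}")
```

To run it over a real log, replace `SAMPLE_ERROR_LOG.splitlines()` with an open file handle; the pairing logic only trusts an OpenSSL line that directly follows a handshake-failure line, so a restart notice or any unrelated entry in between resets it rather than mis-attributing the error to an earlier client. The `/proc` check needs root to see processes owned by other users, which is exactly the case for a process running as `apache` on a box you are triaging as a different user.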

    This archive was generated by hypermail 2b30 : Wed Sep 25 2002 - 12:10:14 PDT