At 1/7/2003 02:12 PM, Sverre H. Huseby wrote:
>I'm adding some info to my previous reply:
>
>I queried the Server header of the 30 different IPs (only two have
>visited me twice) that have sumthin'ed me since 2002-10-12. 21 of
>them replied as follows, the rest didn't respond:

Based on the information supplied in the headers below, it looks to me like it's likely a variation of the slapper worm that has infected a number of Apache systems that 1) use an older version of OpenSSL and 2) announce it in the HTTP server header. If you have a vulnerable Apache server running OpenSSL with port 443 accessible, you'd likely see a subsequent connection to the SSL server (and you may already be infected). This modified worm likely uses the GET /sumthin request to see the server header response from the web server and then attacks those web servers that appear vulnerable.

>Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1
>Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6
>Apache-AdvancedExtranetServer/1.3.22 (Mandrake Linux/10.2mdk) mod_ssl/2.8.5 OpenSSL/0.9.6b PHP/4.0.6
>Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) tomcat/1.0 mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2 mod_jk/1.1.0
>Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.1pl2 mod_perl/1.24
>Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a PHP/4.0.1pl2 mod_perl/1.24
>Apache/1.3.14 (Unix) (Red-Hat/Linux) mod_ssl/2.7.1 OpenSSL/0.9.5a PHP/4.0.4pl1 mod_perl/1.24
>Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
>Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
>Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
>Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
>Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
>Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
>Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.24_01
>Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
>Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
>Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
>Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26

Michael Katz
mikeat_private
Procinct Security

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
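The following is an added defender-side example, not code from the original message or from either poster. It does the triage Michael describes over the Server headers Sverre collected: it parses the advertised OpenSSL version and flags anything older than 0.9.6e (my assumed threshold, the release that fixed the SSLv2 handshake overflow the Slapper family exploits), and it pulls the source addresses of GET /sumthin probes out of Apache access-log lines. Two header strings are quoted from the message; the other headers and the log lines are constructed.

```python
import re

# Assumed triage threshold: the OpenSSL release that fixed the SSLv2 handshake
# overflow the Slapper family exploits (0.9.6e per the July 2002 advisory).
FIXED_OPENSSL = "0.9.6e"

_OPENSSL_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+[a-z]*)")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def parse_version(text):
    """'0.9.6b' -> (0, 9, 6, 'b'). Tuples compare in release order because the
    empty suffix sorts before 'a': 0.9.5a < 0.9.6 < 0.9.6a < 0.9.6e < 0.9.7."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)

def advertised_openssl(server_header):
    """Version tuple from a Server header, or None if OpenSSL is not announced."""
    m = _OPENSSL_RE.search(server_header)
    return parse_version(m.group(1)) if m else None

def looks_vulnerable(server_header, fixed=FIXED_OPENSSL):
    """True/False when the header announces an OpenSSL version; None when it
    does not (an unannounced version is unknown, not safe)."""
    ver = advertised_openssl(server_header)
    return None if ver is None else ver < parse_version(fixed)

def sumthin_probes(access_log_lines):
    """Client addresses that sent the worm's 'GET /sumthin' request
    (Apache common/combined log format assumed: client address is field 1)."""
    return [line.split()[0] for line in access_log_lines if '"GET /sumthin ' in line]

# Two headers quoted from the message, two constructed; the log lines are constructed.
SAMPLE_HEADERS = [
    "Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a PHP/4.0.1pl2 mod_perl/1.24",
    "Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) tomcat/1.0 mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2 mod_jk/1.1.0",
    "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",  # constructed: patched
    "Apache",                                               # constructed: ServerTokens Prod
]
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jan/2003:14:12:00 -0800] "GET /sumthin HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.11 - - [07/Jan/2003:14:12:05 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

def triage(headers=SAMPLE_HEADERS):
    """Headers that announce a pre-fix OpenSSL, i.e. hosts worth patching first."""
    return [h for h in headers if looks_vulnerable(h)]
```

A header with ServerTokens Prod yields None rather than False: hiding the version stops this worm's pre-check but says nothing about whether the host is patched, so treat it as unknown and verify the installed package directly.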
This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 15:47:20 PST