Re: /sumthin Revisited

From: noconflic (nocon@texas-shooters.com)
Date: Tue Jan 07 2003 - 23:04:45 PST


    [mikeat_private] Tue, Jan 07, 2003 at 03:01:10PM -0800 wrote:
    > At 1/7/2003 02:12 PM, Sverre H. Huseby wrote:
    > 
    > >I'm adding some info to my previous reply:
    > >
    > >I queried the Server header of the 30 different IPs (only two have
    > >visited me twice) that have sumthin'ed me since 2002-10-12.  21 of
    > >them replied as follows, the rest didn't respond:
    > 
    > Based on the information supplied in the headers below, it looks to me like 
    > it's likely a variation of the slapper worm that has infected a number of 
    > Apache systems that 1) use an older version of OpenSSL and 2) announce it 
    > in the HTTP server header.  If you have a vulnerable Apache server running 
    > OpenSSL with port 443 accessible, you'd likely see a subsequent connection 
    > to the SSL server (and you may already be infected).
    > 
    > This modified worm likely uses the GET /sumthin request to see the server 
    > header response from the web server and then attacks those web servers that 
    > appear vulnerable.
    > 
    > >Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 
    > >OpenSSL/0.9.6 PHP/4.0.4pl1
    > >Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 
    > >OpenSSL/0.9.6b PHP/4.0.6
    > >Apache-AdvancedExtranetServer/1.3.22 (Mandrake Linux/10.2mdk) 
    > >mod_ssl/2.8.5 OpenSSL/0.9.6b PHP/4.0.6
    > >Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) tomcat/1.0 
    > >mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2 mod_jk/1.1.0
    > >Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a 
    > >DAV/1.0.1 PHP/4.0.1pl2 mod_perl/1.24
    > >Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a 
    > >PHP/4.0.1pl2 mod_perl/1.24
    > >Apache/1.3.14 (Unix)  (Red-Hat/Linux) mod_ssl/2.7.1 OpenSSL/0.9.5a 
    > >PHP/4.0.4pl1 mod_perl/1.24
    > >Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 
    > >DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
    > >Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 
    > >DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
    > >Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 
    > >DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
    > >Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 
    > >DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
    > >Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b 
    > >DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
    > >Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b 
    > >DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
    > >Apache/1.3.22 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b 
    > >DAV/1.0.2 PHP/4.1.2 mod_perl/1.24_01
    > >Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 
    > >mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 
    > >mod_throttle/3.1.2
    > >Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 
    > >mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 
    > >mod_throttle/3.1.2
    > >Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b 
    > >DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
    > >Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b 
    > >DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
    
       I would have to agree. Briefly looking through my logs, of the IPs attempting
    connections to 443 (SSL not running on my host), most are running vulnerable 
    versions of Apache/SSL.
    
    [...]
    
    Trying 217.230.102.xxx...
    Connected to 217.230.102.xxx.
    Escape character is '^]'.
    HEAD / HTTP/1.0
    
    HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2003 06:52:30 GMT
    Server: Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
    
    [...]
    
    - nocon 
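Mike's reply describes a two-step pattern: a GET /sumthin to read the Server banner, then an attack on port 443 against hosts that advertise an old OpenSSL. What follows is an added example, not code from the original thread, that mechanises the check nocon did by hand with telnet: it pulls /sumthin probes out of an Apache access log, parses the OpenSSL token out of a Server banner, and flags probing hosts whose banner is older than the fixed release. Assumptions not stated on the page: the cut-off is taken to be OpenSSL 0.9.6e (the release that closed the SSLv2 handshake overflow Slapper used, CVE-2002-0656); the log lines, the IP addresses (RFC 5737 ranges) and the second, "patched" banner are constructed for the demo, while the first banner is copied from the list quoted above.

```python
"""Triage /sumthin probes against the Server banners of the probing hosts.

Added example, not code from the original post.  Assumptions (not on the
page): OpenSSL 0.9.6e is treated as the first fixed release; all IPs, log
lines and the SAMPLE_BANNERS entry for 203.0.113.5 are constructed.
"""
import http.client
import re
from typing import Dict, List, Optional, Tuple

# OpenSSL banner token, e.g. "OpenSSL/0.9.6b": three numbers plus an optional patch letter.
OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)")

# Apache common/combined log: client IP, timestamp, method and request path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*"')

Version = Tuple[int, int, int, str]

# Assumption (not stated on the page): first OpenSSL release that closed the hole.
FIXED_OPENSSL: Version = (0, 9, 6, "e")


def parse_openssl_version(server_header: str) -> Optional[Version]:
    """Return (major, minor, patch, letter) from a Server header, or None if no
    OpenSSL token is advertised.  The letter is kept as a string and '' sorts
    before 'a', so 0.9.6 < 0.9.6b < 0.9.6e < 0.9.7 under plain tuple comparison."""
    m = OPENSSL_RE.search(server_header)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def banner_looks_vulnerable(server_header: str) -> bool:
    """True when the banner advertises mod_ssl with an OpenSSL older than
    FIXED_OPENSSL.  No OpenSSL token means unknown, reported as False:
    a missing version is not evidence of safety, it is just no evidence."""
    ver = parse_openssl_version(server_header)
    return ver is not None and "mod_ssl/" in server_header and ver < FIXED_OPENSSL


def sumthin_probes(log_lines) -> List[Tuple[str, str]]:
    """Return (client_ip, timestamp) for every 'GET /sumthin' in an access log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "GET" and m.group(4) == "/sumthin":
            hits.append((m.group(1), m.group(2)))
    return hits


def fetch_server_header(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """The same check nocon did by hand: HEAD / and read the Server header.
    Network-bound, so the offline demo below uses a pre-fetched table instead."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


def triage(log_lines, banners: Dict[str, str]) -> List[str]:
    """IPs that probed /sumthin and whose banner looks vulnerable, i.e. hosts
    that are plausibly already infected and worth reporting to their owners.
    De-duplicated, in first-seen order; hosts with no banner are skipped."""
    flagged: List[str] = []
    for ip, _ts in sumthin_probes(log_lines):
        banner = banners.get(ip)
        if banner and banner_looks_vulnerable(banner) and ip not in flagged:
            flagged.append(ip)
    return flagged


# Constructed sample log (RFC 5737 addresses); the 404 is what a real /sumthin hit returns.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jan/2003:14:12:03 -0800] "GET /sumthin HTTP/1.0" 404 281 "-" "-"',
    '198.51.100.7 - - [07/Jan/2003:14:13:44 -0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [07/Jan/2003:15:01:10 -0800] "GET /sumthin HTTP/1.0" 404 281 "-" "-"',
    '192.0.2.10 - - [07/Jan/2003:16:40:59 -0800] "GET /sumthin HTTP/1.0" 404 281 "-" "-"',
    '203.0.113.9 - - [07/Jan/2003:17:02:00 -0800] "GET /sumthin HTTP/1.0" 404 281 "-" "-"',
]

# Banners as fetch_server_header() would return them.  The first is copied from the
# thread; the second is a constructed, assumed-patched host; 203.0.113.9 never answered.
SAMPLE_BANNERS = {
    "192.0.2.10": "Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01",
    "203.0.113.5": "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
}

if __name__ == "__main__":
    for ip in triage(SAMPLE_LOG, SAMPLE_BANNERS):
        print(f"{ip}: probed /sumthin and advertises {SAMPLE_BANNERS[ip]}")
```

The output is a list to verify, not a list of confirmed infections: a banner is weak evidence, since vendors such as Red Hat backport fixes without bumping the advertised OpenSSL version, and a host that answers on port 80 may not be serving SSL on 443 at all. The useful signal is the pairing, a /sumthin probe from a host that itself advertises an old mod_ssl/OpenSSL, which is exactly the pattern the thread is pointing at.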
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jan 08 2003 - 17:34:25 PST