logfiles of openssl-0.9.6e + GET_CLIENT_HELLO exploit...

From: Chuck Swiger (cswigerat_private)
Date: Mon Feb 10 2003 - 16:45:53 PST


    Here are the relevant pieces of the Apache logfiles:
    
    access_log:
    65.211.112.6 - -   [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
    217.96.247.140 - - [05/Feb/2003:20:40:47 -0500] "GET /sumthin HTTP/1.0" 404 201
    65.211.112.6 - -   [06/Feb/2003:09:51:08 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
    24.52.162.226 - -  [07/Feb/2003:01:46:31 -0500] "GET /sumthin HTTP/1.0" 404 201
    196.41.30.38 - -   [07/Feb/2003:12:37:45 -0500] "GET /sumthin HTTP/1.0" 404 201
    
    ssl_request_log:
    [04/Feb/2003:16:17:30 -0500] 65.211.112.6 - - "GET /mod_ssl:error:HTTP-request HTTP/1.0" 475
    [06/Feb/2003:09:51:08 -0500] 65.211.112.6 - - "GET /mod_ssl:error:HTTP-request HTTP/1.0" 475
    
    error_log:
    [Tue Feb  4 05:01:54 2003] [error] [client 217.235.56.30] File does not exist: /opt/apache/htdocs/sumthin
    [Tue Feb  4 16:17:30 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
    [Tue Feb  4 16:17:30 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
    [Wed Feb  5 02:37:29 2003] [error] [client 61.102.208.208] File does not exist: /opt/apache/htdocs/sumthin
    [Thu Feb  6 09:51:08 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
    [Thu Feb  6 09:51:08 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
    [Fri Feb  7 01:46:31 2003] [error] [client 24.52.162.226] File does not exist: /opt/apache/htdocs/sumthin
    [Fri Feb  7 11:12:30 2003] [error] [client 62.110.124.190] Client sent malformed Host header
    [Fri Feb  7 12:37:45 2003] [error] [client 196.41.30.38] File does not exist: /opt/apache/htdocs/sumthin
    
    ssl_engine_log:
    [04/Feb/2003 05:01:52 14857] [info]  Connection to child 8 established (server xxxxx.com:443, client 217.235.56.30)
    [04/Feb/2003 05:01:52 14857] [info]  Seeding PRNG with 1672 bytes of entropy
    [04/Feb/2003 05:01:52 14857] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
    [05/Feb/2003 20:41:09 00431] [info]  Connection to child 0 established (server xxxxx.com:443, client 217.96.247.140)
    [05/Feb/2003 20:41:09 00431] [info]  Seeding PRNG with 1672 bytes of entropy
    [05/Feb/2003 20:41:09 00431] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
    [06/Feb/2003 09:51:08 00435] [info]  Connection to child 4 established (server xxxxx.com:443, client 65.211.112.6)
    [06/Feb/2003 09:51:08 00435] [info]  Seeding PRNG with 1672 bytes of entropy
    [06/Feb/2003 09:51:08 00435] [error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
    [06/Feb/2003 09:51:08 00435] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
    [07/Feb/2003 01:46:31 00431] [info]  Connection to child 0 established (server xxxxx.com:443, client 24.52.162.226)
    [07/Feb/2003 01:46:31 00431] [info]  Seeding PRNG with 1672 bytes of entropy
    [07/Feb/2003 01:46:31 00431] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
    [07/Feb/2003 12:37:45 00435] [info]  Connection to child 4 established (server xxxxx.com:443, client 196.41.210.22)
    [07/Feb/2003 12:37:45 00435] [info]  Seeding PRNG with 1672 bytes of entropy
    [07/Feb/2003 12:37:45 00435] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
    [09/Feb/2003 08:32:03 00913] [info]  Connection to child 5 established (server xxxxx.com:443, client 210.70.26.71)
    [09/Feb/2003 08:32:04 00913] [info]  Seeding PRNG with 1672 bytes of entropy
    [09/Feb/2003 08:32:04 00913] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
    
    Three of the apache child processes became wedged, which alerted a 
    monitoring system on Friday (2003/2/7).  It looks like the intruder may 
    have gained access as the user apache runs as, and attempted to create 
    or look for a file (not successfully).  No other signs of problems; 
    server rebuilt 2003/2/9 against apache-1.3.27 + openssl-0.9.7.
    
    -Chuck
    
    PS: The machine has detailed monitoring in place, but even so, this 
    incident didn't cause a lot of noise.  Certainly not when compared to 
    the logging info generated from ~8000 attempted IIS probes per month....
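
    One way to make a low-noise probe like the one above stand out: correlate the three log sources per client instead of reading each on its own. This is an added example, not code from Chuck's message or from Apache/mod_ssl. It parses the Apache 1.3 Common Log Format access_log, the error_log lines that carry a `[client ...]` address, and the mod_ssl ssl_engine_log in the formats shown in the post, attributes each engine-log handshake message to a client through that child's preceding "Connection to child" line (assumption: Apache 1.3 prefork, one connection per child at a time), and counts distinct indicators per client. The sample log lines are constructed with RFC 5737 addresses and a placeholder hostname, not the poster's data; the indicator names are this example's own.

```python
"""Correlate Apache 1.3 access_log, error_log and mod_ssl ssl_engine_log lines
to surface low-noise probes like the ones in the message above. Added example,
not the poster's code; sample lines are constructed (RFC 5737 addresses)."""
import re
from collections import defaultdict

PROBE_PATH = "/sumthin"  # probe path seen in the post's logs

# Apache 1.3 Common Log Format; extra spaces before '[' are tolerated.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+\s+\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                       r'(?P<status>\d{3}) (?P<size>\S+)')
# error_log lines carrying a client address. mod_ssl's own "SSL handshake failed"
# lines carry none, so those are attributed through ssl_engine_log instead.
ERROR_CLIENT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')
# ssl_engine_log: "[dd/Mon/yyyy hh:mm:ss pid] [level]  message"
ENGINE_RE = re.compile(r'^\[(?P<ts>[^\]]+) (?P<pid>\d+)\] \[(?P<level>\w+)\]\s+(?P<msg>.*)$')
ENGINE_CONN_RE = re.compile(
    r'Connection to child \d+ established \(server [^,]+, client (?P<ip>[^)]+)\)')


def correlate(access_lines, error_lines, engine_lines):
    """Return {client_ip: sorted indicator names} for every client with a hit."""
    hits = defaultdict(set)
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, req = m.group("ip"), m.group("req")
        if req.startswith("GET " + PROBE_PATH + " "):
            hits[ip].add("probe_path")
        if "/mod_ssl:error:HTTP-request" in req:  # mod_ssl's pseudo-URI for plaintext on :443
            hits[ip].add("http_on_https")
    for line in error_lines:
        m = ERROR_CLIENT_RE.match(line)
        if not m:
            continue
        ip, msg = m.group("ip"), m.group("msg")
        if msg.startswith("File does not exist:") and msg.rstrip().endswith(PROBE_PATH):
            hits[ip].add("probe_path")
        elif msg.startswith("Client sent malformed Host header"):
            hits[ip].add("malformed_host")
    # Assumption: Apache 1.3 prefork, one connection per child at a time, so the
    # latest "Connection to child" line for a pid names the client of that
    # child's following engine-log messages until its next connection.
    pid_client = {}
    for line in engine_lines:
        m = ENGINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        conn = ENGINE_CONN_RE.search(msg)
        if conn:
            pid_client[pid] = conn.group("ip")
            continue
        ip = pid_client.get(pid)
        if ip is None:
            continue
        if msg.startswith("Spurious SSL handshake interrupt"):
            hits[ip].add("handshake_abort")  # connected to :443, no handshake completed
        elif msg.startswith("SSL handshake failed: HTTP spoken"):
            hits[ip].add("http_on_https")
    return {ip: sorted(names) for ip, names in hits.items()}


def rank(hits):
    """Clients ordered by number of distinct indicators, most suspicious first."""
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


# Constructed sample input in the post's formats (not the poster's data).
ACCESS_LOG = """\
192.0.2.10 - - [07/Feb/2003:01:46:31 -0500] "GET /sumthin HTTP/1.0" 404 201
198.51.100.7 - - [06/Feb/2003:09:51:08 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
203.0.113.5 - - [07/Feb/2003:12:00:00 -0500] "GET /index.html HTTP/1.1" 200 1532
""".splitlines()
ERROR_LOG = """\
[Fri Feb  7 01:46:31 2003] [error] [client 192.0.2.10] File does not exist: /opt/apache/htdocs/sumthin
[Thu Feb  6 09:51:08 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Fri Feb  7 11:12:30 2003] [error] [client 192.0.2.10] Client sent malformed Host header
""".splitlines()
ENGINE_LOG = """\
[07/Feb/2003 01:46:31 00431] [info]  Connection to child 0 established (server www.example.com:443, client 192.0.2.10)
[07/Feb/2003 01:46:31 00431] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[06/Feb/2003 09:51:08 00435] [info]  Connection to child 4 established (server www.example.com:443, client 198.51.100.7)
[06/Feb/2003 09:51:08 00435] [error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[07/Feb/2003 12:00:00 00913] [info]  Connection to child 5 established (server www.example.com:443, client 203.0.113.5)
""".splitlines()

if __name__ == "__main__":
    for ip, names in rank(correlate(ACCESS_LOG, ERROR_LOG, ENGINE_LOG)):
        print(f"{ip:16} {len(names)} indicator(s): {', '.join(names)}")
```

    Two points in the design: the error_log's "SSL handshake failed" and OpenSSL lines name no client, so attribution has to go through ssl_engine_log, where the child's "Connection to child" line does carry the address; and a "Spurious SSL handshake interrupt" on its own is also produced when a legitimate client drops the connection mid-handshake, so it is only worth weighing in combination with a probe path, a plaintext request on 443, or a malformed Host header from the same address.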
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 20:02:15 PST