I got them too. I believe they are some sort of httpd version scanner, most probably trying to look for either IIS unicode attacks or the apache ssl hole.

----- Original Message -----
From: "Chuck Swiger" <cswigerat_private>
To: <incidentsat_private>
Sent: Tuesday, February 11, 2003 1:45 AM
Subject: logfiles of openssl-0.9.6e + GET_CLIENT_HELLO exploit...

> Here are the relevant pieces of the Apache logfiles:
>
> access_log:
> 65.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
> 217.96.247.140 - - [05/Feb/2003:20:40:47 -0500] "GET /sumthin HTTP/1.0" 404 201
> 65.211.112.6 - - [06/Feb/2003:09:51:08 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
> 24.52.162.226 - - [07/Feb/2003:01:46:31 -0500] "GET /sumthin HTTP/1.0" 404 201
> 196.41.30.38 - - [07/Feb/2003:12:37:45 -0500] "GET /sumthin HTTP/1.0" 404 201
>
> ssl_request_log:
> [04/Feb/2003:16:17:30 -0500] 65.211.112.6 - - "GET /mod_ssl:error:HTTP-request HTTP/1.0" 475
> [06/Feb/2003:09:51:08 -0500] 65.211.112.6 - - "GET /mod_ssl:error:HTTP-request HTTP/1.0" 475
>
> error_log:
> [Tue Feb 4 05:01:54 2003] [error] [client 217.235.56.30] File does not exist: /opt/apache/htdocs/sumthin
> [Tue Feb 4 16:17:30 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
> [Tue Feb 4 16:17:30 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
> [Wed Feb 5 02:37:29 2003] [error] [client 61.102.208.208] File does not exist: /opt/apache/htdocs/sumthin
> [Thu Feb 6 09:51:08 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
> [Thu Feb 6 09:51:08 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
> [Fri Feb 7 01:46:31 2003] [error] [client 24.52.162.226] File does not exist: /opt/apache/htdocs/sumthin
> [Fri Feb 7 11:12:30 2003] [error] [client 62.110.124.190] Client sent malformed Host header
> [Fri Feb 7 12:37:45 2003] [error] [client 196.41.30.38] File does not exist: /opt/apache/htdocs/sumthin
>
> ssl_engine_log:
> [04/Feb/2003 05:01:52 14857] [info] Connection to child 8 established (server xxxxx.com:443, client 217.235.56.30)
> [04/Feb/2003 05:01:52 14857] [info] Seeding PRNG with 1672 bytes of entropy
> [04/Feb/2003 05:01:52 14857] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [05/Feb/2003 20:41:09 00431] [info] Connection to child 0 established (server xxxxx.com:443, client 217.96.247.140)
> [05/Feb/2003 20:41:09 00431] [info] Seeding PRNG with 1672 bytes of entropy
> [05/Feb/2003 20:41:09 00431] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [06/Feb/2003 09:51:08 00435] [info] Connection to child 4 established (server xxxxx.com:443, client 65.211.112.6)
> [06/Feb/2003 09:51:08 00435] [info] Seeding PRNG with 1672 bytes of entropy
> [06/Feb/2003 09:51:08 00435] [error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
> [06/Feb/2003 09:51:08 00435] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
> [07/Feb/2003 01:46:31 00431] [info] Connection to child 0 established (server xxxxx.com:443, client 24.52.162.226)
> [07/Feb/2003 01:46:31 00431] [info] Seeding PRNG with 1672 bytes of entropy
> [07/Feb/2003 01:46:31 00431] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [07/Feb/2003 12:37:45 00435] [info] Connection to child 4 established (server xxxxx.com:443, client 196.41.210.22)
> [07/Feb/2003 12:37:45 00435] [info] Seeding PRNG with 1672 bytes of entropy
> [07/Feb/2003 12:37:45 00435] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [09/Feb/2003 08:32:03 00913] [info] Connection to child 5 established (server xxxxx.com:443, client 210.70.26.71)
> [09/Feb/2003 08:32:04 00913] [info] Seeding PRNG with 1672 bytes of entropy
> [09/Feb/2003 08:32:04 00913] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
>
> Three of the apache child processes became wedged, which alerted a
> monitoring system on Friday (2003/2/7). It looks like the intruder may
> have gained access as the user apache runs as, and attempted to create
> or look for a file (not successfully). No other signs of problems;
> server rebuilt 2003/2/9 against apache-1.3.27 + openssl-0.9.7.
>
> -Chuck
>
> PS: The machine has detailed monitoring in place, but even so, this
> incident didn't cause a lot of noise. Certainly not when compared to
> the logging info generated from ~8000 attempted IIS probes per month....

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
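Added example, not part of either message above: a small Python script that tags the two patterns visible in the quoted logs so they can be counted per client rather than read by hand. It parses Apache 1.3 access_log and error_log lines, flags requests for a path that is never served on the host (the "/sumthin" probe) and plaintext HTTP sent to the HTTPS port (which mod_ssl records as the SSL23_GET_CLIENT_HELLO error in error_log and as a "/mod_ssl:error:HTTP-request" 400 in access_log), and also notes the "malformed Host header" entry. The sample lines are copied from the quoted logs plus one constructed benign request (192.0.2.10); the tag names and the PROBE_PATHS set are my own choices.

```python
"""Tag the scanner/probe patterns shown in the quoted Apache logs, per client IP."""
import re
from collections import Counter, defaultdict

# Apache 1.3 common log format: ip ident user [timestamp] "request" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Apache 1.3 error_log: [timestamp] [level] [client ip] message  (client part is optional;
# mod_ssl handshake errors are logged without it)
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<ip>[^\]]+)\] )?(?P<msg>.*)$'
)

# Paths that are probed but do not exist on this host (from the quoted logs;
# extend with whatever your own 404s show).
PROBE_PATHS = {"/sumthin"}


def parse_access(line):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["req"].split()
    entry["path"] = parts[1] if len(parts) >= 2 else entry["req"]
    return entry


def parse_error(line):
    """Return the fields of one error_log line, or None if it does not parse."""
    m = ERROR_RE.match(line)
    return m.groupdict() if m else None


def classify_access(entry):
    """Tag a suspicious access_log entry; None means ordinary traffic."""
    path = entry["path"]
    if path.startswith("/mod_ssl:error:"):
        # mod_ssl rewrites the request line this way when it answers a plaintext
        # HTTP request on the SSL port with an HTML error page (status 400).
        return "http-on-https"
    if path in PROBE_PATHS and entry["status"] == "404":
        return "probe-path"
    return None


def classify_error(entry):
    """Tag a suspicious error_log entry; None means nothing of interest."""
    msg = entry["msg"]
    if "SSL23_GET_CLIENT_HELLO" in msg:
        # mod_ssl writes two lines per failed handshake; only the OpenSSL line
        # that carries the error code is counted, so each event counts once.
        return "http-on-https"
    if msg.startswith("File does not exist:"):
        missing = msg.split(":", 1)[1].strip()
        if any(missing.endswith(p) for p in PROBE_PATHS):
            return "probe-path"
    if "malformed Host header" in msg:
        return "malformed-host"
    return None


def summarize(access_lines, error_lines):
    """Count tagged events per client IP. Error lines that carry no [client ...]
    field are grouped under 'unknown'; correlate those by timestamp with
    ssl_request_log if you need the source address."""
    hits = defaultdict(Counter)
    for line in access_lines:
        entry = parse_access(line)
        tag = classify_access(entry) if entry else None
        if tag:
            hits[entry["ip"]][tag] += 1
    for line in error_lines:
        entry = parse_error(line)
        tag = classify_error(entry) if entry else None
        if tag:
            hits[entry["ip"] or "unknown"][tag] += 1
    return {ip: dict(c) for ip, c in hits.items()}


# Sample input: lines copied from the quoted access_log and error_log, plus one
# constructed benign request (192.0.2.10) to show that normal traffic is not flagged.
SAMPLE_ACCESS = [
    '65.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475',
    '217.96.247.140 - - [05/Feb/2003:20:40:47 -0500] "GET /sumthin HTTP/1.0" 404 201',
    '65.211.112.6 - - [06/Feb/2003:09:51:08 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475',
    '24.52.162.226 - - [07/Feb/2003:01:46:31 -0500] "GET /sumthin HTTP/1.0" 404 201',
    '192.0.2.10 - - [07/Feb/2003:13:00:00 -0500] "GET /index.html HTTP/1.0" 200 1234',
]
SAMPLE_ERROR = [
    '[Tue Feb  4 05:01:54 2003] [error] [client 217.235.56.30] File does not exist: /opt/apache/htdocs/sumthin',
    '[Tue Feb  4 16:17:30 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)',
    '[Tue Feb  4 16:17:30 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]',
    '[Fri Feb  7 11:12:30 2003] [error] [client 62.110.124.190] Client sent malformed Host header',
]

if __name__ == "__main__":
    for ip, tags in sorted(summarize(SAMPLE_ACCESS, SAMPLE_ERROR).items()):
        print(ip, tags)
```

Run it as-is to see the per-IP tallies; pointing it at real files is a matter of replacing the two sample lists with `open(...).read().splitlines()`. The point of counting per source is what Chuck's note about noise illustrates: a handful of 400/404 lines vanish among thousands of IIS probes unless something groups them by client and by the specific mod_ssl error.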
This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 15:34:34 PST