root@darks wrote: > i got them too. i belive they are some sort of httpd version scanner. most > probably trying to look for either IIS unicode attacks or apache ssl hole. [ ... ] The latter, agreed. My point was not so much that someone was scanning, or even that a sufficiently old version of apache+openssl is hackable, although both seem to be valid points worth knowing. :-) What seemed to be of more concern to me is that this exploit did not require lot of failed connection attempts (ie, to deduce a cryptographic weakness) before the attack succeeded. If I didn't have a definite time stamp for the problem-- I have virtual_adrian going and a network-based monitoring tool checking every five minutes-- it would have been hard to track down (or even notice) the relevant pieces out of a half-million lines of Apache logfiles. Anyway, take care, -Chuck ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 15:38:06 PST