[logs] slapper logfile marks ..

From: Jose Nazario (joseat_private)
Date: Tue Oct 08 2002 - 07:10:01 PDT

    trying to see if these are telltale signs of a slapper request. looking
    at the worm's source code it makes an http request for /:
    
    GET HTTP/1.1
    
    (note that it's incomplete for the 1.1 spec, it's missing the host:
    declaration.) it then sends two ssl connections to try and overflow the
    key exchange for SSLv2.
    
    this would explain this logfile pattern i have seen with an apache
    installation. the first request looks like the problem in the port 80
    server fingerprinting:
    
    [Sun Oct  6 03:25:18 2002] [error] [client 202.133.158.195] client sent
    HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
    
    with followups immediately with SSL errors:
    
    [Sun Oct  6 03:25:37 2002] [error] mod_ssl: SSL handshake interrupted by
    system [Hint: Stop button pressed in browser?!] (System error follows)
    [Sun Oct  6 03:25:37 2002] [error] System: Connection reset by peer
    (errno: 104)
    
    unfortunately the error log doesn't report the SSL client who made the
    errors.
    
    anyhow, is this the pattern other people have been seeing for slapper
    hosts?
    
    ___________________________
    jose nazario, ph.d.			joseat_private
    					http://www.monkey.org/~jose/
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
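One way to look for the pattern the post describes in an Apache 1.3 error log, as an added example that is not from the original post or the list: a Python script that pairs each "request without hostname" error with the mod_ssl handshake errors that follow it within a short window. Because the mod_ssl lines carry no client address, the pairing is by time only and is a lead to confirm against the access log or firewall logs, not a positive identification; the extra sample lines and the 192.0.2.10 address are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache 1.3 error-log line: "[Sun Oct  6 03:25:18 2002] [error] <message>"
_LINE = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] \[error\] (.*)$")
_NOHOST = re.compile(r"\[client ([\d.]+)\] client sent HTTP/1\.1 request without hostname")
_SSL = re.compile(r"mod_ssl: SSL handshake interrupted")

def parse(line):
    """Return (timestamp, message) or None for lines that are not Apache errors."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    stamp = " ".join(m.group(1).split())          # collapse the "Oct  6" day padding
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), m.group(2)

def find_candidates(lines, window_seconds=60):
    """For every no-hostname request, count mod_ssl handshake errors that follow
    it within the window.  Lines are assumed to be in log (chronological) order.
    Returns [(client_ip, timestamp, ssl_error_count)] for requests with >= 1 hit."""
    events = [e for e in map(parse, lines) if e]
    hits = []
    for i, (ts, msg) in enumerate(events):
        m = _NOHOST.search(msg)
        if not m:
            continue
        deadline = ts + timedelta(seconds=window_seconds)
        n_ssl = sum(1 for t2, m2 in events[i + 1:] if t2 <= deadline and _SSL.search(m2))
        if n_ssl:
            hits.append((m.group(1), ts, n_ssl))
    return hits

# Constructed sample: the events quoted in the post, then a lone no-hostname request
# with no SSL follow-up and an unrelated SSL error hours later (both constructed).
SAMPLE_LOG = [
    "[Sun Oct  6 03:25:18 2002] [error] [client 202.133.158.195] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /",
    "[Sun Oct  6 03:25:37 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)",
    "[Sun Oct  6 03:25:37 2002] [error] System: Connection reset by peer (errno: 104)",
    "[Sun Oct  6 09:12:01 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /",
    "[Sun Oct  6 11:40:00 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)",
]

if __name__ == "__main__":
    for ip, ts, n in find_candidates(SAMPLE_LOG):
        print(f"{ts} {ip}: no-Host request followed by {n} SSL handshake error(s) within 60s")
```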
    