Trying to see if these are telltale signs of a Slapper request.

Looking at the worm's source code, it makes an HTTP request for /:

GET HTTP/1.1

(Note that it's incomplete for the 1.1 spec; it's missing the Host: declaration.) It then sends two SSL connections to try and overflow the key exchange for SSLv2.

This would explain this logfile pattern I have seen with an Apache installation. The first request looks like the problem in the port 80 server fingerprinting:

[Sun Oct 6 03:25:18 2002] [error] [client 202.133.158.195] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /

with followups immediately with SSL errors:

[Sun Oct 6 03:25:37 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Oct 6 03:25:37 2002] [error] System: Connection reset by peer (errno: 104)

Unfortunately the error log doesn't report the SSL client who made the errors. Anyhow, is this the pattern other people have been seeing for Slapper hosts?

___________________________
jose nazario, ph.d. joseat_private http://www.monkey.org/~jose/

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
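The correlation the post describes (a hostless HTTP/1.1 request for / on port 80, followed seconds later by mod_ssl handshake errors that carry no client address) can be checked mechanically over an error_log. The script below is an added example, not code from the post or from any Slapper analysis; it assumes the Apache 1.3 error_log line format shown above, and the log excerpt is constructed for the demonstration (the first three lines reproduce the quoted pattern, the entries for 10.0.0.7 and 192.0.2.10 are made up as non-matching cases). Because the SSL error lines never name the peer, the match is time-window based and yields candidates to look at, not confirmed infections.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache 1.3-style error_log excerpt (sample input for this example).
# Lines 1-3 follow the pattern quoted in the post; the 10.0.0.7 and 192.0.2.10
# entries are invented here to show requests that should NOT be flagged.
SAMPLE_ERROR_LOG = """\
[Sun Oct 6 03:25:18 2002] [error] [client 202.133.158.195] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Sun Oct 6 03:25:37 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Oct 6 03:25:37 2002] [error] System: Connection reset by peer (errno: 104)
[Sun Oct 6 04:10:02 2002] [error] [client 10.0.0.7] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /index.html
[Sun Oct 6 05:00:00 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Oct 6 06:12:44 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
"""

# "[timestamp] [error] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$")
# The hostless-request complaint names the client and the requested path.
NO_HOST_RE = re.compile(
    r"^\[client (?P<ip>[\d.]+)\] client sent HTTP/1\.1 request without hostname .*: (?P<path>\S+)$"
)
# The mod_ssl message has no client field at all.
SSL_INTERRUPTED = "mod_ssl: SSL handshake interrupted by system"


def parse_line(line):
    """Return (datetime, message) for one error_log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Apache pads single-digit days with an extra space; collapse runs of spaces first.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("msg")


def find_slapper_candidates(log_text, window_seconds=60):
    """Hostless HTTP/1.1 requests for exactly "/" that are followed, within
    window_seconds, by at least one interrupted SSL handshake.  The SSL lines
    carry no peer address, so this is a time correlation only: treat the output
    as candidates worth checking against firewall or SSL access logs."""
    probes = []      # (timestamp, client ip) of hostless "GET /" requests
    ssl_errors = []  # timestamps of interrupted SSL handshakes
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        nh = NO_HOST_RE.match(msg)
        if nh and nh.group("path") == "/":
            probes.append((ts, nh.group("ip")))
        elif msg.startswith(SSL_INTERRUPTED):
            ssl_errors.append(ts)

    window = timedelta(seconds=window_seconds)
    candidates = []
    for ts, ip in probes:
        followups = [e for e in ssl_errors if ts <= e <= ts + window]
        if followups:
            candidates.append({
                "client": ip,
                "probe_time": ts.isoformat(),
                "ssl_errors_in_window": len(followups),
                "seconds_to_first_ssl_error": int((followups[0] - ts).total_seconds()),
            })
    return candidates


if __name__ == "__main__":
    for c in find_slapper_candidates(SAMPLE_ERROR_LOG):
        print(c)
```

Run against the sample, only 202.133.158.195 is reported: the 10.0.0.7 request is hostless but asks for /index.html rather than /, and the 192.0.2.10 probe has no SSL error behind it. The window is deliberately a parameter; the 19-second gap in the quoted log is one data point, and a busy server with unrelated aborted handshakes will need a tighter window or a second source (SSL access log, packet capture) to pin the SSL peer down.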
This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 06:18:50 PDT