Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2002/09/13 21:02:05 UTC

Fwd: Re: OpenSSL worm in the wild

Because this is of general interest to anyone running mod_ssl with
older versions of OpenSSL (pre-0.9.6e) I'm forwarding the current status
of research here.  Please refer your feedback to Dave Ahmad, Ben Laurie
or the Bugtraq mailing list, as appropriate.

Bill


>Delivered-To: mailing list bugtraq@securityfocus.com
>Date: Fri, 13 Sep 2002 11:28:51 -0600 (MDT)
>From: Dave Ahmad <da...@securityfocus.com>
>Subject: Re: OpenSSL worm in the wild
>
>Ok,
>
>The incident analysis team over here is examining this thing.  At first
>glance it looks reasonably sophisticated.  Looks to me like it exploits
>the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
>It seems to pick targets based on the "Server:" HTTP response field.
>Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
>setting it to ProductOnly to turn away at least this version of the exploit
>until fixes can be applied.  Another thing to note is that it communicates
>with its friends over UDP / port 2002.
>
>I'd like to request IP addresses of hosts that have been compromised or
>that are currently attacking systems from anyone who is comfortable
>sharing this information.  We wish to run it through TMS (formerly
>known as ARIS) to see how quickly it is propagating.
>
>David Ahmad
>Symantec
>http://www.symantec.com/
>
>On Fri, 13 Sep 2002, Ben Laurie wrote:
>
> > I have now seen a worm for the OpenSSL problems I reported a few weeks
> > back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
> > be _seriously worried_.
> >
> > It appears to be exclusively targeted at Linux systems, but I wouldn't
> > count on variants for other systems not existing.
> >
> > Cheers,
> >
> > Ben.
> >
> > --
> > http://www.apache-ssl.org/ben.html      http://www.thebunker.net/
> >
> > "There is no limit to what a man can do or how far he can go if he
> > doesn't mind who gets the credit." - Robert Woodruff
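The targeting signal Dave Ahmad describes (the "Server:" response field) and the ServerTokens workaround can be checked from the defender's side with the following audit script. It is an added example, not code from the thread, from Bugtraq or from the Apache project; the header values in it are constructed, and the 0.9.6e cut-off is the fixed release Ben Laurie names above.

```sh
#!/bin/sh
# Added example (not from the original thread or the Apache project): audit
# what a "Server:" response header value advertises, since the worm in the
# thread picks targets from that field. The cut-off 0.9.6e is the fixed
# OpenSSL release named in the thread; header values below are constructed.

# Print the OpenSSL version token from a Server header value ("0.9.6d"),
# or nothing when the header carries no OpenSSL/ token.
openssl_version_from_server_header() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9.]*[a-z]*\).*|\1|p'
}

# Succeed (exit 0) when an OpenSSL version string is older than 0.9.6e.
openssl_version_is_pre_0_9_6e() {
    num=$(printf '%s\n' "$1" | sed 's/[a-z]*$//')     # 0.9.6d -> 0.9.6
    letter=$(printf '%s\n' "$1" | sed 's/^[0-9.]*//')  # 0.9.6d -> d
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    [ "$major" -gt 0 ] && return 1
    [ "$minor" -lt 9 ] && return 0
    [ "$minor" -gt 9 ] && return 1
    [ "$patch" -lt 6 ] && return 0
    [ "$patch" -gt 6 ] && return 1
    # exactly 0.9.6: no letter, or a letter before "e", is pre-0.9.6e
    case $letter in ''|[a-d]) return 0 ;; esac
    return 1
}

# Succeed when a Server header value advertises a pre-0.9.6e OpenSSL.
server_header_advertises_vulnerable_openssl() {
    v=$(openssl_version_from_server_header "$1")
    [ -n "$v" ] || return 1   # nothing advertised, e.g. "ServerTokens ProductOnly"
    openssl_version_is_pre_0_9_6e "$v"
}

# Constructed sample values for three ServerTokens settings.
FULL_HEADER='Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d'    # Full, unpatched
PATCHED_HEADER='Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g' # Full, patched
PRODUCT_ONLY_HEADER='Apache'                                        # ProductOnly

for h in "$FULL_HEADER" "$PATCHED_HEADER" "$PRODUCT_ONLY_HEADER"; do
    if server_header_advertises_vulnerable_openssl "$h"; then
        echo "advertises vulnerable OpenSSL : $h"
    else
        echo "nothing vulnerable advertised : $h"
    fi
done
```

To run it against a live server, pass the value of its Server header (for example what `curl -sI https://host/ | sed -n 's/^Server: //p'` prints). As the thread says, switching to `ServerTokens ProductOnly` only stops this scanner from selecting the host by its banner; the OpenSSL upgrade to 0.9.6e or later is still the fix.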


At 11:09 AM 9/13/2002, Sandu Mihai wrote:
>Beginning with 12.09.2002 we have noticed a variant of the Apache Worm
>http://dammit.lt/apache-worm/apache-worm.c which now exploits mod_ssl bug.
>The worm can be identified by doing a ps -ax | grep bugtraq (it has the name
>.bugtraq :) ).
>It is an 'agent' worm (as his parent, mr. Apache Worm), and can be
>controlled / instructed to do a UDP Flood, TCP Flood, DNS Flood, other
>goodies including command execution on infected system. The source is found
>in /tmp/.bugtraq.c ... and the comments are in English now :)
>
>All my best,
>Sandu Mihai - KPNQWest Romania Network Engineer