On Sat, Sep 14, 2002 at 07:24:06PM +0200, Michael Renzmann wrote:
> One thing that makes me wonder: after I wrote my first few lines about
> the attack on the rlx blade server that we experienced, someone gave a
> correct hint to the worm (describing it with some of its actions), and
> also mentioned a URL for the source code of the worm. When looking at
> that source (http://dammit.lt/apache-worm/apache-worm.c) it is quite
> obvious that "our" source is totally different. Is there a second
> variant of the worm, or is this another worm using the same exploit?
There are two worms. One is old, one is new.

The one at http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via UDP port 2002, though I'm not actually sure what data gets sent on that port.

The old worm used UDP port 2001, and showed up shortly after the original OpenSSL vulnerability in late July. Its source is at http://dammit.lt/apache-worm/apache-worm.c

These worms both exploit the same OpenSSL bug. woody is not vulnerable to this exploit if you're using the latest openssl packages from security.debian.org. If you haven't restarted Apache since updating those packages, though, your Apache process is still linked against the old libraries and is therefore still vulnerable.

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
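The last point in noah's mail (an upgraded libssl does not help a long-running Apache until it is restarted) can be checked on a Linux host: when a package upgrade replaces a shared library, processes that mapped the old file keep it open and /proc/<pid>/maps shows it tagged "(deleted)". The script below is an added example, not from the original mail or from Debian; it assumes the Linux /proc/<pid>/maps layout and the sample maps text it parses is constructed.

```sh
#!/bin/sh
# Added example: list processes still mapping a replaced libssl/libcrypto.
# Such processes run the pre-upgrade (vulnerable) code until restarted.

# stale_ssl_maps: read /proc/<pid>/maps-style text on stdin and print the
# paths of libssl/libcrypto mappings flagged "(deleted)", one per line,
# de-duplicated (a library usually appears in several mappings).
stale_ssl_maps() {
    awk '$NF == "(deleted)" && $6 ~ /lib(ssl|crypto)[^\/]*\.so/ { print $6 }' \
      | sort -u
}

# scan_running: walk every readable /proc/<pid>/maps and report offenders.
# Without root, other users' maps files are unreadable and are skipped.
scan_running() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_ssl_maps < "$maps" 2>/dev/null) || continue
        [ -n "$stale" ] || continue
        name=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-40)
        echo "pid $pid ($name) still maps replaced library: $stale"
    done
}

# Only scan the live system when explicitly asked, so the functions can
# also be sourced and fed sample data.
if [ "${1:-}" = "--scan" ]; then
    scan_running
fi
```

Run as `sh check-stale-ssl.sh --scan` (as root to see all processes); any reported pid, typically Apache, needs a restart after the openssl upgrade.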