Hi Florian.
Florian Weimer wrote:
If you want to do your own tests (without fooling around with the
worm), you can use our tool:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
Great tool, thanks.
The website of the RUS-CERT mentions in the description of the worm:
"Bei verwundbaren Systemen hinterläßt der Wurm angeblich keine
Logfileeintragungen." (for the non-German readers: it's something like
"it is said that the worm does not leave any log entries on vulnerable
systems"). From what I can say this is not correct. I was able to see
the following log entries:
[Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client 210.243.234.135) (OpenSSL library error follows)
[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client 210.243.234.135, server localhost:443)
[... the last line was repeated for another 19 times with slightly
different timestamps for the same client ip ...]
The system is Red Hat Linux release 7.2 (Enigma), running
openssl-0.9.6b-8, mod_ssl-2.8.4-9 and apache-1.3.20-16 (as delivered
from RLX as management blade for the rlx 300ex).
From what I heard (iirc you told me about that) the worm fired twenty
requests towards any probed webserver, so the above "logfile signature"
should at least give a clear hint, or am I wrong in that part?
Bye, Mike
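An added example of turning the "logfile signature" above into a check (this is not code from the post, nor from the RUS-CERT tool Florian linked): it walks Apache 1.3 / mod_ssl error-log lines of the quoted shape, attributes the address-less OpenSSL error line to the client of the preceding handshake failure, and flags clients that show the full pattern rather than timeouts alone. The log lines, timestamps and client addresses are constructed for the example; the timeout threshold of 20 is the count reported in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Apache 1.3 / mod_ssl error-log lines quoted
# in the post; timestamps and client addresses are made up (documentation ranges).
SAMPLE_LOG = """\
[Fri Sep 13 00:45:44 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client 192.0.2.10) (OpenSSL library error follows)
[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client 192.0.2.10, server localhost:443)
[Fri Sep 13 00:51:10 2002] [error] mod_ssl: SSL handshake timed out (client 192.0.2.10, server localhost:443)
[Fri Sep 13 01:02:00 2002] [error] mod_ssl: SSL handshake timed out (client 198.51.100.7, server localhost:443)
"""

NO_HOST = re.compile(r"\[client (?P<ip>[\d.]+)\] client sent HTTP/1\.1 request without hostname")
FAILED = re.compile(r"SSL handshake failed \(server \S+, client (?P<ip>[\d.]+)\)")
CONN_ID = re.compile(r"error:1406908F:.*connection id is different")
TIMEOUT = re.compile(r"SSL handshake timed out \(client (?P<ip>[\d.]+), server")


def parse_signatures(log_text):
    """Count the four event types per client address.

    The OpenSSL error line carries no client address, so it is credited to the
    client of the immediately preceding 'SSL handshake failed' line, which is
    the order in which mod_ssl writes the pair.
    """
    stats = defaultdict(lambda: {"no_host": 0, "failed": 0, "conn_id": 0, "timeouts": 0})
    last_failed_ip = None
    for line in log_text.splitlines():
        if m := NO_HOST.search(line):
            stats[m["ip"]]["no_host"] += 1
        elif m := FAILED.search(line):
            stats[m["ip"]]["failed"] += 1
            last_failed_ip = m["ip"]
        elif CONN_ID.search(line) and last_failed_ip:
            stats[last_failed_ip]["conn_id"] += 1
        elif m := TIMEOUT.search(line):
            stats[m["ip"]]["timeouts"] += 1
    return dict(stats)


def suspicious_clients(log_text, min_timeouts=20):
    """Clients showing the whole pattern: hostname-less request, handshake
    failure with the connection-id error, and >= min_timeouts handshake
    timeouts. Timeouts alone are not enough; they also occur benignly."""
    stats = parse_signatures(log_text)
    return sorted(ip for ip, s in stats.items()
                  if s["no_host"] and s["conn_id"] and s["timeouts"] >= min_timeouts)
```

Run it against a real error_log by reading the file into `suspicious_clients`; with the constructed sample only the lower threshold `min_timeouts=2` flags the first client.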