Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Dale Amon
On Sat, Sep 14, 2002 at 01:41:06PM -0400, Noah L. Meyerhans wrote: > There are two worms. One is old, one is new. The one at > http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via > UDP port 2002, though I'm not actually sure what data gets sent on that > port. The old worm use

Re: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi. Phillip Hofmeister wrote: > Is this log evidence of our worm? Not exactly. Here is the log of "our" machine that has been attacked: === cut === [Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Fri Sep

bugtraq.c httpd apache ssl attack

2002-09-14 Thread Phillip Hofmeister
Is this log evidence of our worm? [Fri Sep 13 23:46:29 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 195.34.113.130) (OpenSSL library error follows) [Fri Sep 13 23:46:30 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long [S
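Triage logic for the two error_log excerpts quoted in this and the preceding message, added here as an example; it is not code from the list posts or from the worm source. It assumes the Apache 1.3 / mod_ssl line layout shown in those excerpts, and the sample log below is constructed (the last two lines are an assumed benign handshake failure for contrast). The reason string `GET_CLIENT_MASTER_KEY:key arg too long` is what an OpenSSL patched for CAN-2002-0656 emits when it rejects an oversized SSLv2 KEY-ARG, so it records an attempt that was refused, not a compromise. Because OpenSSL library error lines carry no client address, each one has to be attributed to the client of the immediately preceding `SSL handshake failed` line, which is the part of the parsing that is easy to get wrong.

```python
"""Attribute Apache 1.3 / mod_ssl error_log lines to source IPs and flag the
SSLv2 KEY-ARG overflow probe (CAN-2002-0656). Added example, not list code."""
import re
from collections import defaultdict

# Constructed sample, modelled on the error_log excerpts quoted in the thread.
# The last two lines are an assumed benign handshake failure for contrast.
SAMPLE_LOG = """\
[Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Sep 13 23:46:29 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 195.34.113.130) (OpenSSL library error follows)
[Fri Sep 13 23:46:30 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Fri Sep 13 23:50:01 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 192.0.2.7) (OpenSSL library error follows)
[Fri Sep 13 23:50:01 2002] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[0-9.]+)\)")
OPENSSL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$")
NOHOST_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[0-9.]+)\] "
    r"client sent HTTP/1\.1 request without hostname")

# Reason a patched OpenSSL logs when it rejects an oversized SSLv2 KEY-ARG.
# Seeing it means the overflow was attempted against this server and refused.
EXPLOIT_FUNC = "GET_CLIENT_MASTER_KEY"
EXPLOIT_REASON = "key arg too long"


def _new_record():
    return {"handshake_failures": 0, "exploit_attempts": 0,
            "hostless_probes": 0, "first_seen": None, "last_seen": None}


def _touch(rec, ts):
    rec["first_seen"] = rec["first_seen"] or ts
    rec["last_seen"] = ts


def analyze(log_text):
    """Return {client_ip: record}. OpenSSL error lines carry no client
    address, so each is attributed to the client of the most recent
    'SSL handshake failed' line; any other kind of line ends that run."""
    report = defaultdict(_new_record)
    pending = None  # client whose OpenSSL library errors are still being printed
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            rec = report[m["client"]]
            rec["handshake_failures"] += 1
            _touch(rec, m["ts"])
            pending = m["client"]
            continue
        m = OPENSSL_RE.match(line)
        if m:
            if pending and m["func"] == EXPLOIT_FUNC and EXPLOIT_REASON in m["reason"]:
                rec = report[pending]
                rec["exploit_attempts"] += 1
                _touch(rec, m["ts"])
            continue
        pending = None
        # Host-less HTTP/1.1 GET: a weak indicator on its own (the scanner's
        # banner grab looks like this, but so do many other clients).
        m = NOHOST_RE.match(line)
        if m:
            rec = report[m["client"]]
            rec["hostless_probes"] += 1
            _touch(rec, m["ts"])
    return dict(report)


def suspects(report):
    """Client IPs that sent at least one oversized KEY-ARG, sorted."""
    return sorted(ip for ip, rec in report.items() if rec["exploit_attempts"] > 0)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for ip, rec in sorted(rep.items()):
        print(ip, rec)
    print("exploit attempts from:", suspects(rep))
```

On the constructed sample only 195.34.113.130 is reported as an exploit attempt; 192.0.2.7 failed its handshake for an unrelated reason, and 210.243.234.135 only sent the host-less GET. A hit from `suspects()` says the server was targeted, not that it was taken: an unpatched server that was actually overflowed would not have logged the rejection, so the host-side artifacts discussed in the thread (files under /tmp/.bugtraq*, a process listening on UDP 2002, outbound port-80 sweeps) are what decide whether the attempt succeeded.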

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Noah L. Meyerhans
On Sat, Sep 14, 2002 at 08:14:56PM +0200, Michael Renzmann wrote: > Any idea about the outgoing connections to port 80? We noticed that the > bugtraq-process systematically tries to connect to port 80 in an ip > block, and it keeps trying and trying, incrementing the ip addresses by > one per st

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi. Noah L. Meyerhans wrote: In 3 days, about 1500 different IP addresses tried to contact my machine at UDP port 2002. Fortunately I have iptables configured. That's interesting. I haven't seen any traffic to udp port 2002 in the past couple of days at all. The worm uses the following code to pi

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi. Guille -bisho- wrote: [bugtraq list quote] After the program "/tmp/.bugtraq" starts running, it becomes a member of a virtual network. Network members communicate using UDP port 2002. The program can, when instructed (using udp port 2002): [/bugtraq list quote] In 3 days, about 1500 difere

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Noah L. Meyerhans
On Sat, Sep 14, 2002 at 08:00:15PM +0200, Guille -bisho- wrote: > In 3 days, about 1500 different IP addresses tried to contact my machine at > UDP port 2002. Fortunately I have iptables configured. That's interesting. I haven't seen any traffic to udp port 2002 in the past couple of days at all. T

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Noah L. Meyerhans
On Sat, Sep 14, 2002 at 08:05:53PM +0200, Guille -bisho- wrote: > I don't know if in the c-2 the worm works partially or fully. Anybody knows? > It seems that the worm does not fully work on Debian. The exploit code in the newest worm has been tested against 0.9.6c-2.woody.0. It was not sucessfu

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Guille -bisho-
>> I have seen two Debian machines exploited with the -d version of >> openssl, denoted by the files: >> /tmp/.bugtraq.c /tmp/.uubugtraq > >That's not surprising. OpenSSL 0.9.6d is vulnerable. However, in woody >we have 0.9.6c-2.woody.0, whose most recent changelog entry is: > >openssl (0.9.

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Florian Weimer
Michael Renzmann <[EMAIL PROTECTED]> writes: > One thing that makes me wonder: after I wrote my first few lines about > the attack on the rlx blade server that we experienced, someone gave a > correct hint to the worm (describing it with some of its actions), and > also mentioned a URL for the sou

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Guille -bisho-
>> There are two worms. One is old, one is new. The one at >> http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via >> UDP port 2002, though I'm not actually sure what data gets sent on that >> port. > >Thanks for the information. > >I most probably have a tcpdump log of those p

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Noah L. Meyerhans
On Sat, Sep 14, 2002 at 07:46:03PM +0200, Guille -bisho- wrote: > I have seen two Debian machines exploited with the -d version of > openssl, denoted by the files: > /tmp/.bugtraq.c /tmp/.uubugtraq That's not surprising. OpenSSL 0.9.6d is vulnerable. However, in woody we have 0.9.6c-2.woody

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi Noah. Noah L. Meyerhans wrote: There are two worms. One is old, one is new. The one at http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via UDP port 2002, though I'm not actually sure what data gets sent on that port. Thanks for the information. I most probably have a

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Guille -bisho-
>> Even through we are not mentioned are we vulnerable to this attack? > >Current rumours indicate that CAN-2002-0656 is exploited. DSA-136 >addresses this vulnerability: > >http://www.debian.org/security/2002/dsa-136 > >I still have to see the worm, so I can't say for sure that you are >safe, but

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Noah L. Meyerhans
On Sat, Sep 14, 2002 at 07:24:06PM +0200, Michael Renzmann wrote: > One thing that makes me wonder: after I wrote my first few lines about > the attack on the rlx blade server that we experienced, someone gave a > correct hint to the worm (describing it with some of its actions), and > also ment

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Phillip Hofmeister
On Sat, 14 Sep 2002 at 12:56:00PM +0200, Wichert Akkerman wrote: > One wonders why you would have gcc installed on a webserver.. To custom compile the kernel or other apps. Our web server has many roles namely b/c we only have 5 IP addresses, we're running a masq network, and 2 websites. We simpl

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi all. As addition to my previous mail: the source is now available for download at the following URL: http://217.24.0.78/bugtraq.c.txt One thing that makes me wonder: after I wrote my first few lines about the attack on the rlx blade server that we experienced, someone gave a correct hint

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi all. I still have to see the worm, so I can't say for sure that you are safe, but it's a good time to update if you haven't done so. ;-) I have the source of the worm at hands now, as well as a working binary that has been placed on a server. Still interested in getting hands on that thin

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread David Ehle
Is this the same vulnerability exploited by the "Linux.Slapper.Worm"? http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html The report says openssl 0.9.6d and older are vulnerable, and woody seems to be using 0.9.6d. Is DSA-126-1 openssl saying that this has been patched

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread valerian
On Sat, Sep 14, 2002 at 12:56:00PM +0200, Wichert Akkerman wrote: > One wonders why you would have gcc installed on a webserver.. Look at places like he.net... They offer full unix environment hosting services (including gcc).

Re: [d-security] Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Christian Hammers
On Sat, Sep 14, 2002 at 12:56:00PM +0200, Wichert Akkerman wrote: > Previously Phillip Hofmeister wrote: > > I am using RedHat 7.3 with Apache 1.3.23. Someone used the > > program "bugtraq.c" to explore a modSSL buffer overflow to get access to > > a shell. The attack creates a file named "/tmp/

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Tim Haynes
Wichert Akkerman <[EMAIL PROTECTED]> writes: > Previously Phillip Hofmeister wrote: >> I am using RedHat 7.3 with Apache 1.3.23. Someone used the >> program "bugtraq.c" to explore a modSSL buffer overflow to get access to >> a shell. The attack creates a file named "/tmp/.bugtraq.c" and compile

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Wichert Akkerman
Previously Phillip Hofmeister wrote: > I am using RedHat 7.3 with Apache 1.3.23. Someone used the > program "bugtraq.c" to explore a modSSL buffer overflow to get access to > a shell. The attack creates a file named "/tmp/.bugtraq.c" and compiles it > using gcc. One wonders why you would have