Re: Fwd: bugtraq.c httpd apache ssl attack
Previously Phillip Hofmeister wrote:
> I am using RedHat 7.3 with Apache 1.3.23. Someone used the program
> bugtraq.c to explore a modSSL buffer overflow to get access to a shell.
> The attack creates a file named /tmp/.bugtraq.c and compiles it using
> gcc.

One wonders why you would have gcc installed on a webserver..

Wichert.

-- 
[EMAIL PROTECTED] http://www.wiggy.net/
Re: Fwd: bugtraq.c httpd apache ssl attack
Wichert Akkerman [EMAIL PROTECTED] writes:
> Previously Phillip Hofmeister wrote:
> > I am using RedHat 7.3 with Apache 1.3.23. Someone used the program
> > bugtraq.c to explore a modSSL buffer overflow to get access to a shell.
> > The attack creates a file named /tmp/.bugtraq.c and compiles it using
> > gcc.
>
> One wonders why you would have gcc installed on a webserver..

Quite so. Never used to happen in my day ;)

Another idea that might help lessen the impact of this silly mess:

    # allow the UDP you actually need (DNS, NTP) with your normal rules
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
    # everything else outbound over UDP goes through a logging chain
    iptables -N outlog
    iptables -A OUTPUT -p udp -j outlog
    # the output logging rule: rate-limited log entry, then drop
    iptables -A outlog -j LOG -m limit \
        --limit 3 --limit-burst 5 \
        --log-prefix "catch-all:(out) "
    iptables -A outlog -j DROP

i.e., allow useful UDP like 53 and 123 with whatever your normal accept
rules are, and then limit everything else and drop stuff that goes
over-limits, with a useful log message to say what's happened.

$0.02,
~Tim
-- 
http://spodzone.org.uk/
Re: [d-security] Re: Fwd: bugtraq.c httpd apache ssl attack
On Sat, Sep 14, 2002 at 12:56:00PM +0200, Wichert Akkerman wrote:
> Previously Phillip Hofmeister wrote:
> > I am using RedHat 7.3 with Apache 1.3.23. Someone used the program
> > bugtraq.c to explore a modSSL buffer overflow to get access to a shell.
> > The attack creates a file named /tmp/.bugtraq.c and compiles it using
> > gcc.
>
> One wonders why you would have gcc installed on a webserver..

/me too. Perl can do everything you need and is even Priority: required.

(Wanted to say that having installed gcc/nc/tcpdump/etc. or not is not
much of a difference. You always find a way to transfer arbitrary data
once you're root on the system. Writing a simple php page that acts as
your command center and saves files is only one way.)

bye,
-christian-
Re: Fwd: bugtraq.c httpd apache ssl attack
On Sat, Sep 14, 2002 at 12:56:00PM +0200, Wichert Akkerman wrote:
> One wonders why you would have gcc installed on a webserver..

Look at places like he.net... They offer full unix environment hosting
services (including gcc).
Re: Fwd: bugtraq.c httpd apache ssl attack
Is this the same vulnerability exploited by the Linux.Slapper.Worm?

http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html

The report says openssl 0.9.6d and older are vulnerable, and woody seems
to be using 0.9.6d. Is DSA-126-1 openssl saying that this has been
patched in the woody debian binaries?

http://www.debian.org/security/2002/dsa-136

Thanks,
David.

On Fri, 13 Sep 2002, Florian Weimer wrote:
> Phillip Hofmeister [EMAIL PROTECTED] writes:
> > Even though we are not mentioned, are we vulnerable to this attack?
>
> Current rumours indicate that CAN-2002-0656 is exploited. DSA-136
> addresses this vulnerability:
>
> http://www.debian.org/security/2002/dsa-136
>
> I still have to see the worm, so I can't say for sure that you are
> safe, but it's a good time to update if you haven't done so. ;-)
>
> --
> Florian Weimer [EMAIL PROTECTED]
> University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT fax +49-711-685-5898
Re: Fwd: bugtraq.c httpd apache ssl attack
Hi all.

> I still have to see the worm, so I can't say for sure that you are
> safe, but it's a good time to update if you haven't done so. ;-)

I have the source of the worm at hand now, as well as a working binary
that has been placed on a server. Still interested in getting hands on
that thingy? :)

Bye, Mike
Re: Fwd: bugtraq.c httpd apache ssl attack
Hi all.

As an addition to my previous mail: the source is now available for
download at the following URL:

http://217.24.0.78/bugtraq.c.txt

One thing that makes me wonder: after I wrote my first few lines about
the attack on the rlx blade server that we experienced, someone gave a
correct hint to the worm (describing it with some of its actions), and
also mentioned a URL for the source code of the worm. When looking at
that source (http://dammit.lt/apache-worm/apache-worm.c) it is quite
obvious that our source is totally different. Is there a second variant
of the worm, or is this another worm using the same exploit?

Bye, Mike
Re: Fwd: bugtraq.c httpd apache ssl attack
On Sat, 14 Sep 2002 at 12:56:00PM +0200, Wichert Akkerman wrote:
> One wonders why you would have gcc installed on a webserver..

To custom compile the kernel or other apps. Our web server has many
roles, namely b/c we only have 5 IP addresses, we're running a masq
network, and 2 websites. We simply don't have enough IP addresses (or
computers) to have 1 box per service...

-- 
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
Re: Fwd: bugtraq.c httpd apache ssl attack
On Sat, Sep 14, 2002 at 07:24:06PM +0200, Michael Renzmann wrote:
> One thing that makes me wonder: after I wrote my first few lines about
> the attack on the rlx blade server that we experienced, someone gave a
> correct hint to the worm (describing it with some of its actions), and
> also mentioned a URL for the source code of the worm. When looking at
> that source (http://dammit.lt/apache-worm/apache-worm.c) it is quite
> obvious that our source is totally different. Is there a second variant
> of the worm, or is this another worm using the same exploit?

There are two worms. One is old, one is new. The one at
http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via UDP
port 2002, though I'm not actually sure what data gets sent on that port.

The old worm used UDP port 2001, and showed up shortly after the original
OpenSSL vulnerability in late July. Its source is at
http://dammit.lt/apache-worm/apache-worm.c

These worms both exploit the same OpenSSL bug. woody is not vulnerable
to this exploit if you're using the latest openssl packages from
security.debian.org. If you haven't restarted Apache since updating
those packages, though, your Apache process is still linked against the
old libraries and is therefore still vulnerable.

noah
-- 
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
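Noah's point about Apache still running against the old libraries can be checked from /proc: Linux marks a mapping whose file has since been unlinked or replaced with "(deleted)" in /proc/<pid>/maps, which is exactly what a package upgrade of libssl leaves behind for a process that has not been restarted. The following is an added example, not code from this thread; the maps excerpt is constructed, and reading other users' processes needs root.

```python
import os

# Constructed sample: an excerpt of /proc/<pid>/maps for an Apache process that
# still maps the libssl/libcrypto files a package upgrade replaced on disk.
# The kernel appends " (deleted)" to a mapped path whose directory entry is gone.
SAMPLE_MAPS = """\
08048000-080e9000 r-xp 00000000 03:01 123456     /usr/sbin/apache
40000000-40014000 r-xp 00000000 03:01 234567     /lib/ld-2.2.5.so
40025000-40054000 r-xp 00000000 03:01 345678     /usr/lib/libssl.so.0.9.6 (deleted)
40054000-40110000 r-xp 00000000 03:01 456789     /usr/lib/libcrypto.so.0.9.6 (deleted)
40110000-40220000 r-xp 00000000 03:01 567890     /lib/libc-2.2.5.so
bffff000-c0000000 rwxp 00000000 00:00 0
"""

DELETED = " (deleted)"


def stale_libs_from_maps(maps_text):
    """Return the sorted list of mapped files that were unlinked or replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]; keep the path intact.
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping (heap, stack): nothing to check
        path = fields[5].rstrip()
        if path.endswith(DELETED):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)


def processes_with_stale_libs(proc_root="/proc"):
    """Map (pid, argv[0]) -> stale mappings for every readable process.

    A hit means the process still runs the old code even though the package
    on disk is fixed; restarting the service clears it."""
    report = {}
    if not os.path.isdir(proc_root):
        return report
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "maps")) as fh:
                stale = stale_libs_from_maps(fh.read())
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                name = fh.read().split(b"\0", 1)[0].decode(errors="replace")
        except OSError:
            continue  # process exited, or its maps are not readable by us
        if stale:
            report[(int(pid), name)] = stale
    return report
```

Run processes_with_stale_libs() as root after an openssl upgrade; any apache entry it returns is a process that still needs a restart.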
Re: Fwd: bugtraq.c httpd apache ssl attack
> > Even though we are not mentioned, are we vulnerable to this attack?
>
> Current rumours indicate that CAN-2002-0656 is exploited. DSA-136
> addresses this vulnerability:
>
> http://www.debian.org/security/2002/dsa-136
>
> I still have to see the worm, so I can't say for sure that you are
> safe, but it's a good time to update if you haven't done so. ;-)

I have seen two Debian machines exploited with the -d version of
openssl, denoted by the files:

/tmp/.bugtraq.c
/tmp/.uubugtraq

It seems that the worm does not fully exploit debian, because the DOS
program was not compiled and running (and gcc was installed on one of
the . Another redhat machine was exploited and has the /tmp/.bugtraq.c
compiled and running.

Anyway, updating is a priority, because the worm could be improved to
successfully exploit debian.

-- 
Guillermo Pérez -=] 14/09/2002 [=-
bisho@ ( onirica.com | eurielec.etsit.upm.es )
Re: Fwd: bugtraq.c httpd apache ssl attack
Hi Noah.

Noah L. Meyerhans wrote:
> There are two worms. One is old, one is new. The one at
> http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via
> UDP port 2002, though I'm not actually sure what data gets sent on
> that port.

Thanks for the information. I most probably have a tcpdump log of those
packets (hopefully). I'm still trying to get it here, but I'm not sure
if the log still exists. It has been done yesterday during the attack on
an intermediate linux router box.

Bye, Mike
Re: Fwd: bugtraq.c httpd apache ssl attack
On Sat, Sep 14, 2002 at 07:46:03PM +0200, Guille -bisho- wrote:
> I have seen two Debian machines exploited with the -d version of
> openssl, denoted by the files:
>
> /tmp/.bugtraq.c
> /tmp/.uubugtraq

That's not surprising. OpenSSL 0.9.6d is vulnerable. However, in woody
we have 0.9.6c-2.woody.0, whose most recent changelog entry is:

    openssl (0.9.6c-2.woody.0) stable-security; urgency=low

      * SECURITY: patch for various overflows (upstream security patch
        0.9.6d-0.9.6e)

     -- Michael Stone [EMAIL PROTECTED]  Mon, 29 Jul 2002 21:34:41 -0400

So if you were running the 0.9.6d on your Debian box, it's probably
because you are running testing (since 'd' was never part of woody),
which we all know is a bad idea if you want to keep it secure.

noah
-- 
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Fwd: bugtraq.c httpd apache ssl attack
> > There are two worms. One is old, one is new. The one at
> > http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via
> > UDP port 2002, though I'm not actually sure what data gets sent on
> > that port.
>
> Thanks for the information. I most probably have a tcpdump log of
> those packets (hopefully). I'm still trying to get it here, but I'm
> not sure if the log still exists. It has been done yesterday during
> the attack on an intermediate linux router box.

That was sent to bugtraq about the second worm that uses port 2002:

From: Fernando Nunes [EMAIL PROTECTED]
To: bugtraq@securityfocus.com
Subject: Re: bugtraq.c httpd apache ssl attack
Date: 13 Sep 2002 23:30:04 -

After the program /tmp/.bugtraq starts running, it becomes a member of
a virtual network. Network members communicate using UDP port 2002.

The program can, when instructed (using udp port 2002):
- Execute arbitrary commands on the machines
- Route messages to other machines in the virtual network
- Execute Tcp flood attacks
- IPv6 Tcp flood
- Dns flood attacks
- Email scan (Search in every machine file for email addresses)
- etc

In 3 days, about 1500 different IP addresses tried to contact my machine
at UDP port 2002. Fortunately I have iptables configured.

-- 
Guillermo Pérez -=] 14/09/2002 [=-
bisho@ ( onirica.com | eurielec.etsit.upm.es )
Re: Fwd: bugtraq.c httpd apache ssl attack
On Sat, Sep 14, 2002 at 08:00:15PM +0200, Guille -bisho- wrote:
> In 3 days, about 1500 different IP addresses tried to contact my
> machine at UDP port 2002. Fortunately I have iptables configured.

That's interesting. I haven't seen any traffic to udp port 2002 in the
past couple of days at all. The worm uses the following code to pick
targets at random:

    if (d == 255) {
      if (c == 255) {
        a=classes[rand()%(sizeof classes)];
        b=rand();
        c=0;
      } else c++;
      d=0;
    }

I find it hard to believe that 1500 different hosts randomly chose your
machine, while 0 randomly chose any of mine.

noah
-- 
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Fwd: bugtraq.c httpd apache ssl attack
Hi.

Guille -bisho- wrote:
> [bugtraq list quote]
> After the program /tmp/.bugtraq starts running, it becomes a member of
> a virtual network. Network members communicate using UDP port 2002.
>
> The program can, when instructed (using udp port 2002):
> [/bugtraq list quote]
>
> In 3 days, about 1500 different IP addresses tried to contact my
> machine at UDP port 2002. Fortunately I have iptables configured.

We experienced the same here. The peak was at about 4 MBit/s traffic,
which was the limit of the line the server is connected to. Now, more
than 24 hours after the bugtraq process stopped running, packets for
port 2002 are still being fired against the server's ip address. I guess
that the client implements some kind of cache for addresses of infected
servers so that they can be contacted for giving them new orders. Maybe
our ip is still in the cache.

Any idea about the outgoing connections to port 80? We noticed that the
bugtraq-process systematically tries to connect to port 80 in an ip
block, and it keeps trying and trying, incrementing the ip addresses by
one per step (1.2.3.4, 1.2.3.5, 1.2.3.6, and so on). We could not find
out what is done with this connection, nor what the purpose of this scan
is.

Bye, Mike
Re: Fwd: bugtraq.c httpd apache ssl attack
Hi.

Noah L. Meyerhans wrote:
> > In 3 days, about 1500 different IP addresses tried to contact my
> > machine at UDP port 2002. Fortunately I have iptables configured.
>
> That's interesting. I haven't seen any traffic to udp port 2002 in the
> past couple of days at all. The worm uses the following code to pick
> targets at random:
> [...]
> I find it hard to believe that 1500 different hosts randomly chose
> your machine, while 0 randomly chose any of mine.

As described in another mail: I can confirm that there was (and still
is) a *huge* packet storm against port 2002 on the infected machine that
I found. Even after cleaning the machine up (removing .bugtraq and
closing the hole) they are bouncing in (or try to, they get smashed at
the firewall).

Bye, Mike
Re: Fwd: bugtraq.c httpd apache ssl attack
On Sat, Sep 14, 2002 at 08:14:56PM +0200, Michael Renzmann wrote:
> Any idea about the outgoing connections to port 80? We noticed that
> the bugtraq-process systematically tries to connect to port 80 in an
> ip block, and it keeps trying and trying, incrementing the ip addresses
> by one per step (1.2.3.4, 1.2.3.5, 1.2.3.6, and so on). We could not
> find out what is done with this connection, nor what the purpose of
> this scan is.

It seems like it tries connecting to port 80 via the GetAddress function
to determine if a host is running Apache on the standard http port. The
target host must be running Apache on port 80 in order for the worm to
even consider making an https connection to it. See the following code
from the exploit() routine:

    if ((a=GetAddress(ip)) == NULL) exit(0);
    if (strncmp(a,Apache,6)) exit(0);

It then proceeds to go off and initiate 20 connections to the https port
and attempts to exploit the OpenSSL vulnerability.

noah
-- 
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
bugtraq.c httpd apache ssl attack
Is this log evidence of our worm?

[Fri Sep 13 23:46:29 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 195.34.113.130) (OpenSSL library error follows)
[Fri Sep 13 23:46:30 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sat Sep 14 04:11:02 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 209.217.161.130) (OpenSSL library error follows)
[Sat Sep 14 04:11:02 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long

Regards,
-- 
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
Re: bugtraq.c httpd apache ssl attack
Hi.

Phillip Hofmeister wrote:
> Is this log evidence of our worm?

Not exactly. Here is the log of our machine that has been attacked:

=== cut ===
[Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client 210.243.234.135) (OpenSSL library error follows)
[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client 210.243.234.135, server localhost:443)
(the last message was repeated 20 times, telling about the timeout of
each of the 20 connections to the https-port the worm opens after
finding a running webserver on port 80)
=== cut ===

The given IP address (210. ...) was the address that the bugtraq-program
was given as some kind of uplink server address.

Bye, Mike
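Phil's and Mike's error_log excerpts show what the exploit attempts leave behind in Apache's log. As an added example that is not from the thread, the following script correlates those lines per client: the OpenSSL detail line carries no client address, so it is attributed to the "handshake failed" line just before it, and a client that piles up handshake timeouts (the 20 connections Mike describes) is flagged as well. The sample log is constructed from the lines quoted above plus one unrelated entry; the timeout threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample built from the error_log lines quoted in this thread plus
# one unrelated line, so the analysis can be run offline.
SAMPLE_LOG = """\
[Fri Sep 13 23:46:29 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 195.34.113.130) (OpenSSL library error follows)
[Fri Sep 13 23:46:30 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client 210.243.234.135) (OpenSSL library error follows)
[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client 210.243.234.135, server localhost:443)
[Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client 210.243.234.135, server localhost:443)
[Fri Sep 13 01:00:00 2002] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
"""

FAILED_RE = re.compile(r"mod_ssl: SSL handshake failed \(server \S+, client ([\d.]+)\)")
TIMEOUT_RE = re.compile(r"mod_ssl: SSL handshake timed out \(client ([\d.]+),")
OPENSSL_RE = re.compile(r"OpenSSL: error:[0-9A-Fa-f]+:SSL routines:([A-Z_0-9]+):(.+)$")

# OpenSSL errors this thread associates with the exploit: the first is the
# SSLv2 KEY_ARG overflow itself (CAN-2002-0656), the second is what Mike's
# attacked server logged for the worm's handshake.
SUSPECT_ERRORS = {
    "GET_CLIENT_MASTER_KEY:key arg too long",
    "GET_CLIENT_FINISHED:connection id is different",
}


def analyse(log_text, timeout_threshold=10):
    """Return {client_ip: {"errors": [...], "timeouts": n, "suspect": bool}}."""
    clients = defaultdict(lambda: {"errors": [], "timeouts": 0})
    pending = None  # client named on the 'handshake failed' line just seen
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            # The OpenSSL detail line that follows carries no client address,
            # so remember whose handshake just failed.
            pending = m.group(1)
            continue
        m = OPENSSL_RE.search(line)
        if m and pending is not None:
            clients[pending]["errors"].append(f"{m.group(1)}:{m.group(2).strip()}")
        pending = None  # a detail line applies only to the line right before it
        m = TIMEOUT_RE.search(line)
        if m:
            clients[m.group(1)]["timeouts"] += 1
    for info in clients.values():
        info["suspect"] = (
            any(e in SUSPECT_ERRORS for e in info["errors"])
            or info["timeouts"] >= timeout_threshold
        )
    return dict(clients)
```

Feed it the whole error_log (open(path).read()) and review every client marked suspect; a hit on the key-arg error means the overflow was attempted against that vhost whether or not it succeeded.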
Re: Fwd: bugtraq.c httpd apache ssl attack
On Sat, Sep 14, 2002 at 01:41:06PM -0400, Noah L. Meyerhans wrote:
> There are two worms. One is old, one is new. The one at
> http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via
> UDP port 2002, though I'm not actually sure what data gets sent on
> that port.
>
> The old worm used UDP port 2001, and showed up shortly after the
> original OpenSSL vulnerability in late July. Its source is at
> http://dammit.lt/apache-worm/apache-worm.c

Ah, I wondered what it was. I've been seeing that port getting battered
upon since at least last night that I noticed. Thanks for the info. I've
blocked it going into an ISP I watch over.