On Tue, Sep 17, 2002 at 06:35:52PM +0200, Michael Renzmann wrote:
> Hi Florian.
>
> Florian Weimer wrote:
> >If you want to do your own tests (without fooling around with the
> >worm), you can use our tool:
> >
> >http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
>
> Great tool, th
Hi Florian.
Florian Weimer wrote:
If you want to do your own tests (without fooling around with the
worm), you can use our tool:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
Great tool, thanks.
The website of the RUS-CERT mentions in the description of the worm:
"Bei ver
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:
> On Sat, Sep 14, 2002 at 08:05:53PM +0200, Guille -bisho- wrote:
>> I don't know if in the c-2 the worm works partially or fully. Does anybody know?
>> It seems that the worm does not fully work on Debian.
>
> The exploit code in the newest worm has be
On Tue, Sep 17, 2002 at 06:35:52PM +0200, Michael Renzmann wrote:
> Hi Florian.
>
> Florian Weimer wrote:
> >If you want to do your own tests (without fooling around with the
> >worm), you can use our tool:
> >
> >http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
>
> Great tool, t
Hi Florian.
Florian Weimer wrote:
> If you want to do your own tests (without fooling around with the
> worm), you can use our tool:
>
> http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
Great tool, thanks.
The website of the RUS-CERT mentions in the description of the worm:
"B
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:
> On Sat, Sep 14, 2002 at 08:05:53PM +0200, Guille -bisho- wrote:
>> I don't know if in the c-2 the worm works partially or fully. Does anybody know?
>> It seems that the worm does not fully work on Debian.
>
> The exploit code in the newest worm has b
On Sat, Sep 14, 2002 at 01:41:06PM -0400, Noah L. Meyerhans wrote:
> There are two worms. One is old, one is new. The one at
> http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via
> UDP port 2002, though I'm not actually sure what data gets sent on that
> port. The old worm use
On Sat, Sep 14, 2002 at 08:14:56PM +0200, Michael Renzmann wrote:
> Any idea about the outgoing connections to port 80? We noticed that the
> bugtraq-process systematically tries to connect to port 80 in an ip
> block, and it keeps trying and trying, incrementing the ip addresses by
> one per st
Hi.
Noah L. Meyerhans wrote:
In 3 days, about 1500 different IP addresses tried to contact my machine at
UDP port 2002. Fortunately I have iptables configured.
That's interesting. I haven't seen any traffic to udp port 2002 in the
past couple of days at all. The worm uses the following code to pi
Hi.
Guille -bisho- wrote:
[bugtraq list quote]
After the program "/tmp/.bugtraq" starts running, it becomes a member of a
virtual network. Network members communicate using UDP port 2002.
The program can, when instructed (using udp port 2002):
[/bugtraq list quote]
In 3 days, about 1500 difere
On Sat, Sep 14, 2002 at 08:00:15PM +0200, Guille -bisho- wrote:
> In 3 days, about 1500 different IP addresses tried to contact my machine at
> UDP port 2002. Fortunately I have iptables configured.
That's interesting. I haven't seen any traffic to udp port 2002 in the
past couple of days at all. T
On Sat, Sep 14, 2002 at 08:05:53PM +0200, Guille -bisho- wrote:
> I don't know if in the c-2 the worm works partially or fully. Does anybody know?
> It seems that the worm does not fully work on Debian.
The exploit code in the newest worm has been tested against
0.9.6c-2.woody.0. It was not sucessfu
>> I have seen two Debian machines exploited with the -d version of
>> openssl, denoted by the files:
>> /tmp/.bugtraq.c /tmp/.uubugtraq
>
>That's not surprising. OpenSSL 0.9.6d is vulnerable. However, in woody
>we have 0.9.6c-2.woody.0, whose most recent changelog entry is:
>
>openssl (0.9.
Michael Renzmann <[EMAIL PROTECTED]> writes:
> One thing that makes me wonder: after I wrote my first few lines about
> the attack on the rlx blade server that we experienced, someone gave a
> correct hint to the worm (describing it with some of its actions), and
> also mentioned a URL for the sou
>> There are two worms. One is old, one is new. The one at
>> http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via
>> UDP port 2002, though I'm not actually sure what data gets sent on that
>> port.
>
>Thanks for the information.
>
>I most probably have a tcpdump log of those p
On Sat, Sep 14, 2002 at 07:46:03PM +0200, Guille -bisho- wrote:
> I have seen two Debian machines exploited with the -d version of
> openssl, denoted by the files:
> /tmp/.bugtraq.c /tmp/.uubugtraq
That's not surprising. OpenSSL 0.9.6d is vulnerable. However, in woody
we have 0.9.6c-2.woody
Hi Noah.
Noah L. Meyerhans wrote:
There are two worms. One is old, one is new. The one at
http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via
UDP port 2002, though I'm not actually sure what data gets sent on that
port.
Thanks for the information.
I most probably have a
>> Even though we are not mentioned, are we vulnerable to this attack?
>
>Current rumours indicate that CAN-2002-0656 is exploited. DSA-136
>addresses this vulnerability:
>
>http://www.debian.org/security/2002/dsa-136
>
>I still have to see the worm, so I can't say for sure that you are
>safe, but
On Sat, Sep 14, 2002 at 07:24:06PM +0200, Michael Renzmann wrote:
> One thing that makes me wonder: after I wrote my first few lines about
> the attack on the rlx blade server that we experienced, someone gave a
> correct hint to the worm (describing it with some of its actions), and
> also ment
On Sat, 14 Sep 2002 at 12:56:00PM +0200, Wichert Akkerman wrote:
> One wonders why you would have gcc installed on a webserver..
To custom compile the kernel or other apps. Our web server has many roles
namely b/c we only have 5 IP addresses, we're running a masq network, and
2 websites. We simpl
Hi all.
In addition to my previous mail: the source is now available for
download at the following URL:
http://217.24.0.78/bugtraq.c.txt
One thing that makes me wonder: after I wrote my first few lines about
the attack on the rlx blade server that we experienced, someone gave a
correct hint
Hi all.
I still have to see the worm, so I can't say for sure that you are
safe, but it's a good time to update if you haven't done so. ;-)
I have the source of the worm at hand now, as well as a working binary
that has been placed on a server. Still interested in getting hands on
that thin
Is this the same vulnerability exploited by the "Linux.Slapper.Worm"?
http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
The reports openssl 0.9.6d and older are vulnerable, and woody seems to be
using 0.9.6.d.
Is DSA-126-1 openssl saying that this has been patched
On Sat, Sep 14, 2002 at 12:56:00PM +0200, Wichert Akkerman wrote:
> One wonders why you would have gcc installed on a webserver..
Look at places like he.net... They offer full unix environment hosting
services (including gcc).
On Sat, Sep 14, 2002 at 12:56:00PM +0200, Wichert Akkerman wrote:
> Previously Phillip Hofmeister wrote:
> > I am using RedHat 7.3 with Apache 1.3.23. Someone used the
> > program "bugtraq.c" to explore a modSSL buffer overflow to get access to
> > a shell. The attack creates a file named "/tmp/
Wichert Akkerman <[EMAIL PROTECTED]> writes:
> Previously Phillip Hofmeister wrote:
>> I am using RedHat 7.3 with Apache 1.3.23. Someone used the
>> program "bugtraq.c" to explore a modSSL buffer overflow to get access to
>> a shell. The attack creates a file named "/tmp/.bugtraq.c" and compile
Previously Phillip Hofmeister wrote:
> I am using RedHat 7.3 with Apache 1.3.23. Someone used the
> program "bugtraq.c" to explore a modSSL buffer overflow to get access to
> a shell. The attack creates a file named "/tmp/.bugtraq.c" and compiles it
> using gcc.
One wonders why you would have
Phillip Hofmeister <[EMAIL PROTECTED]> writes:
> Even though we are not mentioned, are we vulnerable to this attack?
Current rumours indicate that CAN-2002-0656 is exploited. DSA-136
addresses this vulnerability:
http://www.debian.org/security/2002/dsa-136
I still have to see the worm, so I ca
Even though we are not mentioned, are we vulnerable to this attack?
- Forwarded message from Fernando Nunes <[EMAIL PROTECTED]> -
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Fri, 13 Sep 2002 13:20:23 -0400
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
List-Id:
29 matches