Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-17 Thread Florian Weimer
Noah L. Meyerhans [EMAIL PROTECTED] writes: On Sat, Sep 14, 2002 at 08:05:53PM +0200, Guille -bisho- wrote: I don't know if in the c-2 the worm works partially or fully. Anybody knows? It seems that the worm does not fully work on Debian. The exploit code in the newest worm has been tested

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-17 Thread Michael Renzmann
Hi Florian. Florian Weimer wrote: If you want to do your own tests (without fooling around with the worm), you can use our tool: http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php Great tool, thanks. The website of the RUS-CERT mentions in the description of the worm: Bei

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-17 Thread Dale Amon
On Tue, Sep 17, 2002 at 06:35:52PM +0200, Michael Renzmann wrote: Hi Florian. Florian Weimer wrote: If you want to do your own tests (without fooling around with the worm), you can use our tool: http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php Great tool, thanks.

Re: bugtraq.c httpd apache ssl attack

2002-09-15 Thread Florian Weimer
Phillip Hofmeister [EMAIL PROTECTED] writes: Is this log evidence of our worm? [Fri Sep 13 23:46:29 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 195.34.113.130) (OpenSSL library error follows) [Fri Sep 13 23:46:30 2002] [error] OpenSSL: error:1406B458:SSL

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Wichert Akkerman
Previously Phillip Hofmeister wrote: I am using RedHat 7.3 with Apache 1.3.23. Someone used the program bugtraq.c to explore a modSSL buffer overflow to get access to a shell. The attack creates a file named /tmp/.bugtraq.c and compiles it using gcc. One wonders why you would have gcc

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Tim Haynes
Wichert Akkerman [EMAIL PROTECTED] writes: Previously Phillip Hofmeister wrote: I am using RedHat 7.3 with Apache 1.3.23. Someone used the program bugtraq.c to explore a modSSL buffer overflow to get access to a shell. The attack creates a file named /tmp/.bugtraq.c and compiles it using

Re: [d-security] Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Christian Hammers
On Sat, Sep 14, 2002 at 12:56:00PM +0200, Wichert Akkerman wrote: Previously Phillip Hofmeister wrote: I am using RedHat 7.3 with Apache 1.3.23. Someone used the program bugtraq.c to explore a modSSL buffer overflow to get access to a shell. The attack creates a file named

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread valerian
On Sat, Sep 14, 2002 at 12:56:00PM +0200, Wichert Akkerman wrote: One wonders why you would have gcc installed on a webserver.. Look at places like he.net... They offer full unix environment hosting services (including gcc).

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread David Ehle
Is this the same vulnerability exploited by the Linux.Slapper.Worm? http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html The reports say openssl 0.9.6d and older are vulnerable, and woody seems to be using 0.9.6d. Is DSA-126-1 openssl saying that this has been patched

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi all. I still have to see the worm, so I can't say for sure that you are safe, but it's a good time to update if you haven't done so. ;-) I have the source of the worm at hands now, as well as a working binary that has been placed on a server. Still interested in getting hands on that

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi all. As addition to my previous mail: the source is now available for download at the following URL: http://217.24.0.78/bugtraq.c.txt One thing that makes me wonder: after I wrote my first few lines about the attack on the rlx blade server that we experienced, someone gave a correct

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Phillip Hofmeister
On Sat, 14 Sep 2002 at 12:56:00PM +0200, Wichert Akkerman wrote: One wonders why you would have gcc installed on a webserver.. To custom compile the kernel or other apps. Our web server has many roles namely b/c we only have 5 IP addresses, we're running a masq network, and 2 websites. We

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Noah L. Meyerhans
On Sat, Sep 14, 2002 at 07:24:06PM +0200, Michael Renzmann wrote: One thing that makes me wonder: after I wrote my first few lines about the attack on the rlx blade server that we experienced, someone gave a correct hint to the worm (describing it with some of its actions), and also

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Guille -bisho-
Even though we are not mentioned, are we vulnerable to this attack? Current rumours indicate that CAN-2002-0656 is exploited. DSA-136 addresses this vulnerability: http://www.debian.org/security/2002/dsa-136 I still have to see the worm, so I can't say for sure that you are safe, but it's a

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi Noah. Noah L. Meyerhans wrote: There are two worms. One is old, one is new. The one at http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via UDP port 2002, though I'm not actually sure what data gets sent on that port. Thanks for the information. I most probably have a

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Noah L. Meyerhans
On Sat, Sep 14, 2002 at 07:46:03PM +0200, Guille -bisho- wrote: I have seen two Debian machines exploited with the -d version of openssl, denoted by the the files: /tmp/.bugtraq.c /tmp/.uubugtraq That's not surprising. OpenSSL 0.9.6d is vulnerable. However, in woody we have

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Guille -bisho-
] To: bugtraq@securityfocus.com Subject: Re: bugtraq.c httpd apache ssl attack Date: 13 Sep 2002 23:30:04 - After the program /tmp/.bugtraq starts running, it becomes a member of a virtual network. Network members communicate using UDP port 2002. The program can, when

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Noah L. Meyerhans
On Sat, Sep 14, 2002 at 08:00:15PM +0200, Guille -bisho- wrote: In 3 days, about 1500 different IP addresses tried to contact my machine at UDP port 2002. Fortunately I have iptables configured. That's interesting. I haven't seen any traffic to udp port 2002 in the past couple of days at all.

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi. Guille -bisho- wrote: [bugtraq list quote] After the program /tmp/.bugtraq starts running, it becomes a member of a virtual network. Network members communicate using UDP port 2002. The program can, when instructed (using udp port 2002): [/bugtraq list quote] In 3 days, about 1500

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi. Noah L. Meyerhans wrote: In 3 days, about 1500 different IP addresses tried to contact my machine at UDP port 2002. Fortunately I have iptables configured. That's interesting. I haven't seen any traffic to udp port 2002 in the past couple of days at all. The worm uses the following code to

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Noah L. Meyerhans
On Sat, Sep 14, 2002 at 08:14:56PM +0200, Michael Renzmann wrote: Any idea about the outgoing connections to port 80? We noticed that the bugtraq-process systematically tries to connect to port 80 in an ip block, and it keeps trying and trying, incrementing the ip addresses by one per step

bugtraq.c httpd apache ssl attack

2002-09-14 Thread Phillip Hofmeister
Is this log evidence of our worm? [Fri Sep 13 23:46:29 2002] [error] mod_ssl: SSL handshake failed (server www.zionlth.org:443, client 195.34.113.130) (OpenSSL library error follows) [Fri Sep 13 23:46:30 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long

Re: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi. Phillip Hofmeister wrote: Is this log evidence of our worm? Not exactly. Here is the log of our machine that has been attacked: === cut === [Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Fri Sep 13

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Dale Amon
On Sat, Sep 14, 2002 at 01:41:06PM -0400, Noah L. Meyerhans wrote: There are two worms. One is old, one is new. The one at http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via UDP port 2002, though I'm not actually sure what data gets sent on that port. The old worm used

Fwd: bugtraq.c httpd apache ssl attack

2002-09-13 Thread Phillip Hofmeister
@securityfocus.com Date: 13 Sep 2002 13:55:17 - X-Mailer: MIME-tools 5.411 (Entity 5.404) From: Fernando Nunes [EMAIL PROTECTED] To: bugtraq@securityfocus.com Subject: bugtraq.c httpd apache ssl attack I am using RedHat 7.3 with Apache 1.3.23. Someone used the program bugtraq.c to explore a modSSL buffer

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-13 Thread Florian Weimer
Phillip Hofmeister [EMAIL PROTECTED] writes: Even though we are not mentioned, are we vulnerable to this attack? Current rumours indicate that CAN-2002-0656 is exploited. DSA-136 addresses this vulnerability: http://www.debian.org/security/2002/dsa-136 I still have to see the worm, so I