Noah L. Meyerhans [EMAIL PROTECTED] writes:
On Sat, Sep 14, 2002 at 08:05:53PM +0200, Guille -bisho- wrote:
I don't know if in the c-2 the worm works partially or fully. Anybody knows?
It seems that the worm does not fully works on debian.
The exploit code in the newest worm has been tested
Hi Florian.
Florian Weimer wrote:
If you want to do your own tests (without fooling around with the
worm), you can use our tool:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
Great tool, thanks.
The website of the RUS-CERT mentions in the description of the worm:
Bei
On Tue, Sep 17, 2002 at 06:35:52PM +0200, Michael Renzmann wrote:
Hi Florian.
Florian Weimer wrote:
If you want to do your own tests (without fooling around with the
worm), you can use our tool:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
Great tool, thanks.
Noah L. Meyerhans [EMAIL PROTECTED] writes:
On Sat, Sep 14, 2002 at 08:05:53PM +0200, Guille -bisho- wrote:
I don't know if in the c-2 the worm works partially or fully. Anybody knows?
It seems that the worm does not fully works on debian.
The exploit code in the newest worm has been tested
Hi Florian.
Florian Weimer wrote:
If you want to do your own tests (without fooling around with the
worm), you can use our tool:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
Great tool, thanks.
The website of the RUS-CERT mentions in the description of the worm:
Bei
On Tue, Sep 17, 2002 at 06:35:52PM +0200, Michael Renzmann wrote:
Hi Florian.
Florian Weimer wrote:
If you want to do your own tests (without fooling around with the
worm), you can use our tool:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
Great tool, thanks.
Phillip Hofmeister [EMAIL PROTECTED] writes:
Is this log evidence of our worm?
[Fri Sep 13 23:46:29 2002] [error] mod_ssl: SSL handshake failed (server
www.zionlth.org:443, client 195.34.113.130) (OpenSSL library error follows)
[Fri Sep 13 23:46:30 2002] [error] OpenSSL: error:1406B458:SSL
Previously Phillip Hofmeister wrote:
I am using RedHat 7.3 with Apache 1.3.23. Someone used the
program bugtraq.c to explore an modSSL buffer overflow to get access to
a shell. The attack creates a file named /tmp/.bugtraq.c and compiles it
using gcc.
One wonders why you would have gcc
Wichert Akkerman [EMAIL PROTECTED] writes:
Previously Phillip Hofmeister wrote:
I am using RedHat 7.3 with Apache 1.3.23. Someone used the
program bugtraq.c to explore an modSSL buffer overflow to get access to
a shell. The attack creates a file named /tmp/.bugtraq.c and compiles it
using
On Sat, Sep 14, 2002 at 12:56:00PM +0200, Wichert Akkerman wrote:
Previously Phillip Hofmeister wrote:
I am using RedHat 7.3 with Apache 1.3.23. Someone used the
program bugtraq.c to explore an modSSL buffer overflow to get access to
a shell. The attack creates a file named
On Sat, Sep 14, 2002 at 12:56:00PM +0200, Wichert Akkerman wrote:
One wonders why you would have gcc installed on a webserver..
Look at places like he.net... They offer full unix environment hosting
services (including gcc).
Is this the same vulnerability exploited bye the Linux.Slapper.Worm?
http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
The reports openssl 0.9.6d and older are vulnerable, and woody seems to be
using 0.9.6.d.
Is DSA-126-1 openssl saying that this has been patched
Hi all.
I still have to see the worm, so I can't say for sure that you are
safe, but it's a good time to update if you haven't done so. ;-)
I have the source of the worm at hands now, as well as a working binary
that has been placed on a server. Still interested in getting hands on
that
Hi all.
As addition to my previous mail: the source is now available for
download at the following URL:
http://217.24.0.78/bugtraq.c.txt
One thing that makes me wonder: after I wrote my first few lines about
the attack on the rlx blade server that we experienced, someone gave a
correct
On Sat, 14 Sep 2002 at 12:56:00PM +0200, Wichert Akkerman wrote:
One wonders why you would have gcc installed on a webserver..
To custom compile the kernel or other apps. Our web server has many roles
namely b/c we only have 5 IP addresses, we're running a masq network, and
2 websites. We
On Sat, Sep 14, 2002 at 07:24:06PM +0200, Michael Renzmann wrote:
One thing that makes me wonder: after I wrote my first few lines about
the attack on the rlx blade server that we experienced, someone gave a
correct hint to the worm (describing it with some of its actions), and
also
Even through we are not mentioned are we vulnerable to this attack?
Current rumours indicate that CAN-2002-0656 is exploited. DSA-136
addresses this vulnerability:
http://www.debian.org/security/2002/dsa-136
I still have to see the worm, so I can't say for sure that you are
safe, but it's a
Hi Noah.
Noah L. Meyerhans wrote:
There are two worms. One is old, one is new. The one at
http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via
UDP port 2002, though I'm not actually sure what data gets sent on that
port.
Thanks for the information.
I most probably have a
On Sat, Sep 14, 2002 at 07:46:03PM +0200, Guille -bisho- wrote:
I have seen two Debian machines exploited with the -d version of
openssl, denoted by the the files:
/tmp/.bugtraq.c /tmp/.uubugtraq
That's not surprising. OpenSSL 0.9.6d is vulnerable. However, in woody
we have
]
To: bugtraq@securityfocus.com
Subject: Re: bugtraq.c httpd apache ssl attack
Date:13 Sep 2002 23:30:04 -
After the program /tmp/.bugtraq starts running, it becomes a member of a
virtual network. Network members comunicate using UDP port 2002.
The program can, when
On Sat, Sep 14, 2002 at 08:00:15PM +0200, Guille -bisho- wrote:
In 3 dias, about 1500 diferent IP address tried to contact my machine at
UDP port 2002. Fortunally i have iptables configured.
That's interesting. I haven't seen any traffic to udp port 2002 in the
past couple of days at all.
Hi.
Guille -bisho- wrote:
[bugtraq list quote]
After the program /tmp/.bugtraq starts running, it becomes a member of a
virtual network. Network members comunicate using UDP port 2002.
The program can, when instructed (using udp port 2002):
[/bugtraq list quote]
In 3 dias, about 1500
Hi.
Noah L. Meyerhans wrote:
In 3 dias, about 1500 diferent IP address tried to contact my machine at
UDP port 2002. Fortunally i have iptables configured.
That's interesting. I haven't seen any traffic to udp port 2002 in the
past couple of days at all. The worm uses the following code to
On Sat, Sep 14, 2002 at 08:14:56PM +0200, Michael Renzmann wrote:
Any idea about the outgoing connections to port 80? We noticed that the
bugtraq-process systematically tries to connect to port 80 in an ip
block, and it keeps trying and trying, incrementing the ip addresses by
one per step
Is this log evidence of our worm?
[Fri Sep 13 23:46:29 2002] [error] mod_ssl: SSL handshake failed (server
www.zionlth.org:443, client 195.34.113.130) (OpenSSL library error follows)
[Fri Sep 13 23:46:30 2002] [error] OpenSSL: error:1406B458:SSL
routines:GET_CLIENT_MASTER_KEY:key arg too long
Hi.
Phillip Hofmeister wrote:
Is this log evidence of our worm?
Not exactly. Here is the log of our machine that has been attacked:
=== cut ===
[Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent
HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Sep 13
On Sat, Sep 14, 2002 at 01:41:06PM -0400, Noah L. Meyerhans wrote:
There are two worms. One is old, one is new. The one at
http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via
UDP port 2002, though I'm not actually sure what data gets sent on that
port. The old worm used
@securityfocus.com
Date: 13 Sep 2002 13:55:17 -
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: Fernando Nunes [EMAIL PROTECTED]
To: bugtraq@securityfocus.com
Subject: bugtraq.c httpd apache ssl attack
I am using RedHat 7.3 with Apache 1.3.23. Someone used the
program bugtraq.c to explore an modSSL buffer
Phillip Hofmeister [EMAIL PROTECTED] writes:
Even through we are not mentioned are we vulnerable to this attack?
Current rumours indicate that CAN-2002-0656 is exploited. DSA-136
addresses this vulnerability:
http://www.debian.org/security/2002/dsa-136
I still have to see the worm, so I
29 matches
Mail list logo
