[PLUG] [da at securityfocus.com: Re: OpenSSL worm in the wild]

Stafford A. Rau srau at rauhaus.org
Fri Sep 13 19:45:38 UTC 2002


Here's more on the ssl worm, and a request from a guy at
securityfocus.com for info from people with compromised hosts.

--Stafford

----- Forwarded message from Dave Ahmad <da at securityfocus.com> -----

Date: Fri, 13 Sep 2002 11:28:51 -0600 (MDT)
From: Dave Ahmad <da at securityfocus.com>
To: Ben Laurie <ben at algroup.co.uk>
Subject: Re: OpenSSL worm in the wild
Message-ID: <Pine.LNX.4.43.0209131118440.7298-100000 at mail.securityfocus.com>

Ok,

The incident analysis team over here is examining this thing.  At first
glance it looks reasonably sophisticated.  Looks to me like it exploits
the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
It seems to pick targets based on the "Server:" HTTP response field.
Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
setting it to ProductOnly to turn away at least this version of the exploit
until fixes can be applied.  Another thing to note is that it communicates
with its friends over UDP / port 2002.

I'd like to request IP addresses of hosts that have been compromised or
that are currently attacking systems from anyone who is comfortable
sharing this information.  We wish to run it through TMS (formerly
known as ARIS) to see how quickly it is propagating.

David Ahmad
Symantec
http://www.symantec.com/

On Fri, 13 Sep 2002, Ben Laurie wrote:

> I have now seen a worm for the OpenSSL problems I reported a few weeks
> back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
> be _seriously worried_.
>
> It appears to be exclusively targeted at Linux systems, but I wouldn't
> count on variants for other systems not existing.
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
>
>

----- End forwarded message -----




More information about the PLUG mailing list