httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Fwd: Re: OpenSSL worm in the wild
Date Fri, 13 Sep 2002 19:02:05 GMT
Because this is of general interest to anyone running mod_ssl with
older versions of OpenSSL (pre-0.9.6e) I'm forwarding the current status
of research here.  Please refer your feedback to Dave Ahmad, Ben Laurie
or the Bugtraq mailing list, as appropriate.


>Delivered-To: mailing list
>Date: Fri, 13 Sep 2002 11:28:51 -0600 (MDT)
>From: Dave Ahmad <>
>Subject: Re: OpenSSL worm in the wild
>The incident analysis team over here is examining this thing.  At first
>glance it looks reasonably sophisticated.  Looks to me like it exploits
>the issue described as BID 5363,
>It seems to pick targets based on the "Server:" HTTP response field.
>Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
>setting it to ProductOnly to turn away at least this version of the exploit
>until fixes can be applied.  Another thing to note is that it communicates
>with its friends over UDP / port 2002.
>I'd like to request IP addresses of hosts that have been compromised or
>that are currently attacking systems from anyone who is comfortable
>sharing this information.  We wish to run it through TMS (formerly
>known as ARIS) to see how quickly it is propagating.
>David Ahmad
>On Fri, 13 Sep 2002, Ben Laurie wrote:
> > I have now seen a worm for the OpenSSL problems I reported a few weeks
> > back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
> > be _seriously worried_.
> >
> > It appears to be exclusively targeted at Linux systems, but I wouldn't
> > count on variants for other systems not existing.
> >
> > Cheers,
> >
> > Ben.
> >
> > --
> >
> >
> > "There is no limit to what a man can do or how far he can go if he
> > doesn't mind who gets the credit." - Robert Woodruff

At 11:09 AM 9/13/2002, Sandu Mihai wrote:
>Begining with 12.09.2002 we have noticed a variant of the Apache Worm
> which now exploits mod_ssl bug.
>The worm can be identified by doing a ps -ax | grep bugtraq (it has the name
>.bugtraq :) ).
>It is an 'agent' worm (as his parent, mr. Apache Worm), and can be
>controlled / instructed to do a UDP Flood, TCP Flood, DNS Flood, other
>goodies including command execution on infected system. The source is found
>in /tmp/.bugtraq.c ... and the comments are in english now :)
>All my best,
>Sandu Mihai - KPNQWest Romania Network Engineer

View raw message