[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OpenSSL worm in the wild


The incident analysis team over here is examining this thing.  At first
glance it looks reasonably sophisticated.  Looks to me like it exploits
the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
It seems to pick targets based on the "Server:" HTTP response field.
Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
setting it to ProductOnly to turn away at least this version of the exploit
until fixes can be applied.  Another thing to note is that it communicates
with its friends over UDP / port 2002.

I'd like to request IP addresses of hosts that have been compromised or
that are currently attacking systems from anyone who is comfortable
sharing this information.  We wish to run it through TMS (formerly
known as ARIS) to see how quickly it is propagating.

David Ahmad

On Fri, 13 Sep 2002, Ben Laurie wrote:

> I have now seen a worm for the OpenSSL problems I reported a few weeks
> back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
> be _seriously worried_.
> It appears to be exclusively targeted at Linux systems, but I wouldn't
> count on variants for other systems not existing.
> Cheers,
> Ben.
> --
> http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff