[PLUG] [da@securityfocus.com: Re: OpenSSL worm in the wild] (fwd)

Matt Alexander plug-discuss@lists.plug.phoenix.az.us
Fri, 13 Sep 2002 14:17:02 -0700 (PDT)


---------- Forwarded message ----------
Date: Fri, 13 Sep 2002 12:45:38 -0700
From: Stafford A. Rau <srau@rauhaus.org>
Reply-To: plug@lists.pdxlinux.org
To: plug@lists.pdxlinux.org
Subject: [PLUG] [da@securityfocus.com: Re: OpenSSL worm in the wild]

Here's more on the ssl worm, and a request from a guy at
securityfocus.com for info from people with compromised hosts.

--Stafford

----- Forwarded message from Dave Ahmad <da@securityfocus.com> -----

Date: Fri, 13 Sep 2002 11:28:51 -0600 (MDT)
From: Dave Ahmad <da@securityfocus.com>
To: Ben Laurie <ben@algroup.co.uk>
Subject: Re: OpenSSL worm in the wild
Message-ID: <Pine.LNX.4.43.0209131118440.7298-100000@mail.securityfocus.com>

Ok,

The incident analysis team over here is examining this thing.  At first
glance it looks reasonably sophisticated.  Looks to me like it exploits
the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
It seems to pick targets based on the "Server:" HTTP response field.
Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
setting it to ProductOnly to turn away at least this version of the exploit
until fixes can be applied.  Another thing to note is that it communicates
with its friends over UDP / port 2002.

I'd like to request IP addresses of hosts that have been compromised or
that are currently attacking systems from anyone who is comfortable
sharing this information.  We wish to run it through TMS (formerly
known as ARIS) to see how quickly it is propagating.

David Ahmad
Symantec
http://www.symantec.com/

On Fri, 13 Sep 2002, Ben Laurie wrote:

> I have now seen a worm for the OpenSSL problems I reported a few weeks
> back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
> be _seriously worried_.
>
> It appears to be exclusively targeted at Linux systems, but I wouldn't
> count on variants for other systems not existing.
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
>
>

----- End forwarded message -----

_______________________________________________
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
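Added example, not code from the thread or from any of its authors: two small checks a responder might want after reading Dave Ahmad's message. The first classifies an Apache "Server:" response value by the ServerTokens level that produces it and pulls out any advertised OpenSSL version, since the message says the worm picks targets from that field and proposes ServerTokens ProductOnly as a stopgap; the banner is compared against 0.9.6e, the floor Ben Laurie names. The second sweeps flow-log lines for UDP traffic on port 2002, the peer channel the message describes, and lists the hosts involved. The flow-log line format, the sample headers and flow lines, and all function names are assumptions made for this example.

```python
"""
Two checks drawn from the thread: what an Apache "Server:" header leaks
(the field the worm is said to select targets by) and a sweep of flow-log
lines for UDP/2002 peer traffic.  Sample data below is constructed.
"""
import re
from typing import Optional

# Header shapes produced by the Apache 1.3 ServerTokens levels, least to most
# verbose: "Apache" (ProductOnly), "Apache/1.3.26" (Minimal),
# "Apache/1.3.26 (Unix)" (OS), "Apache/1.3.26 (Unix) mod_ssl/... OpenSSL/..." (Full).
_PRODUCT_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>\S+))?")
_OS_RE = re.compile(r"\([^)]*\)")
_MODULE_RE = re.compile(r"(?P<name>[A-Za-z][\w-]*)/(?P<ver>[0-9]\S*)")
_OPENSSL_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")


def server_tokens_level(server_header: str) -> str:
    """Classify a Server: value as ProductOnly, Minimal, OS or Full."""
    value = server_header.strip()
    m = _PRODUCT_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised Server header: {server_header!r}")
    rest = value[m.end():]                 # everything after the product token
    if _MODULE_RE.search(rest):            # module/version tokens => Full
        return "Full"
    if _OS_RE.search(rest):                # "(Unix)" style OS token => OS
        return "OS"
    if m.group("version"):                 # product/version only => Minimal
        return "Minimal"
    return "ProductOnly"


def openssl_version(server_header: str) -> Optional[str]:
    """Return the OpenSSL version advertised in the banner, or None.
    This is the token a scanner keying on Server: would read."""
    for name, ver in _MODULE_RE.findall(server_header):
        if name.lower() == "openssl":
            return ver
    return None


def _version_key(ver: str) -> tuple:
    # "0.9.6d" -> (0, 9, 6, "d"); "0.9.7" -> (0, 9, 7, "") so that a bare
    # release sorts below its lettered patch releases and above the prior one.
    m = _OPENSSL_VER_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {ver!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def banner_below_fix(server_header: str, fixed: str = "0.9.6e") -> Optional[bool]:
    """True if the banner names an OpenSSL older than `fixed` (0.9.6e, the
    floor given in the thread), False if at or above it, None if the banner
    does not name OpenSSL at all.  Caveat: vendors backport fixes without
    changing the banner, so True means "go check this host", not "exploitable"."""
    ver = openssl_version(server_header)
    if ver is None:
        return None
    return _version_key(ver) < _version_key(fixed)


# Constructed flow-log lines (assumed format, not real data):
#   <timestamp> <proto> <src>:<sport> -> <dst>:<dport> <bytes>
SAMPLE_FLOWS = """\
2002-09-13T11:20:01 udp 192.0.2.10:2002 -> 198.51.100.7:2002 96
2002-09-13T11:20:02 tcp 192.0.2.10:34511 -> 198.51.100.9:443 1420
2002-09-13T11:20:05 udp 203.0.113.4:2002 -> 192.0.2.10:2002 64
2002-09-13T11:20:09 udp 192.0.2.11:53211 -> 192.0.2.1:53 71
2002-09-13T11:20:12 udp 192.0.2.10:2002 -> 203.0.113.44:2002 96
"""

_FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)


def find_udp_2002_flows(log_text: str, port: int = 2002) -> list:
    """(src, dst) pairs for UDP flows with `port` on either side.
    Lines that do not match the expected shape are skipped, not guessed at."""
    hits = []
    for line in log_text.splitlines():
        m = _FLOW_RE.match(line.strip())
        if not m or m.group("proto").lower() != "udp":
            continue
        if port in (int(m.group("sport")), int(m.group("dport"))):
            hits.append((m.group("src"), m.group("dst")))
    return hits


def suspect_hosts(log_text: str, port: int = 2002) -> list:
    """Sorted unique addresses seen in UDP/2002 flows: the list a responder
    would review before sharing compromised-host IPs as the message requests."""
    hosts = set()
    for src, dst in find_udp_2002_flows(log_text, port):
        hosts.update((src, dst))
    return sorted(hosts)


if __name__ == "__main__":
    for hdr in ("Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d", "Apache"):
        print(hdr, "->", server_tokens_level(hdr), banner_below_fix(hdr))
    print("UDP/2002 hosts:", suspect_hosts(SAMPLE_FLOWS))
```

A real banner can be fetched with `curl -sI https://host/` and fed to `server_tokens_level`; `ServerTokens Prod` in httpd.conf yields the bare "Apache" form. As the message itself notes, hiding the banner only turns away a scanner that keys on it, so a host whose banner reads ProductOnly still needs the OpenSSL fix, and a banner older than 0.9.6e on a distribution that backports patches is a prompt to check the installed package, not a verdict.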