[lug] openssl vulnerability

D. Stimits stimits at attbi.com
Sat Sep 21 10:06:04 MDT 2002

Just thought I'd pass something along that I've seen some notice of 
lately. There is a vulnerability in non-upgraded openssl package, which 
is not really news. However, there were a couple of interesting points I 
found that might be useful. One is that "ELF_SLAPPER.A" seems to have as 
its purpose distributed DoS. Second, file ".bugtraq.c" will be found in 
/tmp/ if the worm is on the system. Third, it only has the privileges of 
the Apache user. Fourth, and the part which might be most interesting, 
is that the worm first uses an invalid GET request on port 80 to 
determine if this is an Apache machine; then it hits port 443 to do what 
it does. If you see logs of someone hitting port 80 with an erroneous 
GET request, then port 443 immediately after, probably you are being 
tested for attack. Also, I recall seeing somewhere a claim that 
disabling SSL2 would solve this, but it seems that SSL3 has a slightly 
different means of attacking (all of course on outdated openssl).

D. Stimits, stimits AT attbi.com

More information about the LUG mailing list