Bugtraq mailing list archives
Re: OpenSSL worm in the wild
From: Eric Rescorla <ekr () rtfm com>
Date: 13 Sep 2002 13:37:08 -0700
Dave Ahmad <da () securityfocus com> writes:
The incident analysis team over here is examining this thing. At first glance it looks reasonably sophisticated. Looks to me like it exploits the issue described as BID 5363, http://online.securityfocus.com/bid/5363. It seems to pick targets based on the "Server:" HTTP response field. Mario Van Velzen proposed a quick workaround of disabling ServerTokens or setting it to ProductOnly to turn away at least this version of the exploit until fixes can be applied.
Since this workaround requires changing the configuration file, it's equally easy to disable SSLv2 entirely--especially since one could easily modify the worm to attack all servers or, perhaps, those which only display Product ID :)

-Ekr

--
[Eric Rescorla ekr () rtfm com]
http://www.rtfm.com/
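Added example, not part of the original post: a small Python check over Apache configuration text that reports whether SSLv2 is still enabled independently of the ServerTokens value, which is the distinction the reply above draws. It assumes 2002-era mod_ssl semantics (`all` includes SSLv2, and SSLv2 is on when no SSLProtocol line is present) and treats the file as flat with the last directive winning; the sample configurations are constructed.

```python
# Added example. Assumes 2002-era mod_ssl: "all" includes SSLv2, and SSLv2 is
# on by default when no SSLProtocol directive is present.
ALL = {"SSLv2", "SSLv3", "TLSv1"}

def enabled_protocols(args):
    """Apply SSLProtocol tokens left to right: +x adds, -x removes, bare x replaces."""
    current = set(ALL)
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            chosen = set(ALL)
        else:
            chosen = {p for p in ALL if p.lower() == name.lower()}
        if not chosen:
            raise ValueError(f"unknown SSLProtocol token {tok!r}")
        if sign == "+":
            current |= chosen
        elif sign == "-":
            current -= chosen
        else:
            current = chosen
    return current

def audit(conf_text):
    """Return (sslv2_enabled, server_tokens) for flat config text; last directive wins."""
    protocols, tokens = set(ALL), "Full"  # Apache's default ServerTokens is Full
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "sslprotocol":
            protocols = enabled_protocols(parts[1:])
        elif directive == "servertokens" and len(parts) > 1:
            tokens = parts[1]
    return ("SSLv2" in protocols, tokens)

# Constructed sample configurations.
BANNER_ONLY = "ServerTokens ProductOnly\nSSLEngine on\n"
SSLV2_OFF = "# hardened\nServerTokens ProductOnly\nSSLEngine on\nSSLProtocol all -SSLv2\n"

if __name__ == "__main__":
    for label, conf in (("banner only", BANNER_ONLY), ("SSLv2 disabled", SSLV2_OFF)):
        sslv2, tokens = audit(conf)
        print(f"{label}: ServerTokens={tokens} SSLv2 {'ENABLED' if sslv2 else 'disabled'}")
```

A configuration that only changes ServerTokens still reports SSLv2 as enabled; only the SSLProtocol line changes that result.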