Security Incidents mailing list archives

New worm?


From: Norbert Bollow <nb () cisto com>
Date: Wed, 25 Sep 2002 00:16:41 +0200

Summary:  Apache webserver logfiles show malicious activity seeking
to exploit OpenSSL vulnerability.  In one case the break-in was
successful, in one case it wasn't.  I think this is probably a
worm, which may be similar to the Slapper worm.  (But it's not any
of the well-known variants of the Slapper worm.)

Here the gory details:

On one machine (GNU/Linux (heavily modified Redhat Linux) on AMD-K6 3D
processor, Apache/1.3.17 (Unix) with mod_perl/1.25, mod_ssl/2.8.0,
OpenSSL/0.9.6 which I compiled myself some time back) I see this in the
error logfile:

--snip------------------------------------------------------------
[Sun Sep 22 12:03:46 2002] [error] mod_ssl: SSL handshake failed (server www.surrogacy.com:443, client 66.216.96.82) (OpenSSL library error follows)
[Sun Sep 22 12:03:46 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Sun Sep 22 21:57:11 2002] [error] mod_ssl: SSL handshake failed (server www.surrogacy.com:443, client 66.216.96.112) (OpenSSL library error follows)
[Sun Sep 22 21:57:11 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Mon Sep 23 04:02:21 2002] [notice] Apache/1.3.17 (Unix) mod_perl/1.25 mod_ssl/2.8.0 OpenSSL/0.9.6 configured -- resuming normal operations
[Mon Sep 23 04:31:40 2002] [error] mod_ssl: SSL handshake failed (server www.surrogacy.com:443, client 209.145.157.119) (OpenSSL library error follows)
[Mon Sep 23 04:31:40 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Mon Sep 23 14:00:33 2002] [error] mod_ssl: SSL handshake failed (server www.surrogacy.com:443, client 216.229.183.80) (OpenSSL library error follows)
[Mon Sep 23 14:00:33 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Tue Sep 24 04:02:28 2002] [notice] Apache/1.3.17 (Unix) mod_perl/1.25 mod_ssl/2.8.0 OpenSSL/0.9.6 configured -- resuming normal operations
[Tue Sep 24 04:23:33 2002] [error] mod_ssl: SSL handshake failed (server www.surrogacy.com:443, client 217.35.32.244) (OpenSSL library error follows)
[Tue Sep 24 04:23:33 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
--snap------------------------------------------------------------

(an excerpt, extracted with grep, but otherwise unmangled.)

I don't see any suspicious-looking processes, network activity, or
files in /tmp.

(yes, I'm typing this while compiling the newest version of OpenSSL
with the bugfixes.)

On a different machine (GNU/Linux (RedHat Linux 7.2 with minor
modifications) on Intel Pentium 4, Apache/1.3.20 with
mod_python/2.7.6, Python/1.5.2, mod_ssl/2.8.4, OpenSSL/0.9.6b,
mod_perl/1.24_01) I see

--snip------------------------------------------------------------
[Mon Sep 23 02:46:50 2002] [error] mod_ssl: SSL handshake failed (server rimmon.cisto.com:443, client 199.203.55.64) (OpenSSL library error follows)
[Mon Sep 23 02:46:50 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
--snap------------------------------------------------------------

Also there was a very obvious highly suspicious process:

$ ps auxww|grep 11345
apache   11345  0.0  0.0  1476    4 ?        S    Sep23   0:00 ./Zatron

According to strace it was just waiting for input on file descriptor 6.

I did not find any files in /tmp, nor any file with name "Zatron"
anywhere in the filesystem.  fuser reports nothing concerning the
UDP ports that are known for Slapper worm activity.

Greetings, Norbert.

-- 
Founder & Steering Committee member of http://gnu.org/projects/dotgnu/
Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
Tel +41 1 972 20 59        Fax +41 1 972 20 69       http://norbert.ch
List hosting with GNU Mailman on your own domain name http://cisto.com
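The handshake-failure signature quoted in the post (a mod_ssl failure line followed by an OpenSSL line with reason code 1406908F) lends itself to a simple log check. The following is an added example, not part of the original post or of Apache/mod_ssl: it pairs each failure line with the OpenSSL reason line that follows it and counts, per client address, the ones carrying that code. The sample log is constructed with documentation addresses; the www.example.com server name and the benign "no shared cipher" line are assumptions.

```python
import re
from collections import Counter

# Patterns for the two Apache 1.3 / mod_ssl error_log lines quoted in the post.
HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[\d.]+)\)"
)
OPENSSL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<reason>.+)$"
)
# Reason code seen on both of the post's machines; this is the indicator we count.
SLAPPER_CODE = "1406908F"

# Constructed sample (RFC 5737 documentation addresses), shaped like the post's excerpts.
SAMPLE_LOG = """\
[Sun Sep 22 12:03:46 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sun Sep 22 12:03:46 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Sun Sep 22 13:10:02 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 198.51.100.7) (OpenSSL library error follows)
[Sun Sep 22 13:10:02 2002] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
[Mon Sep 23 04:02:21 2002] [notice] Apache/1.3.17 (Unix) mod_ssl/2.8.0 OpenSSL/0.9.6 configured -- resuming normal operations
[Mon Sep 23 04:31:40 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Mon Sep 23 04:31:40 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
"""

def parse_ssl_failures(lines):
    """Pair each mod_ssl handshake-failure line with the OpenSSL error line that
    follows it (same timestamp). Returns dicts with ts/server/client/code/reason."""
    events, pending = [], None
    for line in lines:
        m = HANDSHAKE_RE.match(line)
        if m:
            pending = m.groupdict()   # wait for the matching OpenSSL line
            continue
        m = OPENSSL_RE.match(line)
        if m and pending and m.group("ts") == pending["ts"]:
            pending.update(code=m.group("code").upper(), reason=m.group("reason"))
            events.append(pending)
            pending = None
    return events

def count_by_client(lines, code=SLAPPER_CODE):
    """Handshake failures carrying the given OpenSSL reason code, per client IP."""
    hits = Counter(ev["client"] for ev in parse_ssl_failures(lines) if ev["code"] == code)
    return dict(hits)

if __name__ == "__main__":
    for ip, n in sorted(count_by_client(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {n} handshake failure(s) with {SLAPPER_CODE}")
```

Feed it the real error_log (e.g. `count_by_client(open("/var/log/httpd/error_log"))`) to get the same per-client tally; a notice line or a failure with another reason code is ignored rather than counted.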

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com