Re: logfiles of openssl-0.9.6e + GET_CLIENT_HELLO exploit...

["root@darks" <root () darks mine nu>]

i got them too. i belive they are some sort of httpd version scanner. most
probably trying to look for either IIS unicode attacks or apache ssl hole.


----- Original Message -----
From: "Chuck Swiger" <cswiger () mac com>
To: <incidents () securityfocus com>
Sent: Tuesday, February 11, 2003 1:45 AM
Subject: logfiles of openssl-0.9.6e + GET_CLIENT_HELLO exploit...


> Here are the relevant pieces of the Apache logfiles:
>
> access_log:
> 65.211.112.6 - -   [04/Feb/2003:16:17:30 -0500] "GET
> /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
> 217.96.247.140 - - [05/Feb/2003:20:40:47 -0500] "GET /sumthin HTTP/1.0"
> 404 201
> 65.211.112.6 - -   [06/Feb/2003:09:51:08 -0500] "GET
> /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
> 24.52.162.226 - -  [07/Feb/2003:01:46:31 -0500] "GET /sumthin HTTP/1.0"
> 404 201
> 196.41.30.38 - -   [07/Feb/2003:12:37:45 -0500] "GET /sumthin HTTP/1.0"
> 404 201
>
> ssl_request_log:
> [04/Feb/2003:16:17:30 -0500] 65.211.112.6 - - "GET
> /mod_ssl:error:HTTP-request HTTP/1.0" 475
> [06/Feb/2003:09:51:08 -0500] 65.211.112.6 - - "GET
> /mod_ssl:error:HTTP-request HTTP/1.0" 475
>
> error_log:
> [Tue Feb  4 05:01:54 2003] [error] [client 217.235.56.30] File does not
> exist: /opt/apache/htdocs/sumthin
> [Tue Feb  4 16:17:30 2003] [error] mod_ssl: SSL handshake failed: HTTP
> spoken on HTTPS port; trying to send HTML error page (OpenSSL library
> error follows)
> [Tue Feb  4 16:17:30 2003] [error] OpenSSL: error:1407609C:SSL
> routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to
> HTTPS port!?]
> [Wed Feb  5 02:37:29 2003] [error] [client 61.102.208.208] File does not
> exist:/opt/apache/htdocs/sumthin
> [Thu Feb  6 09:51:08 2003] [error] mod_ssl: SSL handshake failed: HTTP
> spoken on HTTPS port; trying to send HTML error page (OpenSSL library
> error follows)
> [Thu Feb  6 09:51:08 2003] [error] OpenSSL: error:1407609C:SSL
> routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to
> HTTPS port!?]
> [Fri Feb  7 01:46:31 2003] [error] [client 24.52.162.226] File does not
> exist: /opt/apache/htdocs/sumthin
> [Fri Feb  7 11:12:30 2003] [error] [client 62.110.124.190] Client sent
> malformed Host header
> [Fri Feb  7 12:37:45 2003] [error] [client 196.41.30.38] File does not
> exist: /opt/apache/htdocs/sumthin
>
> ssl_engine_log:
> [04/Feb/2003 05:01:52 14857] [info]  Connection to child 8 established
> (server xxxxx.com:443, client 217.235.56.30)
> [04/Feb/2003 05:01:52 14857] [info]  Seeding PRNG with 1672 bytes of
entropy
> [04/Feb/2003 05:01:52 14857] [info]  Spurious SSL handshake
> interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [05/Feb/2003 20:41:09 00431] [info]  Connection to child 0 established
> (server xxxxx.com:443, client 217.96.247.140)
> [05/Feb/2003 20:41:09 00431] [info]  Seeding PRNG with 1672 bytes of
entropy
> [05/Feb/2003 20:41:09 00431] [info]  Spurious SSL handshake
> interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [06/Feb/2003 09:51:08 00435] [info]  Connection to child 4 established
> (server xxxxx.com:443, client 65.211.112.6)
> [06/Feb/2003 09:51:08 00435] [info]  Seeding PRNG with 1672 bytes of
entropy
> [06/Feb/2003 09:51:08 00435] [error] SSL handshake failed: HTTP spoken
> on HTTPS port; trying to send HTML error page (OpenSSL library error
> follows)
> [06/Feb/2003 09:51:08 00435] [error] OpenSSL: error:1407609C:SSL
> routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to
> HTTPS port!?]
> [07/Feb/2003 01:46:31 00431] [info]  Connection to child 0 established
> (server xxxxx.com:443, client 24.52.162.226)
> [07/Feb/2003 01:46:31 00431] [info]  Seeding PRNG with 1672 bytes of
entropy
> [07/Feb/2003 01:46:31 00431] [info]  Spurious SSL handshake
> interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [07/Feb/2003 12:37:45 00435] [info]  Connection to child 4 established
> (server xxxxx.com:443, client 196.41.210.22)
> [07/Feb/2003 12:37:45 00435] [info]  Seeding PRNG with 1672 bytes of
entropy
> [07/Feb/2003 12:37:45 00435] [info]  Spurious SSL handshake
> interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [09/Feb/2003 08:32:03 00913] [info]  Connection to child 5 established
> (server xxxxx.com:443, client 210.70.26.71)
> [09/Feb/2003 08:32:04 00913] [info]  Seeding PRNG with 1672 bytes of
entropy
> [09/Feb/2003 08:32:04 00913] [info]  Spurious SSL handshake
> interrupt[Hint: Usually just one of those OpenSSL confusions!?]
>
> Three of the apache child processes became wedged, which alerted a
> monitoring system on Friday (2003/2/7).  It looks like the intruder may
> have gained access as the user apache runs as, and attempted to create
> or look for a file (not successfully).  No other signs of problems;
> server rebuilt 2003/2/9 against apache-1.3.27 + openssl-0.9.7.
>
> -Chuck
>
> PS: The machine has detailed monitoring in place, but even so, this
> incident didn't cause a lot of noise.  Certainly not when compared to
> the logging info generated from ~8000 attempted IIS probes per month....
>
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com