Security Incidents mailing list archives

Re: logfiles of openssl-0.9.6e + GET_CLIENT_HELLO exploit...


From: Chuck Swiger <cswiger () mac com>
Date: Tue, 11 Feb 2003 22:00:01 -0500

root@darks wrote:
I got them too. I believe they are some sort of httpd version scanner. Most
probably trying to look for either IIS unicode attacks or apache ssl hole.
[ ... ]

The latter, agreed. My point was not so much that someone was scanning, or even that a sufficiently old version of apache+openssl is hackable, although both seem to be valid points worth knowing. :-) What seemed to be of more concern to me is that this exploit did not require a lot of failed connection attempts (i.e., to deduce a cryptographic weakness) before the attack succeeded.

If I didn't have a definite time stamp for the problem-- I have virtual_adrian going and a network-based monitoring tool checking every five minutes-- it would have been hard to track down (or even notice) the relevant pieces out of a half-million lines of Apache logfiles.

Anyway, take care,
-Chuck

