Security Incidents mailing list archives
Re: logfiles of openssl-0.9.6e + GET_CLIENT_HELLO exploit...
From: Chuck Swiger <cswiger () mac com>
Date: Tue, 11 Feb 2003 22:00:01 -0500
root@darks wrote:
> I got them too. I believe they are some sort of httpd version scanner. Most probably trying to look for either IIS unicode attacks or apache ssl hole.
[ ... ]

The latter, agreed. My point was not so much that someone was scanning, or even that a sufficiently old version of apache+openssl is hackable, although both seem to be valid points worth knowing. :-) What seemed to be of more concern to me is that this exploit did not require a lot of failed connection attempts (i.e., to deduce a cryptographic weakness) before the attack succeeded.
If I didn't have a definite time stamp for the problem-- I have virtual_adrian going and a network-based monitoring tool checking every five minutes-- it would have been hard to track down (or even notice) the relevant pieces out of a half-million lines of Apache logfiles.
Anyway, take care,
-Chuck