Security Incidents mailing list archives

logfiles of openssl-0.9.6e + GET_CLIENT_HELLO exploit...


From: Chuck Swiger <cswiger () mac com>
Date: Mon, 10 Feb 2003 19:45:53 -0500

Here are the relevant pieces of the Apache logfiles:

access_log:
65.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
217.96.247.140 - - [05/Feb/2003:20:40:47 -0500] "GET /sumthin HTTP/1.0" 404 201
65.211.112.6 - - [06/Feb/2003:09:51:08 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
24.52.162.226 - - [07/Feb/2003:01:46:31 -0500] "GET /sumthin HTTP/1.0" 404 201
196.41.30.38 - - [07/Feb/2003:12:37:45 -0500] "GET /sumthin HTTP/1.0" 404 201

ssl_request_log:
[04/Feb/2003:16:17:30 -0500] 65.211.112.6 - - "GET /mod_ssl:error:HTTP-request HTTP/1.0" 475
[06/Feb/2003:09:51:08 -0500] 65.211.112.6 - - "GET /mod_ssl:error:HTTP-request HTTP/1.0" 475

error_log:
[Tue Feb 4 05:01:54 2003] [error] [client 217.235.56.30] File does not exist: /opt/apache/htdocs/sumthin
[Tue Feb 4 16:17:30 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Tue Feb 4 16:17:30 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[Wed Feb 5 02:37:29 2003] [error] [client 61.102.208.208] File does not exist: /opt/apache/htdocs/sumthin
[Thu Feb 6 09:51:08 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Thu Feb 6 09:51:08 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[Fri Feb 7 01:46:31 2003] [error] [client 24.52.162.226] File does not exist: /opt/apache/htdocs/sumthin
[Fri Feb 7 11:12:30 2003] [error] [client 62.110.124.190] Client sent malformed Host header
[Fri Feb 7 12:37:45 2003] [error] [client 196.41.30.38] File does not exist: /opt/apache/htdocs/sumthin

ssl_engine_log:
[04/Feb/2003 05:01:52 14857] [info] Connection to child 8 established (server xxxxx.com:443, client 217.235.56.30)
[04/Feb/2003 05:01:52 14857] [info]  Seeding PRNG with 1672 bytes of entropy
[04/Feb/2003 05:01:52 14857] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[05/Feb/2003 20:41:09 00431] [info] Connection to child 0 established (server xxxxx.com:443, client 217.96.247.140)
[05/Feb/2003 20:41:09 00431] [info]  Seeding PRNG with 1672 bytes of entropy
[05/Feb/2003 20:41:09 00431] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[06/Feb/2003 09:51:08 00435] [info] Connection to child 4 established (server xxxxx.com:443, client 65.211.112.6)
[06/Feb/2003 09:51:08 00435] [info]  Seeding PRNG with 1672 bytes of entropy
[06/Feb/2003 09:51:08 00435] [error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[06/Feb/2003 09:51:08 00435] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[07/Feb/2003 01:46:31 00431] [info] Connection to child 0 established (server xxxxx.com:443, client 24.52.162.226)
[07/Feb/2003 01:46:31 00431] [info]  Seeding PRNG with 1672 bytes of entropy
[07/Feb/2003 01:46:31 00431] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[07/Feb/2003 12:37:45 00435] [info] Connection to child 4 established (server xxxxx.com:443, client 196.41.210.22)
[07/Feb/2003 12:37:45 00435] [info]  Seeding PRNG with 1672 bytes of entropy
[07/Feb/2003 12:37:45 00435] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[09/Feb/2003 08:32:03 00913] [info] Connection to child 5 established (server xxxxx.com:443, client 210.70.26.71)
[09/Feb/2003 08:32:04 00913] [info]  Seeding PRNG with 1672 bytes of entropy
[09/Feb/2003 08:32:04 00913] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]

Three of the apache child processes became wedged, which alerted a monitoring system on Friday (2003/2/7). It looks like the intruder may have gained access as the user apache runs as, and attempted to create or look for a file (not successfully). No other signs of problems; server rebuilt 2003/2/9 against apache-1.3.27 + openssl-0.9.7.

-Chuck

PS: The machine has detailed monitoring in place, but even so, this incident didn't cause a lot of noise. Certainly not when compared to the logging info generated from ~8000 attempted IIS probes per month....
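Added example, not part of Chuck's post: a small detector for the two patterns his logs show, the "GET /mod_ssl:error:HTTP-request" / SSL23_GET_CLIENT_HELLO handshake failures on the HTTPS port and the "GET /sumthin" 404 probes. The sample access_log and error_log lines are constructed in the same Apache 1.3 format as the post, using RFC 5737 documentation addresses rather than the addresses in the post. One practical point it handles: the mod_ssl lines in error_log carry no [client ...] field, so the code attributes them to a source address by matching timestamps against access_log within a short window, which is the same cross-referencing one would otherwise do by hand with ssl_request_log.

```python
"""Flag Apache/mod_ssl log patterns of the kind seen in the incident above.

Added example; ACCESS_LOG and ERROR_LOG are constructed sample lines in the
post's log formats (not the post's real entries), using RFC 5737 addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACCESS_LOG = """\
203.0.113.5 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
198.51.100.7 - - [05/Feb/2003:20:40:47 -0500] "GET /sumthin HTTP/1.0" 404 201
203.0.113.5 - - [06/Feb/2003:09:51:08 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
192.0.2.10 - - [06/Feb/2003:10:00:00 -0500] "GET /index.html HTTP/1.0" 200 1532
"""

ERROR_LOG = """\
[Tue Feb  4 16:17:30 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Tue Feb  4 16:17:30 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[Wed Feb  5 20:40:47 2003] [error] [client 198.51.100.7] File does not exist: /opt/apache/htdocs/sumthin
[Fri Feb  7 11:12:30 2003] [error] [client 192.0.2.44] Client sent malformed Host header
"""

# Common Log Format: ip ident user [ts] "request" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')
# Apache 1.3 error_log: [ts] [level] [client ip] msg   (the [client ...] part is optional)
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<ip>[^\]]+)\] )?(?P<msg>.*)$')


def parse_access(text):
    """access_log lines -> dicts; timestamps made naive (local time) to match error_log."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        out.append({"ip": m["ip"], "ts": ts, "req": m["req"], "status": int(m["status"])})
    return out


def parse_error(text):
    """error_log lines -> dicts; mod_ssl/OpenSSL lines have ip == None."""
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        out.append({"ip": m["ip"], "ts": ts, "msg": m["msg"]})
    return out


def tag_access(e):
    """Indicator for one access_log entry, or None."""
    parts = e["req"].split()
    path = parts[1] if len(parts) > 1 else ""
    if path == "/mod_ssl:error:HTTP-request" and e["status"] == 400:
        return "http_on_https_port"   # plaintext HTTP sent to the SSL listener
    if path == "/sumthin":
        return "sumthin_probe"        # the scanner request seen in the post
    return None


def tag_error(e):
    """Indicator for one error_log entry, or None."""
    if "SSL23_GET_CLIENT_HELLO:http request" in e["msg"]:
        return "http_on_https_port"
    if "File does not exist" in e["msg"] and e["msg"].endswith("/sumthin"):
        return "sumthin_probe"
    if "malformed Host header" in e["msg"]:
        return "malformed_host"
    return None


def summarize(access_text, error_text, window=timedelta(seconds=2)):
    """Map each source IP to the sorted list of indicators it triggered.

    error_log entries with no [client ...] field are attributed to any
    access_log entry whose timestamp lies within `window` of theirs.
    """
    access = parse_access(access_text)
    hits = defaultdict(set)
    for e in access:
        t = tag_access(e)
        if t:
            hits[e["ip"]].add(t)
    for e in parse_error(error_text):
        t = tag_error(e)
        if not t:
            continue
        if e["ip"]:
            hits[e["ip"]].add(t)
            continue
        for a in access:
            if abs(a["ts"] - e["ts"]) <= window:
                hits[a["ip"]].add(t)
    return {ip: sorted(tags) for ip, tags in hits.items()}


if __name__ == "__main__":
    for ip, tags in sorted(summarize(ACCESS_LOG, ERROR_LOG).items()):
        print(ip, ",".join(tags))
```

Run against real files, the same two-second window would also attribute the post's 16:17:30 and 09:51:08 OpenSSL errors to 65.211.112.6 via the matching access_log entries. The ordinary 200 for /index.html is correctly left out of the summary; these indicators only say that something spoke HTTP to port 443 or asked for /sumthin, and confirming whether a child process was actually compromised still needs the process and filesystem checks Chuck describes.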



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
