Security Incidents mailing list archives

Re: logfiles of openssl-0.9.6e + GET_CLIENT_HELLO exploit...


From: Richard Rager <kb8rln () PENGUINMASTER COM>
Date: Tue, 11 Feb 2003 11:46:29 -0700 (MST)

On Mon, 10 Feb 2003, Chuck Swiger wrote:


I have the same thing.  On my server, here are the logs:


200.14.205.202 - - [13/Jan/2003:17:41:25 -0700] "GET /sumthin HTTP/1.0" 404 273
200.14.205.202 - - [13/Jan/2003:19:43:39 -0700] "GET /sumthin HTTP/1.0" 404 273
168.172.1.253 - - [14/Jan/2003:07:29:48 -0700] "GET /sumthin HTTP/1.0" 404 273
168.172.1.253 - - [14/Jan/2003:10:22:26 -0700] "GET /sumthin HTTP/1.0" 404 273
66.92.237.109 - - [15/Jan/2003:09:01:57 -0700] "GET /sumthin HTTP/1.0" 404 273
66.92.237.109 - - [15/Jan/2003:10:55:01 -0700] "GET /sumthin HTTP/1.0" 404 273
63.137.232.127 - - [16/Jan/2003:09:27:40 -0700] "GET /sumthin HTTP/1.0" 404 273
63.137.232.127 - - [16/Jan/2003:11:23:18 -0700] "GET /sumthin HTTP/1.0" 404 273
206.191.114.180 - - [19/Jan/2003:01:56:37 -0700] "GET /sumthin HTTP/1.0" 404 273
206.191.114.180 - - [19/Jan/2003:02:39:36 -0700] "GET /sumthin HTTP/1.0" 404 273
210.60.249.3 - - [23/Jan/2003:00:41:40 -0700] "GET /sumthin HTTP/1.0" 404 273
210.60.249.3 - - [23/Jan/2003:01:18:14 -0700] "GET /sumthin HTTP/1.0" 404 273
80.55.4.238 - - [25/Jan/2003:22:55:53 -0700] "GET /sumthin HTTP/1.0" 404 273
80.55.4.238 - - [26/Jan/2003:00:49:29 -0700] "GET /sumthin HTTP/1.0" 404 273
204.232.9.3 - - [28/Jan/2003:00:24:33 -0700] "GET /sumthin HTTP/1.0" 404 273
204.232.9.3 - - [28/Jan/2003:03:11:21 -0700] "GET /sumthin HTTP/1.0" 404 273
151.8.41.20 - - [28/Jan/2003:03:26:01 -0700] "GET /sumthin HTTP/1.0" 404 273
151.8.41.20 - - [28/Jan/2003:04:02:22 -0700] "GET /sumthin HTTP/1.0" 404 273
203.43.146.4 - - [29/Jan/2003:17:24:28 -0700] "GET /sumthin HTTP/1.0" 404 273
203.43.146.4 - - [29/Jan/2003:19:14:59 -0700] "GET /sumthin HTTP/1.0" 404 273
218.108.39.88 - - [04/Feb/2003:20:53:00 -0700] "GET /sumthin HTTP/1.0"

Here are some other abnormals. Does anyone know what they are trying to do?

24.95.60.115 - - [06/Feb/2003:21:35:37 -0700] "GET /.private.d/log.html HTTP/1.0" 404 285
24.95.60.115 - - [06/Feb/2003:21:43:00 -0700] "GET /.private.d/log.html HTTP/1.0" 404 285
24.95.60.115 - - [06/Feb/2003:21:52:03 -0700] "GET /.private.d/log.html HTTP/1.0" 404 285
24.95.60.115 - - [06/Feb/2003:21:52:06 -0700] "GET /.private.d/log.html HTTP/1.0" 404 285
24.95.60.115 - - [07/Feb/2003:06:34:31 -0700] "GET /.private.d/log.html HTTP/1.0" 404 285
24.95.60.115 - - [07/Feb/2003:07:28:36 -0700] "GET /logs.d/index.html HTTP/1.0" 404 283
24.95.60.115 - - [07/Feb/2003:13:47:59 -0700] "GET /.private.d/log.html HTTP/1.0" 404 285


SSL

[14/Oct/2002 14:12:09 00734] [error] Init: Private key not found (OpenSSL library error follows)
[14/Oct/2002 14:12:09 00734] [error] OpenSSL: error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag
[14/Oct/2002 14:12:09 00734] [error] OpenSSL: error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
[14/Oct/2002 14:12:09 00734] [error] OpenSSL: error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
[14/Oct/2002 14:12:16 00767] [error] Init: Private key not found (OpenSSL library error follows)
[14/Oct/2002 14:12:16 00767] [error] OpenSSL: error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag
[14/Oct/2002 14:12:16 00767] [error] OpenSSL: error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
[14/Oct/2002 14:12:16 00767] [error] OpenSSL: error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
[14/Oct/2002 15:26:21 01058] [error] SSL handshake failed (server prismwireless.net:443, client 61.63.154.42) (OpenSSL library error follows)
[14/Oct/2002 15:26:21 01058] [error] OpenSSL: error:1406B458:lib(20):func(107):reason(1112)



[27/Oct/2002:12:21:09 -0700] 216.98.66.5 - - "GET /mod_ssl:error:HTTP-request HTTP/1.0" 53


Enjoy,

Richard Rager
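One way to triage entries like the ones in this post, as an added example that is not part of the original message: a small Python parser for Apache Common Log Format lines that groups requests for the non-existent paths quoted above by source address and reports how many probes each address sent and over what time span. The sample lines are constructed here (modelled on the post's entries), and PROBE_PATHS is my assumption of which paths to treat as a scanner fingerprint.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache Common Log Format, modelled on the
# entries quoted in the post; the last line is an ordinary request for contrast.
SAMPLE_LOG = """\
200.14.205.202 - - [13/Jan/2003:17:41:25 -0700] "GET /sumthin HTTP/1.0" 404 273
200.14.205.202 - - [13/Jan/2003:19:43:39 -0700] "GET /sumthin HTTP/1.0" 404 273
24.95.60.115 - - [06/Feb/2003:21:35:37 -0700] "GET /.private.d/log.html HTTP/1.0" 404 285
24.95.60.115 - - [07/Feb/2003:07:28:36 -0700] "GET /logs.d/index.html HTTP/1.0" 404 283
10.0.0.5 - - [07/Feb/2003:08:00:00 -0700] "GET /index.html HTTP/1.0" 200 1043
"""

# Assumed fingerprint set: paths from the post that no normal site serves.
PROBE_PATHS = {"/sumthin", "/.private.d/log.html", "/logs.d/index.html"}

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
    r'(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_clf(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_probes(log_text):
    """Group probe requests by source IP: {ip: [(timestamp, path), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and rec["path"] in PROBE_PATHS:
            hits[rec["ip"]].append((rec["ts"], rec["path"]))
    return dict(hits)

def summarize(hits):
    """Per IP: number of probes and minutes between the first and last one."""
    out = {}
    for ip, events in hits.items():
        times = sorted(t for t, _ in events)
        span = (times[-1] - times[0]).total_seconds() / 60
        out[ip] = {"count": len(events), "span_min": round(span, 1)}
    return out
```

Feed it a real access_log with `find_probes(open(path).read())`; addresses that return the same bogus path twice a couple of hours apart, as in the post, stand out immediately.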



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

