Re: /sumthin Revisited

[noconflic <nocon () texas-shooters com>]

[mike () procinct com] Tue, Jan 07, 2003 at 03:01:10PM -0800 wrote:
> At 1/7/2003 02:12 PM, Sverre H. Huseby wrote:
>
> > I'm adding some info to my previous reply:
> >
> > I queried the Server header of the 30 different IPs (only two have
> > visited me twice) that have sumthin'ed me since 2002-10-12.  21 of
> > them replied as follows, the rest didn't respond:
>
> Based on the information supplied in the headers below, it looks to me like 
> it's likely a variation of the slapper worm that has infected a number of 
> Apache systems that 1) use an older version of OpenSSL and 2) announce it 
> in the HTTP server header.  If you have a vulnerable Apache server running 
> OpenSSL with port 443 accessible, you'd likely see a subsequent connection 
> to the SSL server (and you may already be infected).
>
> This modified worm likely uses the GET /sumthin request to see the server 
> header response from the web server and then attacks those web servers that 
> appear vulnerable.
>
> > Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 
> > OpenSSL/0.9.6 PHP/4.0.4pl1
> > Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 
> > OpenSSL/0.9.6b PHP/4.0.6
> > Apache-AdvancedExtranetServer/1.3.22 (Mandrake Linux/10.2mdk) 
> > mod_ssl/2.8.5 OpenSSL/0.9.6b PHP/4.0.6
> > Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) tomcat/1.0 
> > mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2 mod_jk/1.1.0
> > Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a 
> > DAV/1.0.1 PHP/4.0.1pl2 mod_perl/1.24
> > Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a 
> > PHP/4.0.1pl2 mod_perl/1.24
> > Apache/1.3.14 (Unix)  (Red-Hat/Linux) mod_ssl/2.7.1 OpenSSL/0.9.5a 
> > PHP/4.0.4pl1 mod_perl/1.24
> > Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 
> > DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
> > Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 
> > DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
> > Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 
> > DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
> > Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 
> > DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
> > Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b 
> > DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
> > Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b 
> > DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
> > Apache/1.3.22 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b 
> > DAV/1.0.2 PHP/4.1.2 mod_perl/1.24_01
> > Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 
> > mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 
> > mod_throttle/3.1.2
> > Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 
> > mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 
> > mod_throttle/3.1.2
> > Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b 
> > DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
> > Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b 
> > DAV/1.0.3 PHP/4.1.2 mod_perl/1.26

   I would have to agree, breifly looking through my logs, IP's attempting
connetions to 443 (ssl not running on my host) most are running vulnerable 
versions of apache/ssl.

[...]

Trying 217.230.102.xxx...
Connected to 217.230.102.xxx.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 08 Jan 2003 06:52:30 GMT
Server: Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01

[...]

- nocon 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com