On Tue, Sep 17, 2002 at 01:30:01PM -0500, David Dyer-Bennet wrote:
> Jay Austad <austad at signal15.com> writes:
>
>> I don't think you'll see anything in the logs, as the exploit is
>> actually in the SSL negotiation phase, before the time that anything
>> would make an http request. Since apache doesn't log just connection
>> attempts, you won't see it. If you turned on some debugging
>> somewhere, you might see traces of it. It's possible that something
>> like snort would not be able to see it either, because the exploit may
>> take place after a secure session is set up. I'm not sure at what
>> point of the ssl negotiation that the exploit actually takes place.
>
> As I read the advisory, there's an initial probe where what it's
> really looking for is configuration info, which logs a specific
> request.

You will see stuff in your logs. Or at least I did :(.

I had a box running an older version of openssl and apache-ssl (I know I know I know.... I have already spanked myself... and upgraded). I started noticing a serious lag on Friday 13 night. My ISP was having some ATM link issues so I just attributed it to that. Well...

The "program" is a very noisy one. It typically uses port 2002/udp to do its dirty work. netstat -l did not show traffic on that port, but when I fired up ettercap, the real story was evident. I saw tons of IPs that the program was trying to connect to on port 2002. Even if you clean up your box, you are still in the "infected" database. So, the other p2p clients will try to connect to you. The author can execute code on any of the clients on the p2p network; however, I have not seen nor heard of this byproduct being a common practice at this point.

http://www.f-secure.com/slapper has some stats and whatnot of the worm (worth a read).

I have a tarball including the source/binary/and various logs of the event. You are welcome to see what I found if you think it will help you further your prevention/understanding of the worm.

http://Spencer.Underground.Tclug.org/hacked.tar

Simple prevention:
1) Don't run apache-ssl if you don't n
2) keep your openssl (and all your security pkg's) up to date [varies from distro to distro but anything before 0.9.6e is vulnerable (0.9.6g is current)]
3) block ports 2000-2002/udp <--- not completely necessary if you do 1 & 2
4) subscribe to the cert mailing list and your distro-security list

I hope this info will help someone somewhere sometime.

--
--*--SpencerUnderground--*--
http://autonomous.tv/
spencer at autonomous.tv
Key fingerprint = 173B 8760 E59F DBF8 6FD2 68F8 ABA2 AB08 49C7 4754
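The two defensive checks the post describes (is the installed openssl older than the 0.9.6e fix, and is the host talking to many peers on UDP 2002) as a small POSIX shell script. This is an added example, not code from the post, the worm or the TCLUG list; the 0.9.6e threshold and the 2000-2002/udp block are taken from the post, while the tcpdump-style capture lines are constructed sample input, not a real trace, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the 0.9.x
# "number plus letter" version scheme (0.9.6, 0.9.6a ... 0.9.6g) and
# tcpdump-style UDP lines of the form
#   HH:MM:SS.us IP src.port > dst.port: UDP, length N

# version_key VERSION -> integer that sorts like the openssl version string.
# Letter suffix ranks a=1, b=2 ...; no suffix ranks 0 (0.9.6 < 0.9.6a).
version_key() {
    ver=$1
    num=${ver%%[a-z]*}          # numeric part, e.g. 0.9.6
    letter=${ver#"$num"}        # letter part, e.g. e (may be empty)
    case $letter in
        "") rank=0 ;;
        *)  rank=$(( $(printf '%d' "'$letter") - 96 )) ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $num                 # split major, minor, patch on '.'
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + rank ))
}

# Threshold from the post: anything before 0.9.6e is vulnerable.
FIXED_KEY=$(version_key 0.9.6e)

# openssl_vulnerable VERSION -> exit 0 (true) if VERSION is older than 0.9.6e
openssl_vulnerable() {
    [ "$(version_key "$1")" -lt "$FIXED_KEY" ]
}

# Constructed sample capture (not a real trace): three datagrams to port
# 2002 on two distinct hosts, plus one unrelated DNS query.
SAMPLE_CAPTURE='12:00:01.000000 IP 192.0.2.10.2002 > 198.51.100.7.2002: UDP, length 60
12:00:01.100000 IP 192.0.2.10.2002 > 203.0.113.9.2002: UDP, length 60
12:00:01.200000 IP 192.0.2.10.34567 > 192.0.2.1.53: UDP, length 40
12:00:01.300000 IP 192.0.2.10.2002 > 198.51.100.7.2002: UDP, length 60'

# count_p2p_peers: read capture lines on stdin, print the number of distinct
# destination hosts contacted on UDP port 2002 (the post's "tons of IPs").
count_p2p_peers() {
    awk '$2 == "IP" && $5 ~ /\.2002:$/ { sub(/\.2002:$/, "", $5); peers[$5] = 1 }
         END { n = 0; for (p in peers) n++; print n }'
}

# slapper_block_rules: print (do not apply) the iptables rules matching
# the post's advice to block 2000-2002/udp, so an admin can review them.
slapper_block_rules() {
    printf '%s\n' \
        'iptables -A INPUT  -p udp --dport 2000:2002 -j DROP' \
        'iptables -A OUTPUT -p udp --dport 2000:2002 -j DROP'
}

# Stand-alone run: check a version string and the sample capture.
if [ "${1:-}" != "--no-demo" ]; then
    for v in 0.9.6d 0.9.6e 0.9.6g; do
        if openssl_vulnerable "$v"; then echo "$v: vulnerable"; else echo "$v: ok"; fi
    done
    echo "distinct UDP/2002 peers in sample: $(printf '%s\n' "$SAMPLE_CAPTURE" | count_p2p_peers)"
    slapper_block_rules
fi
```

Run it with `openssl version` to feed a real version string into `openssl_vulnerable`, and pipe `tcpdump -n udp port 2002` output into `count_p2p_peers`; a steadily growing peer count after cleanup is the "still in the infected database" effect the post describes.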