AL-2002.11 -- Apache/mod_ssl Worm

Date: 14 September 2002
References: ESB-2002.506  ESB-2002.508  


CORRECTION - Some web links in e-mail that were meant to be for the AusCERT Training course "Windows Intrusion Prevention Workshop" were accidentally mistyped and directed here.
The correct URL is http://www.auscert.org.au/2408. We apologise for any inconvenience this may have caused.

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2002.11 -- AUSCERT ALERT
                            Apache/mod_ssl Worm
                             14 September 2002

===========================================================================

PROBLEM:  

	A worm in the wild is currently exploiting Apache web servers using
	the OpenSSL vulnerability described in AusCERT Advisory AA-2002.06.
	The worm, referred to as the Apache/mod_ssl worm or the
	Linux.Slapper.Worm, is currently exploiting Linux hosts on Intel
	i386 architecture; however, the worm has the potential to affect any
	platform utilising the vulnerable version of OpenSSL.

	This worm is different from the Apache Worm described in AusCERT
	Alert AL-2002.06.

	No attacks against Australian web servers have been reported to
	AusCERT at this time; however, exploits are being reported overseas
	and Australian IP addresses are listed as targets in the source
	code, so it is possible that Australian hosts may already be
	compromised.

	AusCERT recommends that members follow the steps under "MITIGATION"
	below as soon as possible.

PLATFORM: 
	
	While Linux hosts running Apache are currently being targeted by
	the worm, any host running OpenSSL 0.9.6d or earlier (including
	pre-release 0.9.7-beta2 or earlier) is vulnerable to the buffer
	overflows in OpenSSL.

IMPACT:   

	A partial list of impacts from this worm is:

	o Execute arbitrary code on the host

	o Execute denial of service attacks using TCP or UDP

	o Execute denial of service attacks using DNS

DETAILS:

	At this time, it appears that the Apache/mod_ssl worm exploits the
	buffer overflow in SSLv2 handshakes discovered in OpenSSL 0.9.6d
	and earlier.

	The worm currently verifies the version of Apache before
	attempting the exploit.  Upon gaining access to the host, it
	creates the file "/tmp/.bugtraq.c" and attempts to compile it
	with gcc.  Once compiled and executed, this program acts as a
	denial of service tool and uses port 2002/udp to send and
	receive instructions for further attacks.

	The existence of the file "/tmp/.bugtraq.c" or the following
	Apache error log entries may indicate a successful compromise:


	[error] [client xx.xx.xx.xx client sent HTTP/2.1 request without
		hostname (see RFC2616 section 14.23): /
	[error] mod_ssl: SSL handshake failed (server xx.xx.xx.xx:443,
		client xx.xx.xx.xx) (OpenSSL library error follows)
	[error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:
		connection id is different
	[error] mod_ssl: SSL handshake timed out (client xx.xx.xx.xx,
		server xx.xx.xx.xx:443)
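	As an added example (not part of the AusCERT alert), the following
	Python script turns the two indicators above into a check a defender
	can run: it scans Apache error_log lines for the four quoted
	fragments, counts matches per client address, and tests for the
	dropper file "/tmp/.bugtraq.c". The sample log excerpt, the host
	name www.example.com and the client address 192.0.2.77 are
	constructed for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Error-log fragments quoted in the alert as possible signs of the worm's
# SSLv2 handshake attempts, keyed by a short name for reporting.
INDICATORS = {
    "http2.1-no-hostname": re.compile(r"client sent HTTP/2\.1 request without hostname"),
    "handshake-failed":    re.compile(r"mod_ssl: SSL handshake failed .*OpenSSL library error follows"),
    "client-finished":     re.compile(r"error:1406908F:SSL routines:GET_CLIENT_FINISHED"),
    "handshake-timeout":   re.compile(r"mod_ssl: SSL handshake timed out"),
}
# Apache 1.3 records the peer as "[client a.b.c.d]" or "(..., client a.b.c.d)".
CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})")
# File the alert says the worm writes before compiling it with gcc.
DROPPER_PATH = "/tmp/.bugtraq.c"

# Constructed sample error_log excerpt (one entry per line, as Apache writes
# them); 192.0.2.77 is a documentation address, www.example.com a placeholder.
SAMPLE_ERROR_LOG = [
    "[Sat Sep 14 03:12:01 2002] [error] [client 192.0.2.77] client sent HTTP/2.1 request without hostname (see RFC2616 section 14.23): /",
    "[Sat Sep 14 03:12:02 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.77) (OpenSSL library error follows)",
    "[Sat Sep 14 03:12:02 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different",
    "[Sat Sep 14 03:12:32 2002] [error] mod_ssl: SSL handshake timed out (client 192.0.2.77, server www.example.com:443)",
    "[Sat Sep 14 03:15:00 2002] [notice] Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d configured -- resuming normal operations",
]


@dataclass
class Hit:
    lineno: int
    indicator: str
    client: Optional[str]   # None when the entry carries no client address
    text: str


def find_indicators(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line that matches any indicator (first match wins)."""
    hits: List[Hit] = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                m = CLIENT_RE.search(line)
                hits.append(Hit(lineno, name, m.group(1) if m else None, line.rstrip()))
                break
    return hits


def hits_per_client(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count indicator lines per client address so a persistent source stands out."""
    counts: Dict[str, int] = {}
    for h in hits:
        if h.client:
            counts[h.client] = counts.get(h.client, 0) + 1
    return counts


def dropper_present(path: str = DROPPER_PATH) -> bool:
    """True if the worm's source file exists on this host."""
    return os.path.exists(path)


def assess(lines: Iterable[str], path: str = DROPPER_PATH) -> str:
    """Combine the file check and the log check into one verdict."""
    hits = find_indicators(lines)
    if dropper_present(path):
        return "compromised: dropper file present"
    if hits:
        return "suspicious: %d matching error-log entries" % len(hits)
    return "no indicators found"


if __name__ == "__main__":
    # On a real host: find_indicators(open("/var/log/httpd/error_log"))
    for h in find_indicators(SAMPLE_ERROR_LOG):
        print(f"line {h.lineno}: {h.indicator} from {h.client or 'unknown'}")
    print(hits_per_client(find_indicators(SAMPLE_ERROR_LOG)))
    print(assess(SAMPLE_ERROR_LOG))
```

	The handshake entries are matched on their fixed text rather than the
	whole line, so they also match when the timestamp or address format
	differs; the OpenSSL error line carries no client address, which is
	why it is reported separately from the per-client count.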

MITIGATION: 

	o Upgrade to the latest stable version of OpenSSL, which is
	  0.9.6g as of this writing.

	o If you are unable to upgrade OpenSSL, you may wish to consider
	  disabling SSLv2 or all SSL functionality in Apache.  Before
	  disabling SSL services, carefully consider the impact this may
	  have on your service requirements.  Note that some older web
	  browsers may require SSLv2.

	  Disabling SSLv2 can be done by adding or modifying the following
	  lines in the Apache configuration file (commonly httpd.conf):

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2

	  Note that the only change required for SSLCipherSuite is -SSLv2.

	o Modify the Apache configuration to limit the amount of server
	  information displayed.  Using the following line will prevent
	  Apache from displaying the version number:

		ServerTokens ProductOnly

	o Monitor your network for traffic on port 2002/udp, which may
	  indicate a compromised host.
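	As an added example (not from the alert), the following Python
	script checks the configuration steps above against an httpd.conf
	fragment, showing a weak fragment beside the hardened one, and
	encodes the version rule stated under PLATFORM and MITIGATION
	(0.9.6d or earlier and 0.9.7 pre-releases up to beta2 are
	vulnerable; 0.9.6g is the current fix). The two fragments and the
	"openssl version" banner are constructed; the parser is an
	assumption that only tracks global-scope directives, not those
	inside <VirtualHost> or other containers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a default-style mod_ssl 2.8 fragment that still
# allows SSLv2 and advertises the full server banner.
WEAK_CONF = """\
ServerTokens Full
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""

# Constructed sample: the same fragment with the alert's recommended lines.
HARDENED_CONF = """\
ServerTokens ProductOnly
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
"""


def parse_directives(text: str) -> Dict[str, str]:
    """Last value seen for each directive, global scope only (assumption:
    section containers such as <VirtualHost> are skipped, not tracked)."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return directives


def sslv2_enabled(protocol_value: str) -> bool:
    """Apply SSLProtocol tokens in order: a bare token sets the protocol
    set, '+' adds to it, '-' removes from it; 'all' covers SSLv2."""
    enabled = False
    for tok in protocol_value.split():
        t = tok.lower()
        sign, name = (t[0], t[1:]) if t[0] in "+-" else ("", t)
        covers = name in ("all", "sslv2")
        if sign == "+":
            enabled = enabled or covers
        elif sign == "-":
            enabled = enabled and not covers
        else:
            enabled = covers
    return enabled


def audit_config(text: str) -> List[str]:
    """Return one finding per mitigation from the alert that is not applied.
    Missing directives are judged by mod_ssl/Apache defaults (all, Full)."""
    d = parse_directives(text)
    findings: List[str] = []
    if sslv2_enabled(d.get("sslprotocol", "all")):
        findings.append("SSLProtocol still enables SSLv2; use 'SSLProtocol all -SSLv2'")
    ciphers = d.get("sslciphersuite", "").lower().split(":")
    if not any(c in ("-sslv2", "!sslv2") for c in ciphers):
        findings.append("SSLCipherSuite does not exclude SSLv2 ciphers; add -SSLv2")
    if d.get("servertokens", "full").lower() != "productonly":
        findings.append("ServerTokens is not ProductOnly; the version number is advertised")
    return findings


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")
FINAL = 10**6  # sorts a final release after every beta of the same number


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key for OpenSSL versions such as 0.9.6d or 0.9.7-beta2."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, patch, letter, beta = m.groups()
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    beta_rank = int(beta) if beta else FINAL
    return (int(major), int(minor), int(patch), beta_rank, letter_rank)


def version_from_banner(banner: str) -> str:
    """Extract the version from 'openssl version' output, e.g. 'OpenSSL 0.9.6g 9 Aug 2002'."""
    m = re.search(r"OpenSSL (\S+)", banner)
    if not m:
        raise ValueError("no OpenSSL version in banner: %r" % banner)
    return m.group(1)


def openssl_is_vulnerable(version: str) -> bool:
    """The alert's rule: 0.9.6d or earlier, or a 0.9.7 pre-release up to beta2."""
    key = version_key(version)
    if key <= version_key("0.9.6d"):
        return True
    return key[:3] == (0, 9, 7) and key[3] <= 2


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_config(conf) or "no findings")
    banner = "OpenSSL 0.9.6g 9 Aug 2002"  # constructed sample banner
    print(banner, "vulnerable" if openssl_is_vulnerable(version_from_banner(banner)) else "fixed")
```

	The SSLProtocol check replays the tokens in order because the
	meaning of -SSLv2 depends on what precedes it; a fragment that sets
	only SSLv3 is treated as disabling SSLv2, while an absent directive
	falls back to the mod_ssl default of all protocols.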

REFERENCES:

	Symantec Security Response
	http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html

	mod_ssl Documentation - HowTo
	http://www.modssl.org/docs/2.8/ssl_howto.html

	AusCERT Advisory AA-2002.06 - OpenSSL Vulnerabilities
	http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.06.txt

	CERT Advisory CA-2002-23 - Multiple Vulnerabilities In OpenSSL
	http://www.cert.org/advisories/CA-2002-23.html

	AusCERT Alert AL-2002.06 - Apache Worm
	http://www.auscert.org.au/Information/Advisories/advisory/AL-2002.06.txt


	AusCERT will continue to monitor this issue, and provide more
	information as it becomes available.

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.
	
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPYNtIyh9+71yA2DNAQHZCQQAguYVKcWQe2pIyTLzX9PQcj8doUC6lYRD
VjEQQ5eC88CxuOg1n8IKlgEAdkeSS4J6jJHcfpfc0VMkowAlpDeWL0clG2yrRjS0
v51ZM7cmLBD4gWFNwPyEfpePk/6SqW+mc4bTsdpuio4Jz1PAQQg//cR6Te7COcAA
4+XNyjlMv5w=
=75Pk
-----END PGP SIGNATURE-----

This Alert was made available to non-members on 10 October 2002.