[lug] openssl vulnerability

Michael Hirsch mhirsch at nubridges.com
Mon Sep 23 07:23:57 MDT 2002


On Sat, 2002-09-21 at 12:06, D. Stimits wrote:
> Just thought I'd pass something along that I've seen some notice of 
> lately. There is a vulnerability in non-upgraded openssl package, which 
> is not really news. However, there were a couple of interesting points I 
> found that might be useful. One is that "ELF_SLAPPER.A" seems to have as 
> its purpose distributed DoS. Second, file ".bugtraq.c" will be found in 
> /tmp/ if the worm is on the system. Third, it only has the privileges of 
> the Apache user. Fourth, and the part which might be most interesting, 
> is that the worm first uses an invalid GET request on port 80 to 
> determine if this is an Apache machine; then it hits port 443 to do what 
> it does. If you see logs of someone hitting port 80 with an erroneous 
> GET request, then port 443 immediately after, probably you are being 
> tested for attack. Also, I recall seeing somewhere a claim that 
> disabling SSL2 would solve this, but it seems that SSL3 has a slightly 
> different means of attacking (all of course on outdated openssl).

We got hit with this worm last week.  What we've figured out is that 

1. The RedHat updates to modssl seem to fix the vulnerability

2. It is not a very malicious or powerful worm.  It does little harm,
doesn't install any back doors, doesn't restart after a reboot, etc.

3. As root, "touch /tmp/.bugtraq.c" should prevent the infection in the
first place.

4. The previous hint only stops this infection; it by no means closes
the vulnerability.

--Michael
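The two-step probe described in the quoted message (an erroneous GET on port 80, then a hit on port 443 right afterwards) can be picked out of logs mechanically. The following is an added example, not code from either poster; it assumes the bad GET shows up in the Apache access log as a request answered with status 400, and that a separate connection log (a packet filter, for instance) records the port 443 connections. Both log samples are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache access log lines for port 80 (not real traffic). The worm's
# "erroneous GET" is assumed to surface as a request Apache answered with 400.
ACCESS_LOG = """\
10.0.0.5 - - [21/Sep/2002:12:01:03 -0600] "GET / HTTP/1.0" 200 1456
192.0.2.77 - - [21/Sep/2002:12:01:10 -0600] "GET / HTTP/1.1" 400 357
10.0.0.9 - - [21/Sep/2002:12:02:44 -0600] "GET /index.html HTTP/1.0" 200 1456
198.51.100.3 - - [21/Sep/2002:12:05:20 -0600] "GET / HTTP/1.1" 400 357
"""

# Constructed connection log (e.g. from a packet filter): local time, source, dst port.
CONN_LOG = """\
2002-09-21 12:01:04 10.0.0.5 443
2002-09-21 12:01:11 192.0.2.77 443
2002-09-21 12:09:00 198.51.100.3 443
"""

# Common log format: client, ident, user, [timestamp tz], "request", status ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+)[^\]]*\] "([^"]*)" (\d{3})')

def parse_probes(access_log):
    """Yield (source_ip, time) for GET requests that Apache rejected with 400."""
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(4) == "400" and m.group(3).startswith("GET"):
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")

def parse_ssl_hits(conn_log):
    """Yield (source_ip, time) for connections to port 443."""
    for line in conn_log.splitlines():
        date, clock, src, port = line.split()
        if port == "443":
            yield src, datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")

def suspicious_sources(access_log, conn_log, window_seconds=60):
    """Sources whose bad GET on port 80 was followed by a 443 connection within the window."""
    ssl_hits = list(parse_ssl_hits(conn_log))
    flagged = set()
    for ip, t80 in parse_probes(access_log):
        for src, t443 in ssl_hits:
            if src == ip and timedelta(0) <= t443 - t80 <= timedelta(seconds=window_seconds):
                flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_sources(ACCESS_LOG, CONN_LOG))  # → ['192.0.2.77']
```

The second 400 in the sample is not flagged because its 443 connection came minutes later; widen `window_seconds` if your logs show slower scanners.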



