[lug] openssl vulnerability

j davis davis_compz at hotmail.com
Sun Sep 22 09:50:58 MDT 2002


I added these rules for the SSL vuln... This is based on the rules
posted at snort.org to pick up connections to the uploaded C-code DoS
client.

jd

/sbin/iptables -A INPUT -i eth0 -p udp --dport 2002 -j LOG --log-prefix="SSL VULN:"
/sbin/iptables -A INPUT -i eth0 -p udp --sport 2002 -j LOG --log-prefix="SSL VULN:"
/sbin/iptables -A INPUT -i eth0 -p udp --dport 2002 -j DROP
/sbin/iptables -A INPUT -i eth0 -p udp --sport 2002 -j DROP

/sbin/iptables -A FORWARD -i eth1 -p udp --dport 2002 -j LOG --log-prefix="SSL VULN:"
/sbin/iptables -A FORWARD -i eth1 -p udp --sport 2002 -j LOG --log-prefix="SSL VULN:"
/sbin/iptables -A FORWARD -o eth0 -p udp --dport 2002 -j LOG --log-prefix="SSL VULN OUT:"
/sbin/iptables -A FORWARD -o eth0 -p udp --sport 2002 -j LOG --log-prefix="SSL VULN OUT:"
/sbin/iptables -A FORWARD -i eth1 -p udp --dport 2002 -j DROP
/sbin/iptables -A FORWARD -i eth1 -p udp --sport 2002 -j DROP
/sbin/iptables -A FORWARD -o eth0 -p udp --dport 2002 -j DROP
/sbin/iptables -A FORWARD -o eth0 -p udp --sport 2002 -j DROP

>From: "D. Stimits" <stimits at attbi.com>
>Reply-To: lug at lug.boulder.co.us
>To: BLUG <lug at lug.boulder.co.us>
>Subject: [lug] openssl vulnerability
>Date: Sat, 21 Sep 2002 10:06:04 -0600
>
>Just thought I'd pass something along that I've seen some notice of lately. 
>There is a vulnerability in non-upgraded openssl packages, which is not 
>really news. However, there were a couple of interesting points I found 
>that might be useful. One is that "ELF_SLAPPER.A" seems to have as its 
>purpose distributed DoS. Second, the file ".bugtraq.c" will be found in /tmp/ 
>if the worm is on the system. Third, it only has the privileges of the 
>Apache user. Fourth, and the part which might be most interesting, is that 
>the worm first uses an invalid GET request on port 80 to determine if this 
>is an Apache machine; then it hits port 443 to do what it does. If you see 
>logs of someone hitting port 80 with an erroneous GET request, then port 
>443 immediately after, probably you are being tested for attack. Also, I 
>recall seeing somewhere a claim that disabling SSL2 would solve this, but 
>it seems that SSL3 has a slightly different means of attacking (all of 
>course on outdated openssl).
>
>D. Stimits, stimits AT attbi.com
>
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug


thanks,
jd

jd at taproot.bz           |  "MORE INPUT!"  |
http://www.taproot.bz   |    Johnny 5     |

-Dope smokers make the net go round-
             Me  (early 96 while gigglie from
                      ratstafarian blend)
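The rules above only log and drop; someone still has to read what the LOG target writes to syslog. Below is an added example (not part of jd's post or the Snort rules it was derived from) that parses kernel log lines carrying the "SSL VULN:" and "SSL VULN OUT:" prefixes from those rules, counts inbound sources per address, and lists internal hosts seen sending on UDP 2002 through the FORWARD -o eth0 rule, which is the case worth acting on first since it suggests a host on the inside is already talking to the DDoS network. The log lines, hostname "gw" and the addresses are constructed samples. One caveat the sample lines reflect: the LOG target prints the prefix immediately before "IN=", so a prefix without a trailing space produces "SSL VULN:IN=eth0 ..."; the parser accepts either form.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the mailing-list post), in the
# shape netfilter's LOG target produces for the rules above. The last line
# has no prefix and is there to show that unrelated LOG output is skipped.
SAMPLE_LOG = """\
Sep 22 10:01:12 gw kernel: SSL VULN:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=40
Sep 22 10:01:13 gw kernel: SSL VULN:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=40
Sep 22 10:02:40 gw kernel: SSL VULN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=41234 DPT=2002 LEN=40
Sep 22 10:03:05 gw kernel: SSL VULN OUT:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=40
Sep 22 10:03:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=5555 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", optional printk timestamp, our prefix,
# optional space, then the netfilter key=value fields starting at IN=
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>SSL VULN(?: OUT)?:) ?(?P<fields>IN=.*)$"
)
# key=value tokens; bare flags such as DF or SYN are deliberately ignored
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one prefixed LOG line, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        # "SSL VULN OUT:" is only set by the FORWARD -o eth0 rules, i.e.
        # traffic leaving towards the outside world
        "direction": "out" if m.group("prefix") == "SSL VULN OUT:" else "in",
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if fields.get("SPT") else None,
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def parse_log(text):
    """Parse every line of a syslog excerpt, keeping only matching events."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Count events per source address, split by direction."""
    inbound = Counter(e["src"] for e in events if e["direction"] == "in")
    outbound = Counter(e["src"] for e in events if e["direction"] == "out")
    return {"inbound": inbound, "outbound": outbound}


def suspect_internal_hosts(events):
    """Sources seen in the OUT direction: internal hosts to inspect for /tmp/.bugtraq.c."""
    return sorted({e["src"] for e in events if e["direction"] == "out"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    summary = summarize(evs)
    print("inbound hits by source:")
    for src, n in summary["inbound"].most_common():
        print(f"  {src:<16} {n}")
    print("internal hosts sending on UDP 2002:", suspect_internal_hosts(evs))
```

Feed it the real thing with something like `grep 'SSL VULN' /var/log/messages` piped into `parse_log`; the `suspect_internal_hosts` list is the one to check against the /tmp/.bugtraq.c indicator from the quoted message.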

