[lug] openssl vulnerability

D. Stimits stimits at attbi.com
Sun Sep 22 13:24:20 MDT 2002


j davis wrote:
> i added these rules for the ssl vuln...this is based on the rules
> posted at snort.org to pick up connections to the uploaded c-code dos 
> client.
> 
> jd
> 
> /sbin/iptables -A INPUT -i eth0 -p udp --dport 2002 -j LOG --log-prefix="SSL VULN:"
> /sbin/iptables -A INPUT -i eth0 -p udp --sport 2002 -j LOG --log-prefix="SSL VULN:"
> /sbin/iptables -A INPUT -i eth0 -p udp --dport 2002 -j DROP
> /sbin/iptables -A INPUT -i eth0 -p udp --sport 2002 -j DROP
> 
> /sbin/iptables -A FORWARD -i eth1 -p udp --dport 2002 -j LOG --log-prefix="SSL VULN:"
> /sbin/iptables -A FORWARD -i eth1 -p udp --sport 2002 -j LOG --log-prefix="SSL VULN:"
> /sbin/iptables -A FORWARD -o eth0 -p udp --dport 2002 -j LOG --log-prefix="SSL VULN OUT:"
> /sbin/iptables -A FORWARD -o eth0 -p udp --sport 2002 -j LOG --log-prefix="SSL VULN OUT:"
> /sbin/iptables -A FORWARD -i eth1 -p udp --dport 2002 -j DROP
> /sbin/iptables -A FORWARD -i eth1 -p udp --sport 2002 -j DROP
> /sbin/iptables -A FORWARD -o eth0 -p udp --dport 2002 -j DROP
> /sbin/iptables -A FORWARD -o eth0 -p udp --sport 2002 -j DROP
> 

I'm curious, why port 2002? Is that something the crackers are known to 
use for a backdoor? I wouldn't think source of 2002 would matter either 
way, but there is no telling what a cracker would want to do without 
seeing their actual code.

D. Stimits, stimits AT attbi.com

PS: I should switch to iptables instead of ipchains, if for no other 
reason than the --log-prefix. My system is entirely cut off from 
incoming, other than auth, so I don't see other advantages in iptables 
over ipchains just to block the world out...but good logging is hard to 
beat.

> 
>> From: "D. Stimits" <stimits at attbi.com>
>> Reply-To: lug at lug.boulder.co.us
>> To: BLUG <lug at lug.boulder.co.us>
>> Subject: [lug] openssl vulnerability
>> Date: Sat, 21 Sep 2002 10:06:04 -0600
>>
>> Just thought I'd pass something along that I've seen some notice of 
>> lately. There is a vulnerability in non-upgraded openssl package, 
>> which is not really news. However, there were a couple of interesting 
>> points I found that might be useful. One is that "ELF_SLAPPER.A" seems 
>> to have as its purpose distributed DoS. Second, file ".bugtraq.c" will 
>> be found in /tmp/ if the worm is on the system. Third, it only has the 
>> privileges of the Apache user. Fourth, and the part which might be 
>> most interesting, is that the worm first uses an invalid GET request 
>> on port 80 to determine if this is an Apache machine; then it hits 
>> port 443 to do what it does. If you see logs of someone hitting port 
>> 80 with an erroneous GET request, then port 443 immediately after, 
>> probably you are being tested for attack. Also, I recall seeing 
>> somewhere a claim that disabling SSL2 would solve this, but it seems 
>> that SSL3 has a slightly different means of attacking (all of course 
>> on outdated openssl).





