Re: /sumthin Revisited
From: Michael Katz <mike(at)procinct.com>
Date: Tue Jan 07 2003 - 18:01:10 EST

At 1/7/2003 02:12 PM, Sverre H. Huseby wrote:
>I'm adding some info to my previous reply:

Based on the information supplied in the headers below, it looks to me like it's likely a variation of the slapper worm that has infected a number of Apache systems that 1) use an older version of OpenSSL and 2) announce it in the HTTP server header. If you have a vulnerable Apache server running OpenSSL with port 443 accessible, you'd likely see a subsequent connection to the SSL server (and you may already be infected). This modified worm likely uses the GET /sumthin request to see the server header response from the web server and then attacks those web servers that appear vulnerable.

>Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2

Michael Katz

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Tue Jan 7 18:42:21 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT
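
Added example, not part of the original post or the list archive: the triage the reply above points to (a GET /sumthin probe followed by a connection to the SSL port from the same source, plus a check of whether the Server header names mod_ssl or OpenSSL), run over constructed log lines. The Apache common-log format, the five-minute window and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the original post): Apache common-log
# lines from the port-80 and port-443 hosts of one server.
HTTP_LOG = """\
192.0.2.10 - - [07/Jan/2003:14:02:11 -0500] "GET /sumthin HTTP/1.0" 404 283
198.51.100.7 - - [07/Jan/2003:14:03:40 -0500] "GET /index.html HTTP/1.0" 200 1024
203.0.113.5 - - [07/Jan/2003:14:05:02 -0500] "GET /sumthin HTTP/1.0" 404 283
"""
SSL_LOG = """\
192.0.2.10 - - [07/Jan/2003:14:02:13 -0500] "-" 400 -
198.51.100.7 - - [07/Jan/2003:14:04:00 -0500] "GET /login HTTP/1.0" 200 512
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def parse(log):
    """Yield (client_ip, timestamp, request_line) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, m.group(3)

def triage(http_log, ssl_log, window=timedelta(minutes=5)):
    """Map each /sumthin prober to True if it also hit port 443 within
    `window` after the probe (window length is an assumption)."""
    ssl_hits = list(parse(ssl_log))
    result = {}
    for ip, ts, req in parse(http_log):
        parts = req.split()
        if len(parts) >= 2 and parts[0] == "GET" and parts[1] == "/sumthin":
            followed = any(s_ip == ip and ts <= s_ts <= ts + window
                           for s_ip, s_ts, _ in ssl_hits)
            result[ip] = result.get(ip, False) or followed
    return result

def banner_discloses_ssl(server_header):
    """True if the Server header names mod_ssl or OpenSSL with a version,
    which is the information such a probe reads from the response."""
    return bool(re.search(r'\b(mod_ssl|OpenSSL)/[\w.]+', server_header, re.I))

if __name__ == "__main__":
    for ip, followed in triage(HTTP_LOG, SSL_LOG).items():
        print(ip, "probe + SSL follow-up: check host" if followed else "probe only")
```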