logfiles of openssl-0.9.6e + GET_CLIENT_HELLO exploit... Here are the relevant pieces of the Apache logfiles:
access_log:
65.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
217.96.247.140 - - [05/Feb/2003:20:40:47 -0500] "GET /sumthin HTTP/1.0" 404 201
65.211.112.6 - - [06/Feb/2003:09:51:08 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
24.52.162.226 - - [07/Feb/2003:01:46:31 -0500] "GET /sumthin HTTP/1.0" 404 201
196.41.30.38 - - [07/Feb/2003:12:37:45 -0500] "GET /sumthin HTTP/1.0" 404 201
ssl_request_log:
[04/Feb/2003:16:17:30 -0500] 65.211.112.6 - - "GET /mod_ssl:error:HTTP-request HTTP/1.0" 475
[06/Feb/2003:09:51:08 -0500] 65.211.112.6 - - "GET /mod_ssl:error:HTTP-request HTTP/1.0" 475
error_log:
[Tue Feb 4 05:01:54 2003] [error] [client 217.235.56.30] File does not exist: /opt/apache/htdocs/sumthin
[Tue Feb 4 16:17:30 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Tue Feb 4 16:17:30 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[Wed Feb 5 02:37:29 2003] [error] [client 61.102.208.208] File does not exist: /opt/apache/htdocs/sumthin
[Thu Feb 6 09:51:08 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Thu Feb 6 09:51:08 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[Fri Feb 7 01:46:31 2003] [error] [client 24.52.162.226] File does not exist: /opt/apache/htdocs/sumthin
[Fri Feb 7 11:12:30 2003] [error] [client 62.110.124.190] Client sent malformed Host header
[Fri Feb 7 12:37:45 2003] [error] [client 196.41.30.38] File does not exist: /opt/apache/htdocs/sumthin
ssl_engine_log:
[04/Feb/2003 05:01:52 14857] [info] Connection to child 8 established (server xxxxx.com:443, client 217.235.56.30)
[04/Feb/2003 05:01:52 14857] [info] Seeding PRNG with 1672 bytes of entropy
[04/Feb/2003 05:01:52 14857] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[05/Feb/2003 20:41:09 00431] [info] Connection to child 0 established (server xxxxx.com:443, client 217.96.247.140)
[05/Feb/2003 20:41:09 00431] [info] Seeding PRNG with 1672 bytes of entropy
[05/Feb/2003 20:41:09 00431] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[06/Feb/2003 09:51:08 00435] [info] Connection to child 4 established (server xxxxx.com:443, client 65.211.112.6)
[06/Feb/2003 09:51:08 00435] [info] Seeding PRNG with 1672 bytes of entropy
[06/Feb/2003 09:51:08 00435] [error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[06/Feb/2003 09:51:08 00435] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[07/Feb/2003 01:46:31 00431] [info] Connection to child 0 established (server xxxxx.com:443, client 24.52.162.226)
[07/Feb/2003 01:46:31 00431] [info] Seeding PRNG with 1672 bytes of entropy
[07/Feb/2003 01:46:31 00431] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[07/Feb/2003 12:37:45 00435] [info] Connection to child 4 established (server xxxxx.com:443, client 196.41.210.22)
[07/Feb/2003 12:37:45 00435] [info] Seeding PRNG with 1672 bytes of entropy
[07/Feb/2003 12:37:45 00435] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[09/Feb/2003 08:32:03 00913] [info] Connection to child 5 established (server xxxxx.com:443, client 210.70.26.71)
[09/Feb/2003 08:32:04 00913] [info] Seeding PRNG with 1672 bytes of entropy
[09/Feb/2003 08:32:04 00913] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
Three of the apache child processes became wedged, which alerted a
monitoring system on Friday (2003/2/7). It looks like the intruder may
have gained access as the user apache runs as, and attempted to create
or look for a file (not successfully). No other signs of problems;
server rebuilt 2003/2/9 against apache-1.3.27 + openssl-0.9.7.
-Chuck
PS: The machine has detailed monitoring in place, but even so, this
incident didn't cause a lot of noise. Certainly not when compared to
the logging info generated from ~8000 attempted IIS probes per month....
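A small triage script for the two log shapes quoted in the post, added here as an example (it is not part of Chuck's message). The sample lines are constructed in the same format as the post's access_log and error_log entries, and the tag names and the "two or more HTTP-on-HTTPS errors from one client" threshold are my own choices.

```python
import re
from collections import defaultdict
# Constructed sample lines in the shape of the post's access_log and error_log
# (not real traffic); the last access line is benign, for contrast.
ACCESS_LOG = """\
65.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
217.96.247.140 - - [05/Feb/2003:20:40:47 -0500] "GET /sumthin HTTP/1.0" 404 201
65.211.112.6 - - [06/Feb/2003:09:51:08 -0500] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 475
10.0.0.5 - - [06/Feb/2003:10:00:00 -0500] "GET /index.html HTTP/1.0" 200 1234
"""
ERROR_LOG = """\
[Tue Feb  4 16:17:30 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[Fri Feb  7 01:46:31 2003] [error] [client 24.52.162.226] File does not exist: /opt/apache/htdocs/sumthin
"""

# Common Log Format: ip ident user [timestamp] "method path proto" status size
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

def classify_access(line):
    """Tag one access_log line, or return None when it is unremarkable."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    path, status = m['path'], int(m['status'])
    # mod_ssl rewrites the URI to /mod_ssl:error:HTTP-request when plain HTTP
    # arrives on the TLS port: the access_log twin of the error_log entries.
    if path.startswith('/mod_ssl:error:') and status == 400:
        return {'ip': m['ip'], 'ts': m['ts'], 'tag': 'http-on-https-port'}
    if path == '/sumthin':
        return {'ip': m['ip'], 'ts': m['ts'], 'tag': 'sumthin-probe'}
    return None

def classify_error(line):
    """Tag one error_log line by the two signatures the post shows."""
    if 'SSL23_GET_CLIENT_HELLO:http request' in line:
        return 'get-client-hello-http'
    if 'File does not exist' in line and line.rstrip().endswith('/sumthin'):
        return 'sumthin-probe'
    return None

def triage(access_text, error_text):
    """Group access hits by client; flag clients with repeated HTTP-on-HTTPS errors."""
    by_ip = defaultdict(list)
    for hit in filter(None, map(classify_access, access_text.splitlines())):
        by_ip[hit['ip']].append(hit['tag'])
    repeat = sorted(ip for ip, tags in by_ip.items() if tags.count('http-on-https-port') >= 2)
    error_tags = list(filter(None, map(classify_error, error_text.splitlines())))
    return {'by_ip': dict(by_ip), 'error_tags': error_tags, 'repeat_offenders': repeat}
```

Run on the constructed input, `triage(ACCESS_LOG, ERROR_LOG)` singles out 65.211.112.6 as the client behind both HTTP-on-HTTPS errors, the same host that appears twice in the post's ssl_request_log.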
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Mon Feb 10 23:04:45 2003