Re: More /sumthin

From: D.C. van Moolenbroek <dc.van.moolenbroek(at)chello.nl>
Date: Wed Feb 26 2003 - 19:59:08 EST

It's safe to assume that this "./openssl" is the openssl-too-open[1] mod_ssl exploit by Solar Eclipse. The "-a" switch is used to specify a target type. These target types are indeed listed by OS and apache version, not by OpenSSL version, because the exploit needs offset information for the specific target platform, for which the SSL version only is not sufficient. On the other hand, the combination of OS (or actually, distribution) and apache version is usually sufficient to guess the SSL version, although I don't know whether the exploit actually needs the exact SSL version number at all, in order to exploit it successfully.

Anyway, the error text in the handle_timeout() function (I quote, "Fuck it. Next..."), and the fact that stderr is used for output throughout the whole program, suggest that this http version grabber is being used as part of some mass scanner, which of course explains why so many people have seen the /sumthin stuff in their logs.

It looks like a very inefficient tool indeed, as it starts the exploit without doing a simple mod_ssl version check - especially considering the fact that the mentioned exploit opens thirty connections to the target host by default, before even verifying that the target is vulnerable. Note, though, that the exploit terminates immediately if port 443 is not open; also, my guess is that the attacker or masshack program would have mass-synscanned for port 443 before actually trying to use this tool on potential targets.

Regards,

David

[1] http://packetstormsecurity.org/0209-exploits/openssl-too-open.tar.gz
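The post above explains why so many administrators are seeing "/sumthin" entries: a mass scanner is grabbing the HTTP Server banner before handing the host to the exploit. The following is an added example, not code from the thread or from any of its participants, showing how to pull those probes out of an Apache access log and count them per source address. It assumes the scanner requests the literal path "/sumthin" (the thread only says the string shows up in logs) and that the log uses Apache's common or combined format; the sample log lines are constructed, not real traffic.

```python
"""Flag "/sumthin" probe requests in Apache access-log lines.

Added example; not code from the original thread. Assumes the scanner
requests the literal path /sumthin and that the logs use Apache's
common/combined log format.
"""
import re
from collections import Counter

# Apache common/combined format. The request line is "METHOD PATH PROTO";
# the protocol is optional so HTTP/0.9-style requests still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

PROBE_PATH = "/sumthin"  # assumed probe path (see lead-in)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(entry):
    """True when the request path (ignoring any query string) is the probe path."""
    return entry is not None and entry["path"].split("?", 1)[0] == PROBE_PATH


def find_probes(lines):
    """Return (Counter of probes per source IP, list of matching parsed entries)."""
    counts = Counter()
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_probe(entry):
            counts[entry["ip"]] += 1
            hits.append(entry)
    return counts, hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Feb/2003:21:14:03 +0100] "GET /sumthin HTTP/1.0" 404 287 "-" "-"',
    '192.0.2.10 - - [26/Feb/2003:21:14:04 +0100] "GET /sumthin HTTP/1.0" 404 287 "-" "-"',
    '198.51.100.7 - - [26/Feb/2003:21:15:11 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Feb/2003:21:16:30 +0100] "GET /sumthin?x=1 HTTP/1.0" 404 287 "-" "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    counts, hits = find_probes(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} /sumthin probe(s)")
```

Each address that shows up here is a candidate for correlating against the firewall or IDS for a burst of connections to port 443 shortly afterwards, which is what the exploit described above would produce if the scanner went on to use it.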

----- Original Message -----
From: "Jonathan A. Zdziarski" <jonathan@networkdweebs.com>
To: "'Philipp Hug'" <securityfocus@hugit.ch>; "'Sverre H. Huseby'" <shh@thathost.com>; <incidents@securityfocus.com>
Sent: Wednesday, February 26, 2003 10:14 PM
Subject: RE: More /sumthin

Well, whatever bugs this exploits, it seems from the source code that it is more related to the version of Apache than it is to the version of SSL; perhaps something to do with the way they interact. It doesn't even use port 443.


Also being that ./openssl was called and not just plain old openssl, and that -a doesn't appear to be a valid openssl command, it's probably calling a script of sorts and we have no idea what that script does.

> -----Original Message-----


Received on Thu Feb 27 10:23:25 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:59 EDT
