[Dshield] Increased HTTPS scans

Andreas Östling andreaso at it.su.se
Fri Sep 13 21:09:25 GMT 2002


On Fri, 13 Sep 2002, Mike Morrell wrote:

>   Is there a new vulnerability out for HTTPS?  I have seen a small
> increase in HTTPS scans that directly correspond to similar increases
> seen in the Dshield reports (
> http://www.dshield.org/port_report.php?port=443 ).  It does not appear
> that they are tied directly to some general increase in port 80 scans (
> http://www.dshield.org/port_report.php?port=80 ).
>   I do not have an IDS running so I am only catching what my firewall logs
> see.
>
>
> Mike

Check the recent posts on Bugtraq. There is an SSL/Apache out there.

I've also noted increased 443/tcp activity.
However, not all 443/tcp scans are worm traffic.
I sent this to another list:

While I've not yet seen any worm activity, I thought I'd mention that
yesterday, we detected a successful non-worm break-in on a Linux machine
(Mandrake with Apache 1.3.20) where a flaw was exploited over SSL
(perhaps the same flaw that the worm uses). It was detected by having
Snort watch for certain cleartext strings in 443/tcp traffic (see
snort-sigs list archive). Argus logs also exist, if anyone is interested.

Does anyone have any Apache logs showing a successful break-in of the
worm? On the cracked Linux machine, this could be found in ssl_engine_log:

[12/Sep/2002 15:26:20 28181] [info]  Connection: Client IP: attacker_ip, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[12/Sep/2002 15:26:20 28182] [error] SSL handshake failed (server victim_ip:443, client attacker_ip) (OpenSSL library error follows)
[12/Sep/2002 15:26:20 28182] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[12/Sep/2002 15:31:11 06311] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
[12/Sep/2002 15:31:11 09981] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
...
[12/Sep/2002 15:31:11 24305] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
[12/Sep/2002 15:31:12 28162] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28163] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28164] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:12 28145] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
[12/Sep/2002 15:31:13 28165] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28166] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28167] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28168] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:12 28146] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
[12/Sep/2002 15:31:13 28178] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28177] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
...
[12/Sep/2002 15:31:13 28172] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28181] [info]  Connection to child 30 closed with standard shutdown (server victim_ip:443, client attacker_ip)


And then eth0 entered promiscuous mode (dsniff was installed), attacker_ip
logs in via a backdoor etc.


Regards,
Andreas Östling
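The ssl_engine_log excerpt above shows the shape a defender can key on: one client producing a burst of handshake failures and timeouts, with mod_ssl writing the OpenSSL error detail on a following line that shares the same process id. The script below is an added example, not code from the post or from mod_ssl/Snort; it parses that log format, stitches the OpenSSL detail line onto its failure event by pid, and flags any client with several failures inside a sliding time window. The sample log is constructed (the IPs are documentation-range placeholders, not the hosts in the post), and the threshold and window size are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the mod_ssl ssl_engine_log format quoted in the post.
# 192.0.2.10 / 203.0.113.7 / 198.51.100.5 are placeholder addresses, not real hosts.
SAMPLE_LOG = """\
[12/Sep/2002 15:26:20 28181] [info]  Connection: Client IP: 192.0.2.10, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[12/Sep/2002 15:26:20 28182] [error] SSL handshake failed (server 198.51.100.5:443, client 192.0.2.10) (OpenSSL library error follows)
[12/Sep/2002 15:26:20 28182] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[12/Sep/2002 15:31:11 06311] [error] SSL handshake timed out (client 192.0.2.10, server 198.51.100.5:443)
[12/Sep/2002 15:31:11 09981] [error] SSL handshake timed out (client 192.0.2.10, server 198.51.100.5:443)
[12/Sep/2002 15:31:12 28145] [error] SSL handshake timed out (client 192.0.2.10, server 198.51.100.5:443)
[12/Sep/2002 15:31:12 28162] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28163] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:40:00 28200] [error] SSL handshake timed out (client 203.0.113.7, server 198.51.100.5:443)
[12/Sep/2002 15:31:13 28181] [info]  Connection to child 30 closed with standard shutdown (server 198.51.100.5:443, client 192.0.2.10)
"""

# "[dd/Mon/yyyy HH:MM:SS pid] [level] message"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<pid>\d+)\] \[(?P<level>\w+)\]\s+(?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"client (?P<ip>[0-9.]+)")
FAILURE_MARKERS = ("SSL handshake failed", "SSL handshake timed out")


def parse_log(text):
    """Return a list of (timestamp, client_ip, reason) handshake-failure events.

    When mod_ssl announces "(OpenSSL library error follows)", the next line with the
    same pid carries the library error; it replaces the generic reason for that event.
    """
    events = []   # (datetime, ip, reason)
    pending = {}  # pid -> index into events still waiting for its OpenSSL detail line
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("OpenSSL:") and pid in pending:
            idx = pending.pop(pid)
            events[idx] = events[idx][:2] + (msg,)
            continue
        if not msg.startswith(FAILURE_MARKERS):
            continue
        client = CLIENT_RE.search(msg)
        if not client:
            continue
        events.append((ts, client["ip"], msg.split(" (")[0]))
        if "library error follows" in msg:
            pending[pid] = len(events) - 1
    return events


def flag_clients(events, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for clients with >= threshold failures in any window.

    Events are sorted per client first because mod_ssl children do not write in
    strict timestamp order (visible in the quoted log). threshold/window are assumed
    starting values, not figures from the post.
    """
    by_ip = defaultdict(list)
    for ts, ip, _reason in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, count in flag_clients(evs).items():
        reasons = sorted({r for _, i, r in evs if i == ip})
        print(f"{ip}: {count} handshake failures in window; reasons: {reasons}")
```

Run against a real ssl_engine_log with `parse_log(open(path).read())`. A burst like this is only a trigger for a closer look: a single client with many "connection id is different" or timed-out handshakes in a few minutes is worth correlating with the firewall and Snort data the thread mentions, while isolated timeouts from many clients are usually just ordinary network noise.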
