[Dshield] openssl...

James C. Slora, Jr. Jim.Slora at phra.com
Mon Sep 16 17:23:25 GMT 2002


I think Johannes had it right - the situation is complex. The virus warning
is useful and may explain some people's traffic. But definitely don't count
on anti-virus products as the main line of defense.

I've had four tcp 443 connect sources that scanned my tiny network over the
past 4 days. 3 of them are from either a worm (but not Slapper) or a tool
based on synscan 1.9, and one of them was part of an aggressive multi-port
scan.

None of my traffic has matched Slapper's behavior so far (no port 80
connects precede the 443 attempts), but 443 has suddenly gotten pretty
popular.

Patrick Andry wrote Sat, 14 Sep 2002 07:21:54 -0400
> From Sophos...
>
> Name: Linux/Slapper-A
> Type: Linux worm
> Date: 14 September 2002
>
> A virus identity file (IDE) which provides protection is
> available now from our website and will be incorporated into the
> November 2002 (3.63) release of Sophos Anti-Virus.
>
> At the time of writing Sophos has received no reports from users
> affected by this worm. However, we have issued this advisory
> following enquiries to our support department from customers.
>
> More information about Linux/Slapper-A can be found at
> http://www.sophos.com/virusinfo/analyses/linuxslappera.html
>
>
>
> Johannes Ullrich wrote:
>
> >ok. the openssl situation is getting a bit harder to analyze. Based
> >on several notes, I would recommend that people turn off any
> >ssl services they do not need, and for apache with mod_ssl, add the
> >following line to your config file to disable sslv2:
> >
> >SSLProtocol all -SSLv2
> >SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
> >
> >I am not absolutely sure if it helps, but I don't think it will make
> >things worse.
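
The check described in the message above (does a port 80 connect from the same source precede its 443 attempt?), written out as an added example that is not part of the original post. The log format, the 60-second window and all addresses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample connection log (not real traffic):
# date, time, source, destination, destination port.
SAMPLE_LOG = """\
2002-09-16 10:00:01 192.0.2.10 198.51.100.5 80
2002-09-16 10:00:03 192.0.2.10 198.51.100.5 443
2002-09-16 10:05:00 192.0.2.77 198.51.100.5 443
2002-09-16 10:05:00 192.0.2.77 198.51.100.6 443
2002-09-16 10:05:01 192.0.2.77 198.51.100.7 443
2002-09-16 11:00:00 203.0.113.9 198.51.100.5 80
2002-09-16 13:30:00 203.0.113.9 198.51.100.5 443
"""

# Assumption: how soon the 443 connect must follow the port 80 connect
# for the two to count as one probe sequence.
WINDOW = timedelta(seconds=60)


def parse(log):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            yield ts, parts[2], parts[3], int(parts[4])
        except ValueError:
            continue


def classify_443_sources(log, window=WINDOW):
    """Label each source that connected to tcp/443 as '80-then-443' or '443-only'."""
    last_80 = {}   # (src, dst) -> time of the most recent port 80 connect
    result = {}
    for ts, src, dst, dport in sorted(parse(log)):
        if dport == 80:
            last_80[(src, dst)] = ts
        elif dport == 443:
            seen = last_80.get((src, dst))
            if seen is not None and ts - seen <= window:
                result[src] = "80-then-443"        # matches the 80-before-443 pattern
            else:
                result.setdefault(src, "443-only")  # bare 443 scan, like the ones reported
    return result


if __name__ == "__main__":
    for src, label in sorted(classify_443_sources(SAMPLE_LOG).items()):
        print(src, label)
```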



