The combination of a known vulnerability in the OpenSSL protocol implementation and a new worm that exploits this vulnerability is wreaking havoc for Apache Web server administrators. In the worst-case scenario, the worm takes over servers and launches a distributed denial of service (DDoS) attack, but the worm can also compromise data on the server.
Details
Thousands of systems have already been compromised by this threat to Linux Apache Web servers due to a vulnerability (VU#102795) found in OpenSSL 0.9.6d or earlier. The worm that exploits this vulnerability is variously known as Slapper, Apache/mod_ssl Worm, bugtrac.c, and linux.slapper. The reason this worm is sometimes designated as bugtrac.c is that the source code is placed in /tmp/.bugtrac.c. Symantec identifies it as the Linux.Slapper.Worm.
According to the CERT Bulletin CA-2002-27, the worm spreads by first scanning TCP port 80 using an invalid HTTP GET request to locate potentially vulnerable systems. Next, the worm attempts to connect to SSL services through TCP port 443, placing the worm code in the system if it succeeds.
The Symantec alert on this vulnerability reports finding the infection on Red Hat, SuSE, Slackware, Debian, and Mandrake Apache installations. It also identifies the invalid HTTP request as being in this form: "GET / HTTP/1.1\r\n\r\n". The report details a typical Apache server response to the probe and provides more information that may be of interest if you are initiating a forensic analysis.
An infected system will launch a DDoS attack by establishing communication through UDP port 2002. (According to Symantec, the .B variant of the worm uses port 1978, and the .C variant uses 4156.) This traffic slows the affected systems, but the same channel is also used to share data within the peer-to-peer network that the worm forms among infected hosts.
To see whether your systems have been compromised, look for traffic on UDP port 2002 or for a process listening on it. You can identify an initial attack by looking for scans on TCP port 80.
Probes will probably be logged as "GET / HTTP/1.1", but the presence of this or similar notation is not proof that a system has been compromised. It merely indicates that an attack has been attempted, and completely innocent events may result in similar log entries. The absence of such activity in the log usually means that your system hasn't been targeted yet.
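As an added example (not from the article or the advisories it cites), this Python script applies the two indicators above to constructed sample data: Apache access-log lines for the port-80 probe and netstat-style lines for UDP sockets. The 400 status filter is an assumption: the probe's HTTP/1.1 request carries no Host header, which HTTP/1.1 requires, so Apache rejects it.

```python
import re
from collections import Counter

# Apache combined-format access log line (IP, timestamp, request, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
# Request line Symantec attributes to the Slapper scan. It has no Host header,
# which HTTP/1.1 requires, so Apache answers 400 (assumed here as the filter).
PROBE_REQUEST = "GET / HTTP/1.1"
PROBE_STATUS = "400"
# UDP ports the article associates with the worm's peer-to-peer channel.
SLAPPER_UDP_PORTS = {"2002", "1978", "4156"}

def find_probes(lines):
    """Count probe-shaped requests per source IP; a hit is an attempt, not a compromise."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["req"] == PROBE_REQUEST and m["status"] == PROBE_STATUS:
            hits[m["ip"]] += 1
    return dict(hits)

def find_udp_listeners(netstat_lines):
    """Return local UDP sockets bound to a known worm port, from 'netstat -anu' output."""
    found = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "udp":
            if fields[3].rsplit(":", 1)[-1] in SLAPPER_UDP_PORTS:
                found.append(fields[3])
    return found

# Constructed sample data, not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Sep/2002:22:14:01 -0400] "GET / HTTP/1.1" 400 314 "-" "-"',
    '198.51.100.3 - - [13/Sep/2002:22:14:05 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [13/Sep/2002:22:15:11 -0400] "GET / HTTP/1.1" 400 314 "-" "-"',
    '192.0.2.9 - - [13/Sep/2002:22:16:00 -0400] "GET / HTTP/1.1" 200 2326 "-" "Lynx/2.8"',
]
SAMPLE_NETSTAT = [
    "udp        0      0 0.0.0.0:2002            0.0.0.0:*",
    "udp        0      0 0.0.0.0:123             0.0.0.0:*",
]

if __name__ == "__main__":
    print(find_probes(SAMPLE_LOG))             # {'203.0.113.7': 2}
    print(find_udp_listeners(SAMPLE_NETSTAT))  # ['0.0.0.0:2002']
```

The last sample log line shows why the status check matters: a legitimate browser request for "/" produces the same request line but a 200 response.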
Applicability
According to CERT, "Versions of OpenSSL servers prior to 0.9.6e and prerelease version 0.9.7-beta2 contain a remotely exploitable buffer overflow vulnerability. This vulnerability can be exploited by a client using a malformed key during the handshake process with an SSL server connection using the SSLv2 communication process."
The OpenSSL vulnerability itself, as opposed to the Slapper worm attack, affects a great many systems, which are listed at VU#102795. Apache is listed there with its vulnerability status marked as unknown, so even the few vendor products that may still be listed at that site with an unknown status should be viewed with suspicion. Lotus and Inktomi are the only companies whose products are actually listed on that site as "not vulnerable."
You'll find a list of all known affected systems, including specific version numbers, here. This huge list includes many Windows systems that are affected by the SSLv2 buffer overflow vulnerability but not by the Slapper Worm attack.
Windows and Macintosh systems, as well as Linux and UNIX systems not hosted on Intel x86 hardware, are not vulnerable to this specific worm attack, but most or all Apache servers running on any platform do have the same underlying SSLv2 flaw unless they use a very recent version of OpenSSL.