Hit! - OpenSSL/Apache worm in the wild
Joe Elliott
joe at inetd.com
Sun Sep 15 14:43:00 EDT 2002
Hi Guys,
Look out below. I got hit at 6:30 Friday night. It uses Apache to
place a uuencoded C program in /tmp/.uubugtraq -> /tmp/.bugtraq.c.
After compiling it runs the program and starts opening as many connections
as it can to other computers on your subnets.
tcp 0 1 63.194.89.163:40695 182.178.217.125:80 SYN_SENT
tcp 0 1 63.194.89.163:40631 182.178.217.61:80 SYN_SENT
tcp 0 1 63.194.89.163:40572 182.178.217.2:80 SYN_SENT
tcp 0 1 63.194.89.163:40636 182.178.217.66:80 SYN_SENT
tcp 0 1 63.194.89.163:40573 182.178.217.3:80 SYN_SENT
tcp 0 1 63.194.89.163:40637 182.178.217.67:80 SYN_SENT
tcp 0 1 63.194.89.163:40570 182.178.217.0:80 SYN_SENT
tcp 0 1 63.194.89.163:40634 182.178.217.64:80 SYN_SENT
tcp 0 1 63.194.89.163:40571 182.178.217.1:80 SYN_SENT
tcp 0 1 63.194.89.163:40635 182.178.217.65:80 SYN_SENT
tcp 0 1 63.194.89.163:40640 182.178.217.70:80 SYN_SENT
tcp 0 1 63.194.89.163:40576 182.178.217.6:80 SYN_SENT
tcp 0 1 63.194.89.163:40641 182.178.217.71:80 SYN_SENT
tcp 0 1 63.194.89.163:40577 182.178.217.7:80 SYN_SENT
tcp 0 1 63.194.89.163:40574 182.178.217.4:80 SYN_SENT
Judging by the slowdown in internet performance since yesterday, my guess is that this
has hit many people.
I am running Linux version 2.4.2-2, gcc version 2.96 20000731
(Red Hat Linux 7.1 2.96-79).
Here is the C code snippet of the virus from my ./tmp file:
/****************************************************************************
* *
* Peer-to-peer UDP Distributed Denial of Service (PUD) *
* by contem at efnet *
* *
* Virtually connects computers via the udp protocol on the *
* specified port. Uses a newly created peer-to-peer protocol that *
* incorperates uses on unstable or dead computers. The program is *
* ran with the parameters of another ip on the virtual network. If *
* running on the first computer, run with the ip 127.0.0.1 or some *
* other type of local address. Ex: *
* *
* Computer A: ./program 127.0.0.1 *
* Computer B: ./program Computer_A *
* Computer C: ./program Computer_A *
* Computer D: ./program Computer_C *
* *
* Any form of that will work. The linking process works by *
* giving each computer the list of avaliable computers, then *
* using a technique called broadcast segmentation combined with TCP *
* like functionality to insure that another computer on the network *
* receives the broadcast packet, segments it again and recreates *
* the packet to send to other hosts. That technique can be used to *
* support over 16 million simutaniously connected computers. *
* *
* Thanks to ensane and st for donating shells and test beds *
* for this program. And for the admins who removed me because I *
* was testing this program (you know who you are) need to watch *
* their backs. *
* *
* I am not responsible for any harm caused by this program! *
* I made this program to demonstrate peer-to-peer communication and *
* should not be used in real life. It is an education program that *
* should never even be ran at all, nor used in any way, shape or *
* form. It is not the authors fault if it was used for any purposes *
* other than educational. *
* *
****************************************************************************/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdarg.h>
#include <sys/ioctl.h>
--
__o _~o __o
`\<, `\<, `\<,
______________________________________(*)/_(*)__(*)/_(*)__(*)/_(*)________
Im a 21st Century Digital Boy ... I aint got a life, but I got lotsa toys.
******************* Joe Elliott joe at inetd.com ********************
Phone:(650)961-6631 Cell:(650)714-3932 Inetd.Com http://inetd.com
--------------------------------------------------------------------------
On Fri, 13 Sep 2002, Andreas Östling wrote:
> Date: Fri, 13 Sep 2002 23:04:47 +0200 (CEST)
> From: Andreas Östling <andreaso at it.su.se>
> To: unisog at sans.org
> Cc: argus <argus-info at lists.andrew.cmu.edu>, da at securityfocus.com
> Subject: Re: [unisog] Re: OpenSSL worm in the wild
>
>
> > > I'd like to request IP addresses of hosts that have been compromised or
> > > that are currently attacking systems from anyone who is comfortable
> > > sharing this information. We wish to run it through TMS (formerly
> > > known as ARIS) to see how quickly it is propagating.
> ...
>
> While I've not yet seen any worm activity, I thought I'd mention that
> yesterday, we detected a successful non-worm break-in on a Linux machine
> (Mandrake with Apache 1.3.20) where a flaw was exploited over SSL
> (perhaps the same flaw that the worm uses). It was detected by having
> Snort watch for certain cleartext strings in 443/tcp traffic (see
> snort-sigs list archive). Argus logs also exist, if anyone is interested.
>
> Does anyone have any Apache logs showing a successful break-in of the
> worm? On the cracked Linux machine, this could be found in ssl_engine_log:
>
> [12/Sep/2002 15:26:20 28181] [info] Connection: Client IP: attacker_ip, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
> [12/Sep/2002 15:26:20 28182] [error] SSL handshake failed (server victim_ip:443, client attacker_ip) (OpenSSL library error follows)
> [12/Sep/2002 15:26:20 28182] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
> [12/Sep/2002 15:31:11 06311] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
> [12/Sep/2002 15:31:11 09981] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
> ...
> [12/Sep/2002 15:31:11 24305] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
> [12/Sep/2002 15:31:12 28162] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [12/Sep/2002 15:31:13 28163] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [12/Sep/2002 15:31:13 28164] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [12/Sep/2002 15:31:12 28145] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
> [12/Sep/2002 15:31:13 28165] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [12/Sep/2002 15:31:13 28166] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [12/Sep/2002 15:31:13 28167] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [12/Sep/2002 15:31:13 28168] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [12/Sep/2002 15:31:12 28146] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
> [12/Sep/2002 15:31:13 28178] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [12/Sep/2002 15:31:13 28177] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> ...
> [12/Sep/2002 15:31:13 28172] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> [12/Sep/2002 15:31:13 28181] [info] Connection to child 30 closed with standard shutdown (server victim_ip:443, client attacker_ip)
>
>
> And then eth0 entered promiscuous mode (dsniff was installed), attacker_ip
> logs in via a backdoor etc.
>
>
> Regards,
> Andreas Östling
>
>
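The two detection signals in this thread are Joe's netstat fan-out and the ssl_engine_log excerpt Andreas quotes. As an added example, not code from either poster, here is a small Python checker for the second: it parses mod_ssl ssl_engine_log lines and flags clients that trigger the GET_CLIENT_FINISHED "connection id is different" error and then a burst of handshake timeouts, attributing the client-less OpenSSL error line to a client via the worker pid of the preceding "handshake failed" line. The sample lines and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are constructed stand-ins for attacker_ip and victim_ip.

```python
import re
from collections import defaultdict

# Line shape of mod_ssl's ssl_engine_log as quoted in the thread: "[date time pid] [level] message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+) (?P<pid>\d+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CLIENT_RE = re.compile(r"[Cc]lient(?: IP:)? ([\w.:]+)")  # "Client IP: X," or "client X)"
CLIENT_FINISHED_ERR = "GET_CLIENT_FINISHED:connection id is different"

# Constructed sample modelled on the excerpt above; documentation addresses stand in for
# attacker_ip (192.0.2.10, plus a benign 203.0.113.7) and victim_ip (198.51.100.5).
SAMPLE_LOG = """\
[12/Sep/2002 15:26:20 28181] [info] Connection: Client IP: 192.0.2.10, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[12/Sep/2002 15:26:20 28182] [error] SSL handshake failed (server 198.51.100.5:443, client 192.0.2.10) (OpenSSL library error follows)
[12/Sep/2002 15:26:20 28182] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[12/Sep/2002 15:31:11 06311] [error] SSL handshake timed out (client 192.0.2.10, server 198.51.100.5:443)
[12/Sep/2002 15:31:11 09981] [error] SSL handshake timed out (client 192.0.2.10, server 198.51.100.5:443)
[12/Sep/2002 15:31:11 24305] [error] SSL handshake timed out (client 192.0.2.10, server 198.51.100.5:443)
[12/Sep/2002 15:40:05 28191] [error] SSL handshake timed out (client 203.0.113.7, server 198.51.100.5:443)
"""

def parse_line(line):
    # Returns ts/pid/level/msg plus the client named in msg (None if the line names none).
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    c = CLIENT_RE.search(rec["msg"])
    rec["client"] = c.group(1) if c else None
    return rec

def analyze(lines):
    """Per-client signal counts; a client-less OpenSSL error line is tied to its worker pid's last client."""
    last_client_for_pid = {}
    stats = defaultdict(lambda: {"client_finished_err": 0, "timeouts": 0})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        client = rec["client"] or last_client_for_pid.get(rec["pid"])
        if client is None:
            continue
        last_client_for_pid[rec["pid"]] = client
        if CLIENT_FINISHED_ERR in rec["msg"]:
            stats[client]["client_finished_err"] += 1
        elif "SSL handshake timed out" in rec["msg"]:
            stats[client]["timeouts"] += 1
    return dict(stats)

def suspicious_clients(stats, min_timeouts=3):
    """Clients showing the GET_CLIENT_FINISHED error followed by a burst of handshake timeouts."""
    return sorted(ip for ip, s in stats.items() if s["client_finished_err"] and s["timeouts"] >= min_timeouts)
```

Run it over a real ssl_engine_log with `analyze(open(path))`; a single timeout burst without the GET_CLIENT_FINISHED error is left alone, since that also happens with ordinary broken clients.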