
[cobalt-security] OpenSSL Worm in the wild....



Perhaps I am stirring up something that isn't a problem, but I don't think
so.... Read the items below....

Looks like everyone had better at least minimize the information given out by
the server's "Server:" banner. To do so:
edit /etc/httpd/conf/httpd.conf
and add the following line:
ServerTokens ProductOnly

Then restart Apache...
/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start

HTH...
Rick

I got this from my CISSP list..... Sorry for the generic setup but they get
cranky if you quote names - it is a list for CISSPs only.
>> I have now seen a worm for the OpenSSL problems I reported a few weeks
>> back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
>> be _seriously worried_.
>>
>> It appears to be exclusively targeted at Linux systems, but I wouldn't
>> count on variants for other systems not existing.

Someone from a REALLY BIG security vendor replied:
>The incident analysis team over here is examining this thing.  At first
>glance it looks reasonably sophisticated.  Looks to me like it exploits
>the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
>It seems to pick targets based on the "Server:" HTTP response field.
>[somebody] proposed a quick workaround of disabling ServerTokens or
>setting it to ProductOnly to turn away at least this version of the exploit
>until fixes can be applied.  Another thing to note is that it communicates
>with its friends over UDP / port 2002.
>
>I'd like to request IP addresses of hosts that have been compromised or
>that are currently attacking systems from anyone who is comfortable
>sharing this information.  We wish to run it through TMS (formerly
>known as ARIS) to see how quickly it is propagating.
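As an added example (not part of Rick's post, the quoted replies, or any code from the list), the following POSIX shell script applies the ServerTokens workaround described above and checks its effect. It replaces an existing ServerTokens directive rather than appending a second one, because a later "ServerTokens Full" in the file would override a line added at the end, and it inspects a captured HTTP response for a version-bearing "Server:" banner, which is what the quoted analysis says the worm keys on. The config path argument, the sample httpd.conf lines and the two sample responses are constructed for the example.

```shell
#!/bin/sh
# Added example: set "ServerTokens ProductOnly" idempotently and verify the banner.
# Usage (hypothetical): . ./servertokens.sh; set_server_tokens /etc/httpd/conf/httpd.conf
# The config path is whatever the caller passes in $1.

# Replace any active ServerTokens directive, or append one if none is present.
# Commented-out lines ("#ServerTokens Full") are left alone by the anchored regex.
set_server_tokens() {
    conf="$1"
    if grep -Eq '^[[:space:]]*ServerTokens[[:space:]]' "$conf"; then
        tmp="$conf.tmp"
        sed 's/^[[:space:]]*ServerTokens[[:space:]].*/ServerTokens ProductOnly/' "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        printf 'ServerTokens ProductOnly\n' >> "$conf"
    fi
}

# Succeed only if exactly one active ServerTokens directive exists and it is ProductOnly.
server_tokens_ok() {
    n=$(grep -Ec '^[[:space:]]*ServerTokens[[:space:]]' "$1" || true)
    [ "$n" -eq 1 ] \
        && grep -Eq '^[[:space:]]*ServerTokens[[:space:]]+ProductOnly[[:space:]]*$' "$1"
}

# Print the value of the first "Server:" header in a captured HTTP response.
server_banner() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1
}

# Succeed if the banner still carries a "name/version" token (e.g. "Apache/1.3.26"),
# i.e. the information the workaround is meant to withhold.
banner_leaks_version() {
    server_banner "$1" | grep -Eq '/[0-9]'
}

# Constructed sample responses: one from a server with the default ServerTokens
# setting, one after ServerTokens ProductOnly has been applied.
RESP_FULL='HTTP/1.1 200 OK
Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d
Content-Type: text/html'

RESP_MIN='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'
```

After restarting Apache, the same banner check can be run against a real response captured with a client of your choice; the functions only look at the text they are given.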