[27122] in bugtraq
Re: Linux Slapper Worm
daemon@ATHENA.MIT.EDU (Miroslaw Jaworski)
Thu Sep 19 15:51:29 2002
Date: Thu, 19 Sep 2002 10:03:32 +0200
From: Miroslaw Jaworski <mjaw@ipartners.pl>
To: Ajai Khattri <ajai@bitblit.net>
Message-ID: <20020919080332.GC69971@quad.ikp.pl>
Mail-Followup-To: Miroslaw Jaworski <mjaw@ipartners.pl>,
Ajai Khattri <ajai@bitblit.net>, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
In-Reply-To: <3D88AEC5.8060500@bitblit.net>

* Ajai Khattri (ajai@bitblit.net) [020919 09:02] wrote:
> Not seeing any announcement from my vendor (and not wanting to compile
> SSL from source), I set out to see if there was some way of avoiding
> being infected in the first place. I decided to hack my Apache (1.3.26)
> source code to send a bogus Server: header

...and you're still vulnerable.

Don't forget that mod_ssl and openssl show their versions if you talk to
an SSL-enabled apache (src/modules/ssl/ssl_engine_init.c,
ap_add_version_component).

So if another kiddie compiles the PUD code, changing it to look not
for 'Apache' but for 'mod_ssl|open_ssl' - you're dead.
Not to mention another one, who won't check the server response but will
send all exploits to every open port 80 - you're dead too.

Someone can read your "fix", apply it, and think he's safe. Giving
such "advice" _can_ make the whole situation worse - some people out there
will look at all this "Slapper thing" with smiles, thinking they're patched.

Go patch the real hole.

Regards
MJ.
--
Miroslaw.Jaworski@ipartners.pl ( Psyborg ) MJ102-RIPE Internet Partners
Server Administration Department Manager