This is sist3m's personal professional blog, covering security news, how-tos, discussions, incidents, vulnerability discovery (including exploit development), and anything else I see fit to throw in there!

Saturday, 16 December 2006

Old SSL exploits still used in the wild

It seems that old (2003) exploits are still being used in the wild.

I woke up this morning to find the following in my Apache logs on my OpenBSD 4.0 i386 server:

200.175.20.52 - - [16/Dec/2006:04:16:28 +1100] "GET /sumthin HTTP/1.0" 404 277

The probe came from a Brazilian IP range. An nmap scan of the source host:

Interesting ports on univel52.csc.gvt.net.br (200.175.20.52):
Not shown: 1673 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
631/tcp open ipp
1720/tcp filtered H.323/Q.931
3306/tcp open mysql
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.5 - 2.6.11
Uptime 16.163 days (since Thu Nov 30 06:03:23 2006)


The offending IP is a government box in Brazil (see the nmap scan above). It's running a 2.6.x kernel ;)

Some additional info on the offending host:

$ telnet 200.175.20.52 22
Trying 200.175.20.52...
Connected to 200.175.20.52.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.8.1p1 Debian-8.sarge.4


The "GET /sumthin HTTP/1.0" request is the signature of a mass OpenSSL scanner and exploiter. I have actually had the opportunity to play with this tool during my time at Deutsche Bank as a First Responder.
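Since the request path is the recognisable part of this probe, a defender can pull it straight out of the access log. The following is an added example (not code from the original post or from the scanner's authors) that parses Apache common/combined log lines and flags any request for the "/sumthin" path; the sample log lines are constructed, with the first one copied from the post.

```python
import re
from datetime import datetime

# Apache common/combined log prefix, e.g.
# 200.175.20.52 - - [16/Dec/2006:04:16:28 +1100] "GET /sumthin HTTP/1.0" 404 277
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Request paths treated as scanner signatures. Only "/sumthin" comes from
# the post; the status code is deliberately ignored, because the probe is
# expected to 404 on a normal server and still identifies the scanner.
PROBE_PATHS = {"/sumthin"}


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_probes(lines):
    """Return (ip, iso_timestamp, path) for every request whose path is a known probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in PROBE_PATHS:
            hits.append((rec["ip"], rec["ts"].isoformat(), rec["path"]))
    return hits


# Constructed sample: the line from the post plus two lines of ordinary traffic.
SAMPLE_LOG = [
    '200.175.20.52 - - [16/Dec/2006:04:16:28 +1100] "GET /sumthin HTTP/1.0" 404 277',
    '10.0.0.5 - - [16/Dec/2006:04:17:02 +1100] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.5 - - [16/Dec/2006:04:17:03 +1100] "GET /favicon.ico HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for ip, ts, path in find_probes(SAMPLE_LOG):
        print(f"probe from {ip} at {ts}: {path}")
```

Feed it the real log with `find_probes(open("/var/www/logs/access_log"))` and the one hit per scanning host is enough to block or investigate the source.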

I found a great write-up on this tool at LURHQ.

I can't clearly remember, but the authors were either Polish or Indonesian. I believe I may have a copy of the tool somewhere. I will attempt to find it and post it here for analysis.

What intrigues me is that this type of exploit is still being used at the end of 2006!