Hi Thomas
From: Thomas Langfeld [mailto:opa.thomas@fhtw-berlin.de]

Hi,
we are running SuSE 7.3 and Apache 1.3.20 with mod_ssl.
Last week it happened:
- webserver down
- apache could not be restarted
- error-log: '[crit] (98)Address already in use: make_sock: could not bind to port 443'
Try "lsof | grep :https", or use "netstat -anp" to check which binary locks port 443. You can check whether https is working or not with the following command:

# openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0
So, let's look at what wwwrun is doing:
- a 'ps aux | grep wwwrun' showed nothing
- but: 'top' and 'uwwwrun' showed some 'eggdrop' processes running as user 'wwwrun'
  -> maybe a rootkit which replaced '/usr/bin/ps' ???
- a portscan revealed open tcp-port 6667
Eggdrop is an IRC-daemon. Take a look at http://www.eggheads.org/. It would be a very clumsy rootkit that leaves out top ...
1. question: Does anybody know what the reason for that is?!?
We suggested it could be the SSL worm Slapper, but that usually opens UDP ports and not TCP 6667.
Maybe this is not connected to the attack at all. 6667 is IRC:

ircd            6667/tcp        # Internet Relay Chat
ircd            6667/udp        # Internet Relay Chat
2. question: In Apache 1.3.27 all known security holes are fixed.
But there is no RPM for SuSE 7.3; there is only a package with version 1.3.20-77. So we don't know whether all those security holes are fixed in this package?
SuSE uses the latest patches to close known bugs. They do not change the major and minor release numbers (or versions), to maintain package dependencies. If you go with the latest packages, all known bugs should be fixed. Have a look at http://www.suse.de/de/security/index.html
The same for mod_ssl / OpenSSL ?
Yes.
So we don't know: when we install the latest SuSE RPMs, are we protected against the above attack??
You will be protected against known exploits and known hacks.
Anybody who can answer the questions ?
Do you use Tripwire? Do you have MD5 sums of your files? Check which files have changed, especially files in /bin, /sbin, /usr/bin and /usr/sbin.
Thx, Thomas
You're welcome. Stefan
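The two checks Stefan recommends above (an MD5 baseline of the system binaries, and a cross-check of what ps reports against /proc, which is how the hidden eggdrop processes would show up), written out as an added shell example. This is not code from the thread, from SuSE or from Tripwire; it assumes GNU coreutils and procps (what SuSE 7.3 and any current Linux ship), and the function names, the temp-file handling and the sample PID lists are my own.

```shell
#!/bin/sh
# Added example (not from the mail thread): Stefan's two checks as shell
# functions. Assumes GNU coreutils (find -print0, sort -z, xargs -0, md5sum)
# and procps ps. Function names and file layout are my own choices.

# --- 1. MD5 baseline of the directories a rootkit normally touches ----------
# Run make_baseline on a known-good system (or against install media), keep
# the output off-host, and run check_baseline on the suspect box. A baseline
# taken *after* the break-in can only show what changed since the break-in.

make_baseline() {
    # usage: make_baseline OUTFILE DIR...
    #   e.g. make_baseline /mnt/usb/base.md5 /bin /sbin /usr/bin /usr/sbin
    out=$1
    shift
    find "$@" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r md5sum > "$out"
}

check_baseline() {
    # usage: check_baseline BASELINEFILE
    # md5sum prints every mismatching or missing file ("...: FAILED") and
    # exits 0 only if everything still matches.
    md5sum -c --quiet "$1"
}

# --- 2. Processes that /proc knows about but ps does not -------------------
# A trojaned /usr/bin/ps (Thomas: "ps aux showed nothing, top showed eggdrop")
# filters its own output; it cannot hide the /proc/<pid> directories from a
# shell glob unless the kernel itself was modified.

pids_missing_from_ps() {
    # usage: pids_missing_from_ps PS_PID_FILE PROC_PID_FILE
    # Both files hold one PID per line; prints PIDs present only in the second.
    # FILENAME == ARGV[1] instead of the usual NR == FNR so that an empty ps
    # list still works (every /proc PID is then reported).
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         !($1 in seen)       { print $1 }' "$1" "$2"
}

find_hidden_pids() {
    proc_list=$(mktemp)
    ps_list=$(mktemp)
    # /proc first, via a glob (no child process to skew the list), then ps.
    # A process that exits in between shows up as a false positive, so run
    # this twice before trusting a hit.
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && echo "${d#/proc/}"
    done > "$proc_list"
    ps -e -o pid= | tr -d ' ' > "$ps_list"
    pids_missing_from_ps "$ps_list" "$proc_list"
    rm -f "$proc_list" "$ps_list"
}

# Usage on the suspect host, with the baseline on removable media:
#   sh rootkit_check.sh /mnt/usb/base.md5
if [ -n "${1:-}" ]; then
    check_baseline "$1" || echo "baseline mismatch (see above)"
    echo "PIDs in /proc but not in ps:"
    find_hidden_pids
fi
```

On an RPM system, `rpm -Va` compares every installed file against the checksums recorded in the RPM database and is quicker than building a baseline, but that database sits on the same disk the intruder had root on, so a clean `rpm -Va` is weaker evidence than a match against checksums kept off-host. For the original port 443 question, `lsof -nP -i :443` shows the holder directly without grepping through the full lsof listing.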