On April 11, 2014 6:45:54 AM EDT, "Vojtěch Zeisek" <vojtech.zeisek@opensuse.org> wrote:
Dear openSUSE on-line friend, how do you test your servers to ensure they weren't compromised? I have to say I have no idea at all... :-/ Good luck, Vojtěch
It's not easy:

- Check to see if you even had the vulnerable library installed. By default, openSUSE 12.1 and before only had an older OpenSSL; 12.2 and newer had a vulnerable version. Macs by default have an older version. MacPorts had the vulnerable version.
- If vulnerable, the best place to look is in a DLP network traffic recorder. Some big companies record all internet traffic and keep it for weeks or months. The packet signature for this seems pretty straightforward now that it is known.
- 99% of setups don't have a separate DLP, but some do have wireshark or tcpdump recordings right off their server. If you happen to have those, search them for the packet signature. Even if you only have a minimal amount of these, I would search them.
- The vulnerability allowed failed authentication requests to pull 64KB sections of RAM. I'm guessing a bad actor would issue hundreds of thousands of failed authentication requests from the same IP, expecting to get different data to sort through. So look through your authentication logs, and if you don't see that pattern and your logs go back in time to when you started running OpenSSL v1.0.1, you should be good.

Unfortunately the vast majority of servers don't have TCP traffic dumps to review, and the failed login attempts signature is extremely common even without this attack, so seeing it means little. Thus for many openSUSE users running a server, there is no way to know. On the other hand, I assume the openSUSE Evergreen users are safe from this problem.

Greg
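Greg suggests searching tcpdump or wireshark recordings for the packet signature. As an added example that is not part of the thread, the following Python scans a raw TLS byte stream (as you would extract from a capture) for heartbeat records whose declared payload length exceeds what the record actually carries; the sample records at the bottom are constructed, not captured traffic, and the RFC 6520 layout (content type 24, then type(1) | payload_length(2) | payload | padding) is the only assumption.

```python
"""Flag TLS heartbeat records that declare more payload than they carry.
Added detection example; not code from the mailing-list thread."""
import struct

HEARTBEAT = 24        # TLS record content type for heartbeat (RFC 6520)
APPLICATION_DATA = 23


def iter_tls_records(stream: bytes):
    """Yield (content_type, version, body) for each complete TLS record.
    A truncated trailing record (common at the end of a capture) is skipped."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break
        yield ctype, version, body
        off += 5 + length


def find_suspicious_heartbeats(stream: bytes):
    """Return one finding per heartbeat record whose payload_length field is
    larger than the bytes actually present after the 3-byte heartbeat header.
    A well-formed record always has payload + at least 16 bytes of padding,
    so declared <= actual holds for benign traffic."""
    findings = []
    for ctype, _version, body in iter_tls_records(stream):
        if ctype != HEARTBEAT or len(body) < 3:
            continue
        hb_type, declared = struct.unpack("!BH", body[:3])
        actual = len(body) - 3
        if declared > actual:
            findings.append({"type": hb_type, "declared": declared,
                             "actual": actual, "overread": declared - actual})
    return findings


def tls_record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Build a TLS record header + body (helper for the constructed samples)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed samples (not real captures):
APPDATA = tls_record(APPLICATION_DATA, b"hello")
# benign heartbeat request: 4-byte payload plus 16 bytes of padding
BENIGN = tls_record(HEARTBEAT, bytes([1]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# the shape a detector must flag: declares 64KB of payload, carries none
OVERSIZED = tls_record(HEARTBEAT, bytes([1]) + struct.pack("!H", 0xFFFF))

if __name__ == "__main__":
    print(find_suspicious_heartbeats(APPDATA + BENIGN + OVERSIZED))
```

Point the function at the reassembled TCP payload of each TLS connection from your capture; any non-empty result is worth a closer look, whereas the failed-login pattern Greg mentions is, as he notes, too common to be conclusive on its own.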