
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-02-07 InfoSec Handlers Diary Blog



Port 1080, 3127 and 3128; Apache-SSL Optional Client Certificate Vulnerability

Published: 2004-02-07
Last Updated: 2004-02-08 03:26:22 UTC
by Kevin Hong (Version: 1)
Port 1080, 3127 and 3128

There has been an increase in attempts directed at ports 1080, 3127 and 3128 over the past few days. At this point, no firm conclusion can be drawn about this activity.


F-Secure reported a new worm (Vesser) that might be responsible for this activity. The worm spreads through the Mydoom backdoor and the SoulSeek P2P program. As reported, it removes the Mydoom backdoor from infected machines. It contains an IRC-based backdoor and an HTTP proxy:

http://www.f-secure.com/v-descs/vesser.shtml


Symantec's W32.HLLW.Deadhat writeup:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deadhat.html

NAI also calls it Deadhat:

http://vil.nai.com/vil/content/v_101000.htm

Let us know if you have further details on this worm.


Apache-SSL optional client certificate vulnerability

A vulnerability has been reported in the Apache-SSL optional client certificate configuration. If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions permit a client to use real basic authentication to forge a client certificate.

The vendor has issued a fixed version of Apache-SSL (1.3.29+1.53):

http://www.apache-ssl.org/advisory-20040206.txt
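
To find servers exposed to the combination described above, the following added example (not part of the original diary or the vendor advisory) audits an Apache-SSL configuration for scopes where SSLFakeBasicAuth is active together with SSLVerifyClient 1 or 3. The sample configuration is constructed, and the inheritance model (a setting in an enclosing scope applies to nested sections unless overridden) is a simplifying assumption.

```python
import re

OPTIONAL_MODES = {"1", "3"}  # SSLVerifyClient values the diary lists as "optional"
# Constructed sample configuration (addresses are documentation placeholders).
SAMPLE = """\
SSLVerifyClient 0
<VirtualHost 192.0.2.10:443>
SSLVerifyClient 3
SSLFakeBasicAuth
</VirtualHost>
<VirtualHost 192.0.2.11:443>
SSLVerifyClient 2
SSLFakeBasicAuth
</VirtualHost>
"""

def _effective(scopes, i, key):
    """Walk from scope i up to the global scope and return the first value set."""
    while i is not None:
        if scopes[i][key]:
            return scopes[i][key]
        i = scopes[i]["parent"]
    return None

def audit(conf_text):
    """Return the scopes where SSLFakeBasicAuth is active with SSLVerifyClient 1 or 3."""
    scopes = [{"name": "global", "parent": None, "verify": None, "fake": False}]
    cur = 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(\w+)\s*([^>]*)>", line)
        if line.startswith("</"):
            cur = scopes[cur]["parent"] or 0      # leave the section
        elif opened:
            name = f"{opened.group(1)} {opened.group(2)}".strip()
            scopes.append({"name": name, "parent": cur, "verify": None, "fake": False})
            cur = len(scopes) - 1
        else:
            words = line.split()
            directive = words[0].lower()          # directive names are case-insensitive
            if directive == "sslverifyclient" and len(words) > 1:
                scopes[cur]["verify"] = words[1]
            elif directive == "sslfakebasicauth":
                scopes[cur]["fake"] = True
    # Resolve after parsing so a global directive placed after a section still counts.
    return [s["name"] for i, s in enumerate(scopes)
            if _effective(scopes, i, "fake") and _effective(scopes, i, "verify") in OPTIONAL_MODES]
```

Calling `audit(SAMPLE)` reports only the first virtual host; the second requires a client certificate (mode 2) and so falls outside the condition the diary describes.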