
SANS ISC: Port 1080, 3127 and 3128; Apache-SSL Optional Client Certificate Vulnerability SANS ISC InfoSec Forums

Port 1080, 3127 and 3128

There has been an increase in attempts directed at ports 1080, 3127 and 3128 over the past few days. At this point, no firm conclusion can be drawn about this activity.


F-Secure reported a new worm (Vesser) that might be responsible for this activity. The worm spreads through the Mydoom backdoor and the SoulSeek P2P program. As reported, it removes the Mydoom backdoor on infected machines. It contains an IRC-based backdoor and an HTTP proxy:

http://www.f-secure.com/v-descs/vesser.shtml


Symantec's W32.HLLW.Deadhat writeup:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deadhat.html

NAI also calls it Deadhat:

http://vil.nai.com/vil/content/v_101000.htm

Let us know if you have further details on this worm.


Apache-SSL optional client certificate vulnerability

A vulnerability has been reported in the Apache-SSL optional client certificate configuration. If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions permit a client to use real basic authentication to forge a client certificate.

The vendor has issued a fixed version of Apache-SSL (1.3.29+1.53):

http://www.apache-ssl.org/advisory-20040206.txt

Kevin
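
To check whether a server uses the affected Apache-SSL combination described above, its configuration can be scanned for SSLVerifyClient 1 or 3 together with SSLFakeBasicAuth. The Python script below is an added example, not code from the diary or from the Apache-SSL project; the function name, the constructed sample configuration and the rule that a virtual host inherits main-server settings it does not set itself are assumptions.

```python
import re

OPTIONAL_LEVELS = {"1", "3"}  # levels the diary describes as "client certificates optional"

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
SSLVerifyClient 0
<VirtualHost 192.0.2.10:443>
SSLVerifyClient 3
SSLFakeBasicAuth
</VirtualHost>
<VirtualHost 192.0.2.11:443>
SSLVerifyClient 2
SSLFakeBasicAuth
</VirtualHost>
<VirtualHost 192.0.2.12:443>
# SSLFakeBasicAuth
SSLVerifyClient 1
</VirtualHost>
"""

def audit_apache_ssl(conf_text):
    """Return [(scope, verify_level)] for scopes that combine both settings."""
    scopes = {"main": {"verify": None, "fake": False}}
    current = "main"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = "vhost " + opened.group(1).strip()
            scopes[current] = {"verify": None, "fake": False}
        elif re.match(r"</VirtualHost>", line, re.I):
            current = "main"
        else:
            parts = line.split()
            if parts[0].lower() == "sslverifyclient" and len(parts) > 1:
                scopes[current]["verify"] = parts[1]
            elif parts[0].lower() == "sslfakebasicauth":
                scopes[current]["fake"] = True
    main, findings = scopes["main"], []
    for name, s in scopes.items():
        # Assumption: a vhost inherits main-server values it does not set itself.
        verify = s["verify"] if s["verify"] is not None else main["verify"]
        if (s["fake"] or main["fake"]) and verify in OPTIONAL_LEVELS:
            findings.append((name, verify))
    return findings

if __name__ == "__main__":
    for scope, level in audit_apache_ssl(SAMPLE_CONF):
        print(f"{scope}: SSLVerifyClient {level} with SSLFakeBasicAuth")
```

Any scope it reports uses the combination the advisory covers, so that server should be running the fixed Apache-SSL 1.3.29+1.53.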
