Re: [cobalt-users] Hacked?
- Subject: Re: [cobalt-users] Hacked?
- From: Paul Warner <pwarner@xxxxxxxxxxxxxxxxxx>
- Date: Tue Sep 24 09:56:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> On Tue, 24 Sep 2002, Dave Thurman (Mailing List Email) wrote:
>
> > on 9/24/02 7:35 AM, Paul Warner stated:
> >
> > > [Tue Sep 24 03:01:12 2002] [error] [client xxx.xxx.xxx.xxx] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
> > > [Tue Sep 24 03:01:12 2002] [error] [client xxx.xxx.xxx.xxx] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
> > > [Tue Sep 24 03:01:12 2002] [error] [client xxx.xxx.xxx.xxx] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
> > > [Tue Sep 24 03:01:12 2002] [error] [client xxx.xxx.xxx.xxx] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
>
> The above are the Apache chunked exploit
>
> > > [Tue Sep 24 03:01:20 2002] [error] mod_ssl: SSL handshake failed (server yyy.yyy.yyy.yyy:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)
> > > [Tue Sep 24 03:01:20 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
> > > [Tue Sep 24 03:01:21 2002] [notice] child pid 27426 exit signal Segmentation fault (11)
> >
> > I could be wrong, but isn't this the slapper worm broadcasting?
> >
> I think you are correct! And I could be wrong also!!!
> look for /tmp/.bugtrac.c and /tmp/.bugtraq
>
> Gerald
> --
Thanks to all...there is no trace of the .bugtraq or .bugtrac.c in /tmp. I
had thought that the 'BlowChunks' module/fix for Apache gave some indication
in the log that that was the cause...maybe the Cobalt/Sun patch negated
that...
A very grateful Paul
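
An added example, not part of the original messages: a small Python triage of an Apache error_log for the sequence quoted in this thread (an HTTP/1.1 request without a hostname, then a mod_ssl handshake failure from the same client, then a child segfault), plus a check for the two /tmp file names mentioned. The sample log lines, IP addresses, the 60-second window and the function names are constructed for illustration.

```python
import os, re
from datetime import datetime, timedelta

# Constructed sample in the error_log format quoted above; IPs are documentation ranges.
SAMPLE = """\
[Tue Sep 24 03:01:12 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Tue Sep 24 03:01:20 2002] [error] mod_ssl: SSL handshake failed (server 198.51.100.5:443, client 192.0.2.10) (OpenSSL library error follows)
[Tue Sep 24 03:01:20 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Tue Sep 24 03:01:21 2002] [notice] child pid 27426 exit signal Segmentation fault (11)
[Tue Sep 24 04:10:00 2002] [error] [client 203.0.113.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
"""

LINE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] (.*)$")
CLIENT = re.compile(r"client (\d+\.\d+\.\d+\.\d+)")

def parse(text):
    """Yield (timestamp, client_ip_or_None, message); skip malformed lines."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        ip = CLIENT.search(m.group(3))
        yield ts, ip.group(1) if ip else None, m.group(3)

def triage(text, window=timedelta(seconds=60)):
    """Per client: hostless request, then SSL handshake failure, then child segfault."""
    events = list(parse(text))
    probes = {}    # ip -> time of its latest hostless request
    findings = {}  # ip -> how far the quoted sequence progressed
    for ts, ip, msg in events:
        if ip and "request without hostname" in msg:
            probes[ip] = ts
            findings.setdefault(ip, "probe-only")
        elif ip and "SSL handshake failed" in msg and ip in probes and ts - probes[ip] <= window:
            # The segfault line carries no client address, so correlate it by time only.
            crashed = any("exit signal Segmentation fault" in m and timedelta(0) <= t - ts <= window
                          for t, _, m in events)
            findings[ip] = "probe+ssl-failure+child-crash" if crashed else "probe+ssl-failure"
    return findings

def dropped_files(tmpdir="/tmp"):
    """Return which of the two file names mentioned in the thread exist in tmpdir."""
    return [n for n in (".bugtraq", ".bugtrac.c") if os.path.exists(os.path.join(tmpdir, n))]

if __name__ == "__main__":
    print(triage(SAMPLE), dropped_files())
```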