OpenSSL Problems

[quote:c7b35f2dc9][i:c7b35f2dc9]Originally posted by bert[/i:c7b35f2dc9]

Apache is going down on two of our servers every few hours, it does not restart on its own, so chkservd restarts it, the error log is showing these errors:

[error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[warn] pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[crit] (98)Address already in use: make_sock: could not bind to port 443

Could this be related to the new OpenSSL worm? Any thoughts?
[/quote:c7b35f2dc9]
What is your Red Hat version?
Also what is your OpenSSL release?
try this
rpm -qa openssl*

 

Search your log files Do you have some like these tracks:

[13/Sep/2002 21:22:03 17376] [error] SSL handshake failed (server
host.domain.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error
follows)
[13/Sep/2002 21:22:03 17376] [error] OpenSSL: error:1406B458:SSL
routines:GET_CLIENT_MASTER_KEY:key arg too long

 

[quote:bfe54dee58][i:bfe54dee58]Originally posted by bert[/i:bfe54dee58]

Yes!

[Sun Sep 22 09:38:10 2002] [error] mod_ssl: SSL handshake failed (server server18.pronicsolutions.com:443, client 62.31.248.32) (OpenSSL library error follows)
[Sun Sep 22 09:38:10 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long

On both servers.[/quote:bfe54dee58]
Unfortunately these are tracks of Slapper worm virus, but don't worry I'll help you.

It uses buffer overflow for DoS attack.

But did your apache fail after those tracks of errors?

 

First if you have other boxes
pico /etc/httpd/conf/httpd.conf

And put this line in it

ServerTokens ProductOnly

Restart Apache,

These two servers were using the latest patched builds by Red Hat but they infected, may be a newer version of that worm or weakness in patches first we have to find this,

Did you install latest buildapache.sea?

 

[quote:a61351e0b6][i:a61351e0b6]Originally posted by bert[/i:a61351e0b6]

Hmmm. You mean they are infected? Any tips on removing the worm?

I run buildapache about a week ago when the worm first came out, it is the one before the latest I believe.[/quote:a61351e0b6]

May be, but if you want to make sure, install the latest buildapache.sea, then re-install your current openssl RPM packages from Red Hat, reboot your system and wait for an Apache server down then let me know that error.

 

Bert,

in a Root SSH session use this command:

find /tmp -name '.bug*'

and let me know if you have these files

If you haven't these file you are not infected.

/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq


Also check if you have a running process with this name: '.bugtraq'

 

[quote:40d73625d2][i:40d73625d2]Originally posted by bert[/i:40d73625d2]

I already did it, you probably missed my earlier post. I did not find anything on any machine.

Could you tell me though what is the ServerTokens ProductOnly entry for?

I am rebuilding apache as I write this.

Thanks again [/quote:40d73625d2]
If you haven't bugtraq file or in your process your systems are clear, it was an attempt by Slapper without any success.

OK., Slapper uses Apache and OpenSSL versions via HTTP headers, by putting ServerTokens in your httpd.conf it will ignore your system

 

[quote:6feb79c9bb][i:6feb79c9bb]Originally posted by bert[/i:6feb79c9bb]

Thanks for all your help!

Still, should I just live with apache crashing in these two machines without paying much attention?[/quote:6feb79c9bb]
After upgrading buildapache.sea, try /scripts/upcp and then reboot your server

 

For the Others who may read this thread:

If you have security updates enabled in WHM you shouldn't have to worry about this.

read this thread for more information (I discussed there):

http://forums.cpanel.net/read.php?TID=4602

 

For the Others who may read this thread:

If you have security updates enabled in WHM you shouldn't have to worry about this.

read this thread for more information (I discussed there):

http://forums.cpanel.net/read.php?TID=4602