
OpenSSL Problems

Discussion in 'General Discussion' started by bert, Sep 22, 2002.

  1. bert

    bert Well-Known Member

    Joined:
    Aug 21, 2001
    Messages:
    602
    Likes Received:
    0
    Trophy Points:
    16
    Apache is going down on two of our servers every few hours. It does not restart on its own, so chkservd restarts it. The error log is showing these errors:

    [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
    [warn] pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
    [crit] (98)Address already in use: make_sock: could not bind to port 443

    Could this be related to the new OpenSSL worm? Any thoughts?
     
  2. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by bert:

    > Apache is going down on two of our servers every few hours. It does not restart on its own, so chkservd restarts it. The error log is showing these errors:
    >
    > [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
    > [warn] pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
    > [crit] (98)Address already in use: make_sock: could not bind to port 443
    >
    > Could this be related to the new OpenSSL worm? Any thoughts?

    What is your Red Hat version?
    Also, what is your OpenSSL release?
    Try this:
    rpm -qa 'openssl*'
     
  3. bert

    Running RedHat 7.2 - 2.4.18
    openssl095a-0.9.5a-18
    openssl-devel-0.9.6b-28
    openssl-0.9.6b-28

    The same applies to both servers.
     
  4. itf

    Search your log files. Do you have some tracks like these?

    [13/Sep/2002 21:22:03 17376] [error] SSL handshake failed (server
    host.domain.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error
    follows)
    [13/Sep/2002 21:22:03 17376] [error] OpenSSL: error:1406B458:SSL
    routines:GET_CLIENT_MASTER_KEY:key arg too long
     
  5. bert

    Yes!

    [Sun Sep 22 09:38:10 2002] [error] mod_ssl: SSL handshake failed (server server18.pronicsolutions.com:443, client 62.31.248.32) (OpenSSL library error follows)
    [Sun Sep 22 09:38:10 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long

    On both servers.
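
The log check described in the posts above, written out as a script. This is an added example, not part of the original thread; the sample log is constructed (documentation addresses, hypothetical host name www.example.com) and the function names are this example's own.

```shell
#!/bin/sh
# Added example: list clients whose failed SSL handshake is explained by the
# "key arg too long" OpenSSL error quoted in the posts above.

# Reads an Apache error_log on stdin, prints "<count> <client-ip>" lines.
slapper_probe_clients() {
    awk '
        # mod_ssl logs the client on the handshake line ...
        /SSL handshake failed/ {
            client = ""
            if (match($0, /client [0-9.]+\)/))
                client = substr($0, RSTART + 7, RLENGTH - 8)
            next
        }
        # ... and the reason on the OpenSSL line that follows it.
        /OpenSSL: error:/ {
            if (client != "" && /GET_CLIENT_MASTER_KEY:key arg too long/)
                hits[client]++
            client = ""   # any OpenSSL line closes the pending handshake
        }
        END { for (c in hits) print hits[c], c }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log: documentation addresses, hypothetical host name.
sample_log() {
    cat <<'EOF'
[Sun Sep 22 09:38:10 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sun Sep 22 09:38:10 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sun Sep 22 09:41:52 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 203.0.113.5) (OpenSSL library error follows)
[Sun Sep 22 09:41:52 2002] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
[Sun Sep 22 10:02:17 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 198.51.100.7) (OpenSSL library error follows)
[Sun Sep 22 10:02:17 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sun Sep 22 11:15:40 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Sun Sep 22 11:15:40 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
EOF
}

sample_log | slapper_probe_clients
```

On a real host, feed it the server's own error log on stdin; the handshake failure caused by a different OpenSSL error (203.0.113.5 in the sample) is deliberately not counted.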
     
  6. itf

    Originally posted by bert:

    > Yes!
    >
    > [Sun Sep 22 09:38:10 2002] [error] mod_ssl: SSL handshake failed (server server18.pronicsolutions.com:443, client 62.31.248.32) (OpenSSL library error follows)
    > [Sun Sep 22 09:38:10 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
    >
    > On both servers.

    Unfortunately, these are tracks of the Slapper worm virus, but don't worry, I'll help you.

    It uses a buffer overflow for a DoS attack.

    But did your Apache fail after those tracks of errors?
     
  7. bert

    Yes, Apache fails on these two boxes after that. It is not restarted on its own, but with the help of chkservd.

    Our servers are behind a firewall, though; even if we get the worm, the worm will not be able to attack other machines. However, this is very annoying because it kills Apache every few minutes/hours.

    Do you have a suggestion to block these?
     
  8. itf

    First, if you have other boxes:
    pico /etc/httpd/conf/httpd.conf

    And put this line in it:

    ServerTokens ProductOnly

    Restart Apache.

    These two servers were using the latest patched builds by Red Hat, but they got infected. Maybe it is a newer version of that worm or a weakness in the patches; first we have to find this out.

    Did you install the latest buildapache.sea?
     
  9. bert

    Hmmm. You mean they are infected? Any tips on removing the worm?

    I ran buildapache about a week ago when the worm first came out; it is the one before the latest, I believe.
     
  10. itf

    Originally posted by bert:

    > Hmmm. You mean they are infected? Any tips on removing the worm?
    >
    > I ran buildapache about a week ago when the worm first came out; it is the one before the latest, I believe.

    Maybe, but if you want to make sure, install the latest buildapache.sea, then re-install your current openssl RPM packages from Red Hat, reboot your system and wait for Apache to go down, then let me know that error.
     
  11. bert

    You mean re-install the existing RPM packages after recompiling Apache?
     
  12. bert

    I searched the machines for bugtraq and could not find anything. I will in the meantime start recompiling Apache on them.

    By the way, what is the directive you asked me to put in httpd.conf for?

    Thanks!!!
     
  13. itf

    Bert,

    In a root SSH session, use this command:

    find /tmp -name '.bug*'

    and let me know if you have these files.

    If you don't have these files, you are not infected.

    /tmp/.uubugtraq
    /tmp/.bugtraq.c
    /tmp/.bugtraq


    Also check if you have a running process with this name: '.bugtraq'
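
The file and process check from the post above as one script, added here as an example and not part of the original thread. It tests the three file names explicitly because the glob `.bug*` does not match `.uubugtraq`; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the Slapper artifacts named in the post above.

# Print each of the three dropped files that exists under $1 (default /tmp).
slapper_files() {
    dir=${1:-/tmp}
    for f in .uubugtraq .bugtraq.c .bugtraq; do
        if [ -e "$dir/$f" ]; then
            printf '%s\n' "$dir/$f"
        fi
    done
    return 0
}

# Read "PID COMMAND" lines (the output of: ps -e -o pid= -o comm=) and print
# the PIDs whose command name, with any directory stripped, is ".bugtraq".
slapper_procs() {
    awk '{ n = split($2, p, "/"); if (p[n] == ".bugtraq") print $1 }'
}

# Combined check: returns 0 when nothing is found, 1 with a report otherwise.
check_slapper() {
    files=$(slapper_files "${1:-/tmp}")
    pids=$(ps -e -o pid= -o comm= | slapper_procs)
    if [ -z "$files" ] && [ -z "$pids" ]; then
        echo "clean: no .bugtraq files or process"
        return 0
    fi
    [ -z "$files" ] || printf 'files present:\n%s\n' "$files"
    [ -z "$pids" ] || printf '.bugtraq process pids:\n%s\n' "$pids"
    return 1
}

# Typical use from a root shell:  check_slapper /tmp
```

The process check is kept separate from the file check because a process can keep running after its files have been deleted from /tmp.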
     
  14. bert

    I already did it, you probably missed my earlier post. I did not find anything on any machine.

    Could you tell me though what is the ServerTokens ProductOnly entry for?

    I am rebuilding apache as I write this.

    Thanks again :)
     
  15. itf

    Originally posted by bert:

    > I already did it, you probably missed my earlier post. I did not find anything on any machine.
    >
    > Could you tell me though what is the ServerTokens ProductOnly entry for?
    >
    > I am rebuilding apache as I write this.
    >
    > Thanks again :)

    If you don't have the bugtraq file, or it in your processes, your systems are clear; it was an attempt by Slapper without any success. :)

    OK, Slapper uses the Apache and OpenSSL versions via HTTP headers; by putting ServerTokens in your httpd.conf, it will ignore your system.
     
  16. bert

    Thanks for all your help!

    Still, should I just live with apache crashing in these two machines without paying much attention?
     
  17. itf

    Originally posted by bert:

    > Thanks for all your help!
    >
    > Still, should I just live with apache crashing in these two machines without paying much attention?

    After upgrading buildapache.sea, try /scripts/upcp and then reboot your server.
     
  18. bert

    I will certainly do that.

    Thanks again for all the help :)
     
  19. itf

    For the others who may read this thread:

    If you have security updates enabled in WHM you shouldn't have to worry about this.

    Read this thread for more information (I discussed it there):

    http://forums.cpanel.net/read.php?TID=4602
     