OpenSSL Problems

[bert]

Apache is going down on two of our servers every few hours, it does not restart on its own, so chkservd restarts it, the error log is showing these errors:

[error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[warn] pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[crit] (98)Address already in use: make_sock: could not bind to port 443

Could this be related to the new OpenSSL worm? Any thoughts?

 

[itf]

[quote:c7b35f2dc9][i:c7b35f2dc9]Originally posted by bert[/i:c7b35f2dc9]

Apache is going down on two of our servers every few hours, it does not restart on its own, so chkservd restarts it, the error log is showing these errors:

[error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[warn] pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[crit] (98)Address already in use: make_sock: could not bind to port 443

Could this be related to the new OpenSSL worm? Any thoughts?
[/quote:c7b35f2dc9]
What is your Red Hat version?
Also what is your OpenSSL release?
try this
rpm -qa openssl*

 

[bert]

Running RedHat 7.2 - 2.4.18
openssl095a-0.9.5a-18
openssl-devel-0.9.6b-28
openssl-0.9.6b-28

The same apply to both servers.

 

[itf]

Search your log files Do you have some like these tracks:

[13/Sep/2002 21:22:03 17376] [error] SSL handshake failed (server
host.domain.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error
follows)
[13/Sep/2002 21:22:03 17376] [error] OpenSSL: error:1406B458:SSL
routines:GET_CLIENT_MASTER_KEY:key arg too long

 

[bert]

Yes!

[Sun Sep 22 09:38:10 2002] [error] mod_ssl: SSL handshake failed (server server18.pronicsolutions.com:443, client 62.31.248.32) (OpenSSL library error follows)
[Sun Sep 22 09:38:10 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long

On both servers.

 

[itf]

[quote:bfe54dee58][i:bfe54dee58]Originally posted by bert[/i:bfe54dee58]

Yes!

[Sun Sep 22 09:38:10 2002] [error] mod_ssl: SSL handshake failed (server server18.pronicsolutions.com:443, client 62.31.248.32) (OpenSSL library error follows)
[Sun Sep 22 09:38:10 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long

On both servers.[/quote:bfe54dee58]
Unfortunately these are tracks of Slapper worm virus, but don't worry I'll help you.

It uses buffer overflow for DoS attack.

But did your apache fail after those tracks of errors?

 

[bert]

Yes, apache fails on these two boxes after that, it is not restarted own its own, but with the help of chkservd.

Our servers are behind a firewall though, even if we get the worm, the worm will not be able to attach other machines, however this is very annoying because it kills apache every few minutes/hours.

Do you have a suggestion to block these?

 

[itf]

First if you have other boxes
pico /etc/httpd/conf/httpd.conf

And put this line in it

ServerTokens ProductOnly

Restart Apache,

These two servers were using the latest patched builds by Red Hat but they infected, may be a newer version of that worm or weakness in patches first we have to find this,

Did you install latest buildapache.sea?

 

[bert]

Hmmm. You mean they are infected? Any tips on removing the worm?

I run buildapache about a week ago when the worm first came out, it is the one before the latest I believe.

 

[itf]

[quote:a61351e0b6][i:a61351e0b6]Originally posted by bert[/i:a61351e0b6]

Hmmm. You mean they are infected? Any tips on removing the worm?

I run buildapache about a week ago when the worm first came out, it is the one before the latest I believe.[/quote:a61351e0b6]

May be, but if you want to make sure, install the latest buildapache.sea, then re-install your current openssl RPM packages from Red Hat, reboot your system and wait for an Apache server down then let me know that error.

 

[bert]

You mean re-install the existing RPM packages after recompiling Apache?

 

[bert]

I searched the machines for bugtraq and could not find anything. I will in the mean time start recompiling apache on them.

By the way, what is the directive you asked me to put in httpd.conf for?

Thanks!!!

 

[itf]

Bert,

in a Root SSH session use this command:

find /tmp -name '.bug*'

and let me know if you have these files

If you haven't these file you are not infected.

/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq


Also check if you have a running process with this name: '.bugtraq'

 

[bert]

I already did it, you probably missed my earlier post. I did not find anything on any machine.

Could you tell me though what is the ServerTokens ProductOnly entry for?

I am rebuilding apache as I write this.

Thanks again

 

[itf]

[quote:40d73625d2][i:40d73625d2]Originally posted by bert[/i:40d73625d2]

I already did it, you probably missed my earlier post. I did not find anything on any machine.

Could you tell me though what is the ServerTokens ProductOnly entry for?

I am rebuilding apache as I write this.

Thanks again [/quote:40d73625d2]
If you haven't bugtraq file or in your process your systems are clear, it was an attempt by Slapper without any success.

OK., Slapper uses Apache and OpenSSL versions via HTTP headers, by putting ServerTokens in your httpd.conf it will ignore your system

 

[bert]

Thanks for all your help!

Still, should I just live with apache crashing in these two machines without paying much attention?

 

[itf]

[quote:6feb79c9bb][i:6feb79c9bb]Originally posted by bert[/i:6feb79c9bb]

Thanks for all your help!

Still, should I just live with apache crashing in these two machines without paying much attention?[/quote:6feb79c9bb]
After upgrading buildapache.sea, try /scripts/upcp and then reboot your server

 

[bert]

I will certainly do that.

Thanks again for all the help

 

[itf]

For the Others who may read this thread:

If you have security updates enabled in WHM you shouldn't have to worry about this.

read this thread for more information (I discussed there):

http://forums.cpanel.net/read.php?TID=4602

 

[itf]

For the Others who may read this thread:

If you have security updates enabled in WHM you shouldn't have to worry about this.

read this thread for more information (I discussed there):

http://forums.cpanel.net/read.php?TID=4602