SANS ISC: Port 1080, 3127 and 3128; Apache-SSL Optional Client Certificate Vulnerability - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Port 1080, 3127 and 3128

There has been an increase of attempts directed at port 1080, 3127 and 3128 for the past few days. At this point of time, no firm conclusion can be made on these activities.


F-Secure reported a new worm (Vesser) that might be responsible for these activities. This worm spreads through the backdoor of Mydoom and SoulSeek P2P program. As reported, it will remove Mydoom backdoor on infected machines. It contains an IRC-based backdoor and HTTP proxy:

http://www.f-secure.com/v-descs/vesser.shtml


Symantec's W32.HLLW.Deadhat writeup:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deadhat.html
NAI also calls it Deadhat:

http://vil.nai.com/vil/content/v_101000.htm

Let us know if you have further details on this worm.


Apache-SSL optional client certificate vulnerability

A vulnerability is reported in Apache-SSL optional client certificate configuration. If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions would permit a client to use real basic authentication to forge a client certificate.

The vendor has issued a fixed version of Apache-SSL (1.3.29+1.53):

http://www.apache-ssl.org/advisory-20040206.txt