Dave Ahmad <da@securityfocus.com> writes:
> The incident analysis team over here is examining this thing. At first
> glance it looks reasonably sophisticated. Looks to me like it exploits
> the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
> It seems to pick targets based on the "Server:" HTTP response field.
> Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
> setting it to ProductOnly to turn away at least this version of the exploit
> until fixes can be applied.

Since this workaround requires changing the configuration file, it's equally
easy to disable SSLv2 entirely--especially since one could easily modify the
worm to attack all servers or, perhaps, those which only display Product ID :)

-Ekr

--
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
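As an added illustration (not part of the original mail), the following script audits an Apache httpd.conf for the two configuration-file workarounds discussed in the thread: a ServerTokens setting that still advertises the version, and an SSLProtocol line that leaves SSLv2 enabled. The two sample configs it writes to temp files are constructed for the example; the directive names are real mod_ssl/Apache directives.

```shell
# Added example: check an httpd.conf for the workarounds discussed above.
WEAK_CONF=$(mktemp) ; HARD_CONF=$(mktemp)

# Constructed "before": default ServerTokens and every SSL protocol enabled.
cat > "$WEAK_CONF" <<'EOF'
ServerTokens Full
<IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol all
</IfModule>
EOF

# Constructed "after": only the product name in Server:, SSLv2 switched off.
cat > "$HARD_CONF" <<'EOF'
ServerTokens ProductOnly
<IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol all -SSLv2
</IfModule>
EOF

# Exit 0 if some SSLProtocol line explicitly excludes SSLv2, 1 otherwise
# (including when the directive is absent and mod_ssl falls back to "all").
sslv2_disabled() {
    grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$1" \
        | grep -Eiq '(^|[[:space:]])-SSLv2([[:space:]]|$)'
}

# Exit 0 if ServerTokens is ProductOnly (or its alias Prod), so the
# Server: header carries just "Apache" with no version string.
servertokens_minimal() {
    grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+(ProductOnly|Prod)[[:space:]]*$' "$1"
}

# Print one finding per check; exit 0 only when both workarounds are in place.
audit_conf() {
    rc=0
    if sslv2_disabled "$1"; then echo "$1: SSLv2 disabled"
    else echo "$1: SSLv2 still enabled"; rc=1; fi
    if servertokens_minimal "$1"; then echo "$1: ServerTokens minimal"
    else echo "$1: ServerTokens leaks version"; rc=1; fi
    return $rc
}

audit_conf "$WEAK_CONF" || true
audit_conf "$HARD_CONF"
```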