Inktomi Corporation Information for VU#102795

OpenSSL servers contain a buffer overflow during the SSL2 handshake process

Status

Not Affected

Vendor Statement

As noted in the advisory, server log messages such as

GET /mod_ssl:error:HTTP-request HTTP/1.0

do not necessarily indicate access by a compromised system. Any HTTP request to a port expecting to serve HTTPS requests will generate this log message.  The Inktomi web crawler follows URL links published on public web pages and is sometimes incorrectly directed to https servers.  The crawler does not use Apache nor mod_ssl (nor any kind of SSL), so it is not subject to the compromise described in this advisory. But crawler requests can match two of the listed symptoms of the Apache/mod_ssl worm:

    Probing -- Scanning on 80/tcp
    Propagation -- Connections to 443/tcp

The crawler does not use port 2002 nor UDP.  Port 80 access or HTTPS handshake errors from an Inktomi web crawler do not represent an attack on your web server.

Inktomi crawler systems have hostnames of the form

    j[1-9][0-9][0-9][0-9].inktomisearch.com
    si[1-9][0-9][0-9][0-9].inktomisearch.com


The IP addresses of Inktomi crawler hosts will reverse-DNS resolve to a name of this form.
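The check described in the statement above can be scripted for log triage. The following is an added example, not code from Inktomi or CERT: it assumes a common-log-format access log with the client address as the first field, and it goes one step beyond the statement by forward-confirming the PTR name, since a PTR record is set by whoever controls the reverse zone for an address. The log lines, addresses and DNS tables are constructed.

```python
import re
import socket

# Hostname forms quoted in the vendor statement; fullmatch() rejects suffix tricks.
CRAWLER_HOST = re.compile(r"(?:j|si)[1-9][0-9]{3}\.inktomisearch\.com\.?", re.I)
MARKER = "GET /mod_ssl:error:HTTP-request HTTP/1.0"

def reverse_lookup(ip):
    """PTR name for ip, or None when there is no reverse mapping."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(name):
    """Set of IPv4 addresses the name resolves to (empty on failure)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def classify(ip, reverse=reverse_lookup, forward=forward_lookup):
    name = reverse(ip)
    if name is None or not CRAWLER_HOST.fullmatch(name):
        return "unexplained"          # not a crawler name: keep investigating
    if ip not in forward(name):
        return "ptr-unconfirmed"      # PTR claims the form, forward DNS disagrees
    return "inktomi-crawler"

def triage(log_lines, reverse=reverse_lookup, forward=forward_lookup):
    """Map each client that logged MARKER to a verdict (client = first field)."""
    clients = {line.split()[0] for line in log_lines if MARKER in line}
    return {ip: classify(ip, reverse, forward) for ip in sorted(clients)}

# Constructed sample data: documentation addresses and a stand-in DNS table.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Sep/2002:10:01:00 +0000] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 385',
    '198.51.100.7 - - [16/Sep/2002:10:02:00 +0000] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 385',
    '203.0.113.5 - - [16/Sep/2002:10:03:00 +0000] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 385',
    '192.0.2.99 - - [16/Sep/2002:10:04:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
]
SAMPLE_PTR = {"192.0.2.10": "si3001.inktomisearch.com",
              "198.51.100.7": "j1234.inktomisearch.com.example.net",
              "203.0.113.5": "j2002.inktomisearch.com"}
SAMPLE_A = {"si3001.inktomisearch.com": {"192.0.2.10"}}

if __name__ == "__main__":
    verdicts = triage(SAMPLE_LOG, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))
    for ip, verdict in verdicts.items():
        print(ip, verdict)
```

Calling triage() with only the log lines uses the system resolver instead of the constructed tables.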

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The advisory mentioned in the statement above refers to CERT® Advisory CA-2002-27 Apache/mod_ssl Worm. It had initially misidentified early reports of log entries containing "GET /mod_ssl:error:HTTP-request HTTP/1.0" as potential signs of infection with the Apache/mod_ssl "Slapper" Worm.

If you have feedback, comments, or additional information about this vulnerability, please send us email.