Inktomi Corporation Information for VU#102795
OpenSSL servers contain a buffer overflow during the SSL2 handshake process
As noted in the advisory, server log messages such as
GET /mod_ssl:error:HTTP-request HTTP/1.0
do not necessarily indicate access by a compromised system. Any HTTP request to a port expecting to serve HTTPS requests will generate this log message. The Inktomi web crawler follows URL links published on public web pages and is sometimes incorrectly directed to HTTPS servers. The crawler does not use Apache or mod_ssl (or any kind of SSL), so it is not subject to the compromise described in this advisory. But crawler requests can match two of the listed symptoms of the Apache/mod_ssl worm:
Probing -- Scanning on 80/tcp
Propagation -- Connections to 443/tcp
The crawler does not use port 2002 or UDP. Port 80 access or HTTPS handshake errors from an Inktomi web crawler do not represent an attack on your web server.
Inktomi crawler systems have hostnames of the form
The IP addresses of Inktomi crawler hosts will reverse-DNS resolve to a name of this form.
The vendor has not provided us with any further information regarding this vulnerability.
The advisory mentioned in the statement above refers to CERT® Advisory CA-2002-27 Apache/mod_ssl Worm. It had initially misidentified early reports of log entries containing "GET /mod_ssl:error:HTTP-request HTTP/1.0" as potential signs of infection with the Apache/mod_ssl "Slapper" Worm.
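Added example (not part of the vendor statement or the CERT note): a Python triage of the log entry quoted above that attributes each source IP to a crawler by DNS. It goes one step beyond the reverse-DNS check in the statement by also resolving the name forward and requiring it to map back to the same IP. The suffix ".crawler.example", the function names and the sample log lines are assumptions constructed for illustration; the page does not give the crawler hostname form.

```python
import re
import socket
from collections import Counter

MARKER = "GET /mod_ssl:error:HTTP-request HTTP/1.0"  # log entry quoted on the page
CRAWLER_SUFFIX = ".crawler.example"  # assumed placeholder, not Inktomi's real form
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<req>[^"]*)"')

def marker_sources(lines):
    """Count marker entries per client IP in common-log-format lines."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("req") == MARKER:
            hits[m.group("ip")] += 1
    return hits

def dns_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # no PTR record or resolver failure
        return None

def dns_forward(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_crawler(ip, reverse=dns_reverse, forward=dns_forward, suffix=CRAWLER_SUFFIX):
    """PTR name must match the suffix AND resolve back to the same IP,
    because the owner of an address block controls its PTR records."""
    name = (reverse(ip) or "").lower().rstrip(".")
    return name.endswith(suffix) and ip in forward(name)

def triage(lines, reverse=dns_reverse, forward=dns_forward):
    """'crawler' = confirmed by DNS; 'unverified' = check the other symptoms."""
    return {ip: "crawler" if is_crawler(ip, reverse, forward) else "unverified"
            for ip in marker_sources(lines)}

# Constructed sample data (documentation address ranges), not real log entries.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Sep/2002:10:00:00 +0000] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 385',
    '192.0.2.10 - - [16/Sep/2002:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '198.51.100.7 - - [16/Sep/2002:10:01:00 +0000] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 385',
    '203.0.113.5 - - [16/Sep/2002:10:02:00 +0000] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 385',
]
SAMPLE_PTR = {"192.0.2.10": "c1.crawler.example", "198.51.100.7": "c9.crawler.example"}
SAMPLE_A = {"c1.crawler.example": ["192.0.2.10"], "c9.crawler.example": ["192.0.2.99"]}
```

An "unverified" result is not evidence of compromise, since any plain HTTP request to an HTTPS port produces the same entry; it only means the source could not be attributed to the crawler, so the other listed symptoms (port 2002, UDP traffic) are what to check next.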