Hello!

On Mon, Apr 14, 2014 at 03:03:54PM -0400, itpp2012 wrote:

> Fyi. if you are running a ssl tunnel like stunnel with openssl 0.9.x, this
> attack is logged as "SSL3_GET_RECORD:wrong version number" as opposed to no
> nginx/openssl logging.
>
> If you have logging going back 2 years and you are seeing these log entries
> now, you may be able to detect attacks from before 7-4-2014.
>
> Here we have many stunnels with openssl 0.9.x and found the first attacks
> at: 2014.04.08 22:19:14 (CET) in more then 2 years of logging.

I suspect that this is just a particular script to exploit the
vulnerability, which doesn't care much about being correct and
is seen this way due to incorrect handshake. Proper exploitation
shouldn't be detectable this way.

And yes, it's seen on more or less any 0.9.x OpenSSL
installation, including nginx:

2014/04/15 04:02:57 [info] 48738#0: *2785200 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number) while SSL handshaking, client: 182.118.48.115, server: 0.0.0.0:443

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx