A surge in Internet scanning activity in the past week could indicate a fresh wave of attacks on e-commerce servers, UK-based Web services company Netcraft warned today.
The firm has detected a surge in scans of port 443, used by Secure Sockets Layer (SSL), a technology designed for securely transmitting financial data such as e-commerce transactions. The surge began on 15 July, the day before the public disclosure of a critical flaw in a server module called mod_ssl.
The last time Netcraft observed similar activity was in April, shortly before a wave of attacks on SSL servers that included the compromise of some major e-commerce sites. Attackers used a flaw in Microsoft's implementation of SSL to install malicious code known as "Scob" or "Download.ject" on servers, which in turn implanted a Trojan horse on vulnerable PCs.
Attackers' jobs were made easier by the wide distribution of code exploiting the SSL flaw. As of 9 July, more than 100 Web servers were still distributing Scob, according to enterprise security software maker Websense.
"SSL encrypts sensitive information for e-commerce transactions, and its presence can indicate a high-value target for crackers seeking to steal financial data," said Netcraft's Rich Miller in the firm's report.
The scanning activity may have been prompted by the discovery of a flaw in mod_ssl, which is widely used in Apache servers running OpenSSL to provide SSL and Transport Layer Security (TLS) protocol support, according to Netcraft.
According to the mod_ssl project, which disclosed the bug on 16 July along with a patch, the bug affects Apache 1.3.x and only affects servers running both mod_ssl and another module called mod_proxy. Under certain server configurations, a remote attacker could execute arbitrary code with the same privileges as the user running Apache.
The vendor has released a fix here, and Linux vendors including Gentoo and Debian have begun releasing versions of the fix customised for their distributions. Security organisations including US CERT and Secunia have released advisories on the issue.
SSL servers are often not kept up-to-date with security patches, according to Netcraft. In a survey last autumn the firm found that many servers appeared to be running older, vulnerable installations of OpenSSL. While the information disclosed to the Internet by servers can be suspect, Netcraft said that "it is likely that many of the sites shown as running earlier, vulnerable versions of OpenSSL really are unpatched".