A surge in Internet scanning activity in the past week could indicate a fresh wave of attacks on e-commerce servers, UK-based Web services company, Netcraft, has warned.
The firm has detected a surge in scans of port 443, used by Secure Sockets Layer (SSL), a technology designed for securely transmitting financial data such as e-commerce transactions. The surge began on July 15, the day before the public disclosure of a critical flaw in a server module called mod_ssl.
The last time Netcraft observed similar activity was in April, shortly before a wave of attacks on SSL servers that included the compromise of some major e-commerce sites. Attackers used a flaw in Microsoft's implementation of SSL to install malicious code known as Scob" or Download.ject on servers, which in turn implanted a Trojan horse on vulnerable PCs.
Attackers' jobs were made easier by the wide distribution of code exploiting the SSL flaw. As of July 9, more than 100 Web servers were still distributing Scob, according to enterprise security software maker Websense.
"SSL encrypts sensitive information for e-commerce transactions, and its presence can indicate a high-value target for crackers seeking to steal financial data," Netcraft's Rich Miller said.
The scanning activity may have been prompted by the discovery of a flaw in mod_ssl, which is widely used in Apache servers running OpenSSL to provide SSL and Transport Layer Security (TLS) protocol support, according to Netcraft.
According to the mod_ssl project, which disclosed the bug on July 16 along with a patch, the bug affects Apache 1.3.x and only affects servers running both mod_ssl and another module called mod_proxy. Under certain server configurations, a remote attacker could execute arbitrary code with the same privileges as the user running Apache.
The vendor has released a fix here, and Linux vendors including Gentoo and Debian have begun releasing versions of the fix customized for their distributions. Security organisations including US CERT and Secunia have released advisories on the issue.
SSL servers are often not kept up-to-date with security patches, according to Netcraft.
In a survey last year, the firm found that many servers appeared to be running older, vulnerable installations of OpenSSL.
While the information disclosed to the Internet by servers could be suspect, Netcraft said that it was likely that many of the sites shown as running earlier, vulnerable versions of OpenSSL really were unpatched.