I don't think you'll see anything in the logs, as the exploit is actually in the SSL negotiation phase, before the time that anything would make an http request. Since apache doesn't log just connection attempts, you won't see it. If you turned on some debugging somewhere, you might see traces of it. It's possible that something like snort would not be able to see it either, because the exploit may take place after a secure session is set up. I'm not sure at what point of the ssl negotiation that the exploit actually takes place. Michael D. Cassano wrote: >I second that, none of my machines had any trace in the logs, must be more >hype than propogation. > > >----- Original Message ----- >From: "David Dyer-Bennet" <dd-b at dd-b.net> >To: <tclug-list at mn-linux.org> >Sent: Monday, September 16, 2002 10:11 PM >Subject: Re: [TCLUG] New Internet 'worm' on the loose > > > > >>Still haven't seen any scans from it in my logs, though. Worries me, >>I always wonder if I'm looking for the right thing, but the CERT >>advisory seemed clear enough. >> >>(I seem to have fallen off this list for a while, and finally found >>that I needed to change something on a web page to get back on, >>sending email doesn't seem to be possible. Sigh.) >>-- >>David Dyer-Bennet, dd-b at dd-b.net / http://www.dd-b.net/dd-b/ >> John Dyer-Bennet 1915-2002 Memorial Site http://john.dyer-bennet.net >> Dragaera mailing lists, see http://dragaera.info >>_______________________________________________ >>Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, >> >> >Minnesota > > >>http://www.mn-linux.org >>tclug-list at mn-linux.org >>https://mailman.mn-linux.org/mailman/listinfo/tclug-list >> >> >> > >_______________________________________________ >Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota >http://www.mn-linux.org >tclug-list at mn-linux.org >https://mailman.mn-linux.org/mailman/listinfo/tclug-list > >