OpenSSL worm in the wild

Peter Van Epp vanepp at sfu.ca
Fri Sep 13 20:22:13 GMT 2002


	Just found our first machine that was hit at 4 this morning. Looks 
like a fast spreading worm because it has found lots of other people to chat
with on  UDP port 2002 in between doing port scans of port 80 (as usual,
argus to the rescue :-) ...) I expect a perl script to check for this is 
in order as well (although, again as usual the mark one eyeball does a fine
job too):

13 Sep 02 04:03:58    tcp  217.153.81.210.49378  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:03:58    tcp  217.153.81.210.49381  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:03:58    tcp  217.153.81.210.49383  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:03:59    tcp  217.153.81.210.49384  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:03:59    tcp  217.153.81.210.49385  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:03:59    tcp  217.153.81.210.49386  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:00    tcp  217.153.81.210.49387  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:00    tcp  217.153.81.210.49390  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:03    tcp  217.153.81.210.49392  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:04    tcp  217.153.81.210.49393  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:04    tcp  217.153.81.210.49394  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:05:05    udp  192.217.228.39.2002  <->     aaa.bb.ccc.dd.2002  1        1         102          60          ACC
13 Sep 02 04:04:04    tcp  217.153.81.210.49531  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:05:05    udp  192.217.228.39.2002  <->     aaa.bb.ccc.dd.2002  1        1         60           70          ACC
13 Sep 02 04:05:05    udp   aaa.bb.ccc.dd.2002  <->   141.211.107.134.2002  1        1         102          60          ACC
13 Sep 02 04:04:05    tcp  217.153.81.210.49550  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:05    tcp  217.153.81.210.49553  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:05:06    udp   aaa.bb.ccc.dd.2002  <->      65.126.190.2.2002  1        1         102          60          ACC
13 Sep 02 04:05:06    udp   aaa.bb.ccc.dd.2002  <->    208.254.142.45.2002  1        1         102          60          ACC
13 Sep 02 04:05:07    udp   aaa.bb.ccc.dd.2002   ->    209.41.200.120.2002  1        0         83           0           INT
13 Sep 02 04:04:05    tcp  217.153.81.210.49554  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:05:06    udp   aaa.bb.ccc.dd.2002  <->     66.134.87.107.2002  1        1         83           60          ACC
13 Sep 02 04:05:06    udp   aaa.bb.ccc.dd.2002  <->   211.239.150.170.2002  1        1         83           60          ACC
13 Sep 02 04:05:06    udp   aaa.bb.ccc.dd.2002   ->      24.91.41.104.2002  1        0         83           0           INT
13 Sep 02 04:04:06    tcp  217.153.81.210.49555  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:06    tcp  217.153.81.210.49556  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:06    tcp  217.153.81.210.49557  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:07    tcp  217.153.81.210.49558  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:07    tcp  217.153.81.210.49559  ->     aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:08    tcp  217.153.81.210.49565  ->     aaa.bb.ccc.dd.443   7        7         760          1726        EST
13 Sep 02 04:05:09    udp   aaa.bb.ccc.dd.2002  <->      160.36.28.79.2002  1        1         102          60          ACC
13 Sep 02 04:05:09    udp   aaa.bb.ccc.dd.2002   ->    140.116.246.90.2002  1        0         83           0           INT
13 Sep 02 04:05:09    udp   aaa.bb.ccc.dd.2002   ->      62.99.176.58.2002  1        0         83           0           INT
13 Sep 02 04:05:09    udp   aaa.bb.ccc.dd.2002  <->    211.239.151.38.2002  1        1         83           60          ACC
13 Sep 02 04:04:08    tcp  217.153.81.210.49566  ->     aaa.bb.ccc.dd.443   254      609       114583       145850      EST
13 Sep 02 04:05:07    udp   aaa.bb.ccc.dd.2002   ->     202.9.144.251.2002  1        0         83           0           INT
13 Sep 02 04:05:09    udp   aaa.bb.ccc.dd.2002  <->      193.79.99.16.2002  1        1         83           60          ACC
... (lots and lots more until urp something ate the network connection ...)

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


	From this morning on Bugtraq:

> From: Dave Ahmad <da at securityfocus.com>
> 
> Ok,
> 
> The incident analysis team over here is examining this thing.  At first
> glance it looks reasonably sophisticated.  Looks to me like it exploits
> the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
> It seems to pick targets based on the "Server:" HTTP response field.
> Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
> setting it to ProductOnly to turn away at least this version of the exploit
> until fixes can be applied.  Another thing to note is that it communicates
> with its friends over UDP / port 2002.
> 
> I'd like to request IP addresses of hosts that have been compromised or
> that are currently attacking systems from anyone who is comfortable
> sharing this information.  We wish to run it through TMS (formerly
> known as ARIS) to see how quickly it is propagating.
> 
> David Ahmad
> Symantec
> http://www.symantec.com/
> 



More information about the unisog mailing list