[unisog] Re: OpenSSL worm in the wild

Jordan K Wiens jwiens at nersp.nerdc.ufl.edu
Mon Sep 16 14:31:36 GMT 2002


From our experience here, that appears to be an actual hacker compromise
rather than the ssl worm.  The ssl worm makes no mention of httpd, and
unless it was used for extra command execution after compromise, it doesn't
come with any privilege escalation code--we ~have~ seen this exploited by
a hacker with code in /tmp/ for httpd as you describe.  It appears that
they've been actively exploiting this for about a week now, slightly before
the worm.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Fri, 13 Sep 2002, E. Larry Lidz wrote:

>
> Paul Dokas writes:
> >On Fri, 13 Sep 2002 13:22:13 -0700 (PDT), Peter Van Epp <vanepp at sfu.ca> wrote:
> >> 	Just found our first machine that was hit at 4 this morning. Looks
> >> like a fast spreading worm because it has found lots of other people to chat
> >> with on  UDP port 2002 in between doing port scans of port 80 (as usual,
> >> argus to the rescue :-) ...) I expect a perl script to check for this is
> >> in order as well (although, again as usual the mark one eyeball does a fine
> >> job too):
> >
> >
> >Yup.  It's definitely in the wild and running around.  This is my first one :-
> >
> >
> > Scanner:  A.B.C.D (XXX.YYY.umn.edu)        10613 hosts touched
> >        2002/09/13 20:48:51 ->2002/09/13 20:59:59
>
> We had a machine infected at 09:05 CDT (GMT-0500) on 2002-09-11. The
> binary was called "httpd" and was stored in /tmp. There was also a
> privilege escalation exploit for linuxconf on the system, but the
> system was patched against it.
>
> -Larry
>
> ---
> E. Larry Lidz                                        Phone: +1 773 702-2208
> Sr. Network Security Officer                         Fax:   +1 773 834-8444
> Network Security Center, The University of Chicago
> PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
>
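The thread above gives two network indicators for the worm's behaviour: infected hosts chatter with each other on UDP port 2002, in between scanning other hosts on TCP port 80. Peter's note that "a perl script to check for this is in order" suggests the kind of check a responder would write against argus flow records. The script below is an added example, not code from the list or from any of the posters; it parses a constructed, simplified flow format (source, destination, protocol, destination port) rather than real argus output, and the hosts, thresholds and sample records are all assumptions.

```python
"""Flag hosts whose flows match the worm pattern described on the list:
peer traffic on UDP/2002 combined with TCP/80 connections to many hosts.

This is an added, illustrative detector. The flow format is a constructed
four-column text layout, not genuine argus output (assumption)."""
from collections import defaultdict

# Constructed sample flow records: "src dst proto dport" per line.
# 10.0.0.5 shows the worm pattern; 10.0.0.9 is an ordinary web client;
# 10.0.0.7 has a single UDP/2002 peer and a single port-80 contact.
SAMPLE_FLOWS = """\
# src            dst              proto dport
10.0.0.5         192.0.2.1        udp   2002
10.0.0.5         192.0.2.2        udp   2002
10.0.0.5         198.51.100.1     tcp   80
10.0.0.5         198.51.100.2     tcp   80
10.0.0.5         198.51.100.3     tcp   80
10.0.0.5         198.51.100.4     tcp   80
10.0.0.5         198.51.100.5     tcp   80
10.0.0.5         198.51.100.6     tcp   80
10.0.0.9         198.51.100.1     tcp   80
10.0.0.9         198.51.100.2     tcp   80
10.0.0.9         203.0.113.7      tcp   443
10.0.0.7         192.0.2.1        udp   2002
10.0.0.7         198.51.100.1     tcp   80
"""


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, proto, dport) tuples.

    Blank lines and '#' comments are skipped; malformed lines are ignored
    rather than aborting the whole run, since flow dumps are often messy."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, proto, dport = parts
        try:
            flows.append((src, dst, proto.lower(), int(dport)))
        except ValueError:
            continue
    return flows


def find_suspect_hosts(flows, min_udp_peers=2, min_scan_targets=5):
    """Return {src: (udp2002_peer_count, tcp80_target_count)} for hosts that
    meet both thresholds.

    Requiring both signals matters: a busy proxy or crawler also touches many
    port-80 hosts, but has no reason to exchange UDP/2002 traffic with peers.
    Thresholds are assumptions and should be tuned to the local baseline."""
    udp_peers = defaultdict(set)
    http_targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "udp" and dport == 2002:
            udp_peers[src].add(dst)
        elif proto == "tcp" and dport == 80:
            http_targets[src].add(dst)

    suspects = {}
    for src in set(udp_peers) | set(http_targets):
        peers = len(udp_peers[src])
        targets = len(http_targets[src])
        if peers >= min_udp_peers and targets >= min_scan_targets:
            suspects[src] = (peers, targets)
    return suspects


if __name__ == "__main__":
    for host, (peers, targets) in sorted(
        find_suspect_hosts(parse_flows(SAMPLE_FLOWS)).items()
    ):
        print(f"{host}: {peers} UDP/2002 peers, {targets} distinct TCP/80 targets")
```

Run against the constructed sample, only 10.0.0.5 is reported. Lowering the thresholds to 1 and 1 also surfaces 10.0.0.7, which is the trade-off to keep in mind when tuning: a low UDP-peer threshold catches a freshly infected host that has only found one peer so far, at the cost of more follow-up on hosts that merely touched one port-80 server. A network check like this only narrows the list; confirming a compromise still means looking at the host itself, for example for the /tmp/httpd binary the posters describe.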