[unisog] Re: OpenSSL worm in the wild

John Stauffacher stauffacher at chapman.edu
Mon Sep 16 18:45:54 GMT 2002


We've had one so far: 

206.211.137.29

Thanks goes to f-secure for their timely warning that the box was hit...

++
John Stauffacher
Network Administrator
Chapman University
stauffacher at chapman.edu
714-628-7249

-----Original Message-----
From: Peter Van Epp [mailto:vanepp at sfu.ca] 
Sent: Friday, September 13, 2002 1:22 PM
To: unisog at sans.org; argus
Cc: da at securityfocus.com
Subject: [unisog] Re: OpenSSL worm in the wild

	Just found our first machine that was hit at 4 this morning. Looks
like a fast spreading worm because it has found lots of other people to
chat with on UDP port 2002 in between doing port scans of port 80 (as usual,
argus to the rescue :-) ...) I expect a perl script to check for this is
in order as well (although, again as usual the mark one eyeball does a
fine job too):

13 Sep 02 04:03:58    tcp  217.153.81.210.49378  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:03:58    tcp  217.153.81.210.49381  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:03:58    tcp  217.153.81.210.49383  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:03:59    tcp  217.153.81.210.49384  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:03:59    tcp  217.153.81.210.49385  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:03:59    tcp  217.153.81.210.49386  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:00    tcp  217.153.81.210.49387  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:00    tcp  217.153.81.210.49390  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:03    tcp  217.153.81.210.49392  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:04    tcp  217.153.81.210.49393  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:04    tcp  217.153.81.210.49394  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:05:05    udp  192.217.228.39.2002  <-> aaa.bb.ccc.dd.2002  1        1         102          60          ACC
13 Sep 02 04:04:04    tcp  217.153.81.210.49531  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:05:05    udp  192.217.228.39.2002  <-> aaa.bb.ccc.dd.2002  1        1         60           70          ACC
13 Sep 02 04:05:05    udp   aaa.bb.ccc.dd.2002  <-> 141.211.107.134.2002  1        1         102          60          ACC
13 Sep 02 04:04:05    tcp  217.153.81.210.49550  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:05    tcp  217.153.81.210.49553  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:05:06    udp   aaa.bb.ccc.dd.2002  <-> 65.126.190.2.2002  1        1         102          60          ACC
13 Sep 02 04:05:06    udp   aaa.bb.ccc.dd.2002  <-> 208.254.142.45.2002  1        1         102          60          ACC
13 Sep 02 04:05:07    udp   aaa.bb.ccc.dd.2002   -> 209.41.200.120.2002  1        0         83           0           INT
13 Sep 02 04:04:05    tcp  217.153.81.210.49554  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:05:06    udp   aaa.bb.ccc.dd.2002  <-> 66.134.87.107.2002  1        1         83           60          ACC
13 Sep 02 04:05:06    udp   aaa.bb.ccc.dd.2002  <-> 211.239.150.170.2002  1        1         83           60          ACC
13 Sep 02 04:05:06    udp   aaa.bb.ccc.dd.2002   -> 24.91.41.104.2002  1        0         83           0           INT
13 Sep 02 04:04:06    tcp  217.153.81.210.49555  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:06    tcp  217.153.81.210.49556  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:06    tcp  217.153.81.210.49557  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:07    tcp  217.153.81.210.49558  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:07    tcp  217.153.81.210.49559  -> aaa.bb.ccc.dd.443   2        1         140          74          EST
13 Sep 02 04:04:08    tcp  217.153.81.210.49565  -> aaa.bb.ccc.dd.443   7        7         760          1726        EST
13 Sep 02 04:05:09    udp   aaa.bb.ccc.dd.2002  <-> 160.36.28.79.2002  1        1         102          60          ACC
13 Sep 02 04:05:09    udp   aaa.bb.ccc.dd.2002   -> 140.116.246.90.2002  1        0         83           0           INT
13 Sep 02 04:05:09    udp   aaa.bb.ccc.dd.2002   -> 62.99.176.58.2002  1        0         83           0           INT
13 Sep 02 04:05:09    udp   aaa.bb.ccc.dd.2002  <-> 211.239.151.38.2002  1        1         83           60          ACC
13 Sep 02 04:04:08    tcp  217.153.81.210.49566  -> aaa.bb.ccc.dd.443   254      609       114583       145850      EST
13 Sep 02 04:05:07    udp   aaa.bb.ccc.dd.2002   -> 202.9.144.251.2002  1        0         83           0           INT
13 Sep 02 04:05:09    udp   aaa.bb.ccc.dd.2002  <-> 193.79.99.16.2002  1        1         83           60          ACC
... (lots and lots more until urp something ate the network connection ...)

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


	From this morning on Bugtraq:

> From: Dave Ahmad <da at securityfocus.com>
> 
> Ok,
> 
> The incident analysis team over here is examining this thing.  At first
> glance it looks reasonably sophisticated.  Looks to me like it exploits
> the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
> It seems to pick targets based on the "Server:" HTTP response field.
> Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
> setting it to ProductOnly to turn away at least this version of the exploit
> until fixes can be applied.  Another thing to note is that it communicates
> with its friends over UDP / port 2002.
> 
> I'd like to request IP addresses of hosts that have been compromised or
> that are currently attacking systems from anyone who is comfortable
> sharing this information.  We wish to run it through TMS (formerly
> known as ARIS) to see how quickly it is propagating.
> 
> David Ahmad
> Symantec
> http://www.symantec.com/
> 
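Peter's remark that "a perl script to check for this is in order" and the two observations in the Bugtraq note (the worm picks targets from the "Server:" response header and its peers chatter on UDP port 2002) both reduce to checks a defender can script against argus output. The block below is an added example written for this page, not code from either post or from the argus project, and it is Python rather than Perl. It assumes the ten-column `ra` record layout seen in the quoted argus output (start time, proto, src.port, direction, dst.port, src pkts, dst pkts, src bytes, dst bytes, state); the sample records, the banner string, the function names and the thresholds are the example's own constructed choices, using RFC 5737 documentation addresses rather than the addresses in the thread.

```python
"""Detection helpers for the traffic pattern described in the thread.

Added example, not code from the original posts or from the argus project.
Assumed record layout: the ten argus 'ra' columns visible in the quoted
output. All sample data below is constructed (RFC 5737 addresses).
"""
import re
from collections import defaultdict

# One argus 'ra' record per line (assumed layout, see module docstring).
RECORD = re.compile(
    r"^(?P<date>\d{2} \w{3} \d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<proto>tcp|udp|icmp)\s+(?P<src>\S+)\s+(?P<dir><->|->|<-)\s+(?P<dst>\S+)\s+"
    r"(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+(?P<sbytes>\d+)\s+(?P<dbytes>\d+)\s+"
    r"(?P<state>\w+)$"
)

WORM_UDP_PORT = 2002   # peer-to-peer port named in the Bugtraq note
HTTPS_PORT = 443       # the mod_ssl listener the flows in the thread hit

# Constructed sample: a run of short TLS connections from one source, one
# long session, then UDP/2002 fan-out from the victim; plus benign noise.
SAMPLE_RECORDS = """\
13 Sep 02 04:03:58    tcp  198.51.100.7.49378  ->  192.0.2.10.443   2        1         140          74          EST
13 Sep 02 04:03:58    tcp  198.51.100.7.49381  ->  192.0.2.10.443   2        1         140          74          EST
13 Sep 02 04:03:59    tcp  198.51.100.7.49383  ->  192.0.2.10.443   2        1         140          74          EST
13 Sep 02 04:03:59    tcp  198.51.100.7.49384  ->  192.0.2.10.443   2        1         140          74          EST
13 Sep 02 04:04:08    tcp  198.51.100.7.49566  ->  192.0.2.10.443   254      609       114583       145850      EST
13 Sep 02 04:05:05    udp  203.0.113.5.2002  <->  192.0.2.10.2002  1        1         102          60          ACC
13 Sep 02 04:05:06    udp  192.0.2.10.2002  <->  203.0.113.9.2002  1        1         102          60          ACC
13 Sep 02 04:05:07    udp  192.0.2.10.2002   ->  203.0.113.77.2002  1        0         83           0           INT
13 Sep 02 04:10:00    tcp  198.51.100.50.33001  ->  192.0.2.20.443   9        8         1200         5400        EST
13 Sep 02 04:10:01    udp  192.0.2.20.34567  <->  192.0.2.1.53   1        1         70           120         ACC
"""


def split_addr(addr):
    """'198.51.100.7.49378' -> ('198.51.100.7', 49378); argus joins the
    port to the IPv4 address with a dot."""
    host, port = addr.rsplit(".", 1)
    return host, int(port)


def parse_records(text):
    """Parse ra-style records; non-matching lines (headers, wrapped
    fragments as in the quoted mail) are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["src_host"], r["src_port"] = split_addr(r["src"])
        r["dst_host"], r["dst_port"] = split_addr(r["dst"])
        for k in ("spkts", "dpkts", "sbytes", "dbytes"):
            r[k] = int(r[k])
        records.append(r)
    return records


def udp2002_peers(records):
    """Map each host to the hosts it exchanged UDP 2002<->2002 with.
    Both endpoints of such a flow are part of the peer network."""
    peers = defaultdict(set)
    for r in records:
        if (r["proto"] == "udp" and r["src_port"] == WORM_UDP_PORT
                and r["dst_port"] == WORM_UDP_PORT):
            peers[r["src_host"]].add(r["dst_host"])
            peers[r["dst_host"]].add(r["src_host"])
    return peers


def suspect_hosts(records, min_peers=2):
    """Hosts with UDP/2002 traffic to at least min_peers distinct peers:
    a host that was merely probed once has a single peer, an infected
    one fans out the way aaa.bb.ccc.dd does in the quoted output."""
    return sorted(h for h, p in udp2002_peers(records).items() if len(p) >= min_peers)


def https_bursts(records, threshold=5):
    """Count TCP flows to port 443 per (source, destination) and keep the
    pairs at or above threshold: the short-connection run that precedes
    the long exploit session in the quoted output."""
    counts = defaultdict(int)
    for r in records:
        if r["proto"] == "tcp" and r["dst_port"] == HTTPS_PORT:
            counts[(r["src_host"], r["dst_host"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


VERSION_TOKEN = re.compile(r"[\w-]+/\d+(\.\d+)*")


def banner_reveals_version(server_header):
    """True when a Server: header carries product/version tokens that the
    worm's target selection could key on; with 'ServerTokens Prod' (the
    ProductOnly setting from the Bugtraq note) httpd sends just 'Apache'."""
    return VERSION_TOKEN.search(server_header) is not None


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("UDP/2002 fan-out hosts:", suspect_hosts(recs))
    for (src, dst), n in https_bursts(recs).items():
        print(f"{n} TCP/443 flows {src} -> {dst}")
    # constructed banner string, not one observed on the list
    print("banner leaks version:",
          banner_reveals_version("Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d"))
```

In practice the text fed to parse_records is the output of `ra` read from an argus capture, and the two reports are complementary: https_bursts points at the scanning source and the victim, suspect_hosts at every local host that has already joined the UDP/2002 mesh. banner_reveals_version is the self-audit behind the ServerTokens workaround in the Bugtraq note; as that note says, hiding the version only turns away this version of the worm, and the actual fix is patching the BID 5363 issue.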


