[unisog] Re: OpenSSL worm in the wild

E. Larry Lidz ellidz at eridu.uchicago.edu
Mon Sep 16 20:23:42 GMT 2002


Jordan K Wiens writes:
>From our experience here, that appears to be an actual hacker compromise
>rather than the ssl worm.  The ssl worm makes no mention of httpd, and
>unless it was used for extra command execution after compromise, it doesn't
>come with any privilege escalation code--we ~have~ seen this exploited by
>a hacker with code in /tmp/ for httpd as you describe.  It appears that
>they've been actively exploiting this for about a week now, slightly before
>the worm.

Yeah, it's odd. We did verify that the httpd program did attach the
machine to the DDoS network on port 2002. It started at about 22:19
CDT on the 11th, a good 13 hours after the machine was originally
compromised and the httpd program was installed. It was only talking to
one machine until 2002-09-12 17:00 CDT.

I suppose it is possible that we had some sort of prototype. 

*sigh*,
-Larry

---
E. Larry Lidz                                        Phone: +1 773 702-2208
Sr. Network Security Officer                         Fax:   +1 773 834-8444
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
