[unisog] Re: OpenSSL worm in the wild

Lois Lehman LOIS.LEHMAN at asu.edu
Wed Sep 18 19:41:25 GMT 2002


Sorry to jump into this discussion at this late date, but I just visited my
first box compromised with this worm.  Is it possible to clean up this
compromise without cleaning the hard drive and reinstalling?

Thanks!

Lois Lehman, GSEC
Physical Sciences Computer Support
Dean's Office
College of Liberal Arts & Sciences
Arizona State University
480-965-3139



-----Original Message-----
From: Phil.Rodrigues at uconn.edu [mailto:Phil.Rodrigues at uconn.edu]
Sent: Monday, September 16, 2002 3:42 PM
To: unisog at sans.org
Subject: Re: [unisog] Re: OpenSSL worm in the wild


Our first apache.slapper compromise and communication over port 2002 was 
on 2002-09-10 at 21:03 EDT.  I sent the list of the other 28 computers 
that were talking to it over 2002 to the CERT, Symantec, incidents.org, 
f-secure, NIPC, etc.

Does anyone have an earlier compromise than that, and some good audit logs 
to go along with it?  My hope is that someone has records that will help 
point this back to a smaller set of just the original infected hosts.  (I 
will happily share my list with anyone who may have some use for it.)

For fun here are the number of unique IPs per hour that were communicating 
with that server on port udp 2002 for 24 hours after it was infected.  The 
date is MM-DD-HH.  Note we messed up the pretty progression of numbers by 
securing it sometime during 09-11-09. ;-)

09-10-20      0
09-10-21     28
09-10-22     22
09-10-23      7
09-11-00     17
09-11-01    281
09-11-02    448
09-11-03    552
09-11-04    590
09-11-05    679
09-11-06    754
09-11-07    788
09-11-08    834
09-11-09    875
09-11-10    330
09-11-11    292
09-11-12    272
09-11-13    255
09-11-14    234
09-11-15    222
09-11-16    197
09-11-17    192
09-11-18    180
09-11-19    171
09-11-20    169

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
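The per-hour count of unique peers that Phil describes, written out as an added example (not code from the original post or the list): a small Python pass over constructed firewall-style log lines, keeping only UDP/2002 traffic to or from the infected host and bucketing by MM-DD-HH as in the table above. The log format, the addresses and the function name are assumptions for illustration.

```python
# Added example, not from the unisog thread: count distinct peer IPs per
# hour exchanging UDP/2002 traffic with a host, bucketed as MM-DD-HH like
# the table in the message. Log format below is constructed (assumption).
import re
from collections import defaultdict

# Constructed sample firewall log (not real traffic); victim is 192.0.2.10.
SAMPLE_LOG = """\
2002-09-10T21:03:12 udp 198.51.100.5:2002 -> 192.0.2.10:2002
2002-09-10T21:17:40 udp 198.51.100.6:2002 -> 192.0.2.10:2002
2002-09-10T21:59:01 udp 198.51.100.5:2002 -> 192.0.2.10:2002
2002-09-10T22:04:55 udp 203.0.113.9:2002 -> 192.0.2.10:2002
2002-09-10T22:10:00 tcp 203.0.113.77:44321 -> 192.0.2.10:80
2002-09-11T01:00:30 udp 198.51.100.7:2002 -> 192.0.2.10:2002
2002-09-11T01:00:31 udp 192.0.2.10:2002 -> 198.51.100.8:2002
"""

LINE_RE = re.compile(
    r"^\d{4}-(?P<mm>\d{2})-(?P<dd>\d{2})T(?P<hh>\d{2}):\d{2}:\d{2}\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def unique_peers_per_hour(log_text, victim, port=2002, proto="udp"):
    """Return {'MM-DD-HH': count} of distinct remote IPs that exchanged
    proto/port traffic with `victim` in that hour, either direction."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != proto:
            continue  # unparseable or wrong protocol
        # Either end may be the victim; the other end is the peer.
        if m["dst"] == victim and m["dport"] == str(port):
            peer = m["src"]
        elif m["src"] == victim and m["sport"] == str(port):
            peer = m["dst"]
        else:
            continue  # traffic not involving the victim on that port
        peers[f"{m['mm']}-{m['dd']}-{m['hh']}"].add(peer)
    return {b: len(s) for b, s in sorted(peers.items())}

if __name__ == "__main__":
    for bucket, n in unique_peers_per_hour(SAMPLE_LOG, "192.0.2.10").items():
        print(f"{bucket} {n:6d}")
```

Repeated peers within an hour are counted once, and the TCP/80 line is dropped, so the sample yields 2, 1 and 2 peers for the three hours present.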

