[unisog] Re: OpenSSL worm in the wild

Lois Lehman LOIS.LEHMAN at asu.edu
Wed Sep 18 23:54:22 GMT 2002

Thanks, all.  You confirmed what I thought was the recommended procedure for
cleaning up after this worm, or any worm for that matter.  It helps to have
this confirmation from others when approaching a researcher with the news
that a reinstall is necessary.

Lois Lehman, GSEC
Physical Sciences Computer Support
Dean's Office
College of Liberal Arts & Sciences
Arizona State University

-----Original Message-----
From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
Sent: Wednesday, September 18, 2002 1:38 PM
To: Lois Lehman
Cc: 'unisog at sans.org'
Subject: Re: [unisog] Re: OpenSSL worm in the wild

On Wed, 18 Sep 2002 12:41:25 PDT, Lois Lehman <LOIS.LEHMAN at asu.edu>  said:

> Sorry to jump into this discussion at this late date, but I just visited
> first box compromised with this worm.  Is it possible to clean up this
> compromise without clean the hard drive and reinstalling?

Well.. the answer is a very unqualified "it depends", and a large part of
it is how prepared you were beforehand for the possibility.

Cleaning up the actual worm should be relatively trivial, given that we
have already captured the source and have a good understanding of how it

What is *NOT* trivial is deciding whether anything *else* was done to
the system - did anything malicious get send in via port 2002 after it
was whacked by the worm?  If you have known good Tripwire baselines,
tools to check for LKM rootkits, and an IDS that would have told you if
anything arrived at port 2002, and they all come up clean, you're probably
OK (unless you've been whacked by a Uberhacker that managed to cover his
tracks from all 3).  If you don't have those in place, you better start
looking for the backup tapes, just in case....

Factor in that there *have* been scattered reports of sites being hacked
by a non-worm exploit - there is a *good* probability that there are any
number of black-hats out there watching *their* logs for probes from the
apache.slapper worm, and then going and hacking into the source machine
and leaving a backdoor before the SSL gets patched.  Actually, you could
probably automate this - seeing a probe from the worm causes a robo-rooter
to get launched, to install a backdoor for later use once the fuss dies

This is the exact same problem as cleaning up after CodeRed or one of its
brethren - cleaning up the worm was easy, figuring out what ELSE got done
to you while your machine was actively advertising a backdoor was the

(And yes, I *know* that people *SHOULD* re-install if there's been any
compromise at all.  But let's be realistic here - if a VP in your
is telling you the server has to be back online *right now* so that payroll
can run and people get paychecks, some corners will probably get cut....)
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

More information about the unisog mailing list