[unisog] Re: OpenSSL worm in the wild

Jordan K Wiens jwiens at nersp.nerdc.ufl.edu
Mon Sep 16 21:41:37 GMT 2002

Quite possibly; makes me wish I had asked our admin here to take a system
image of the system so I could look at it.  Oh well, hindsight's 20/20.

Jordan Wiens
UF Network Incident Response Team

On Mon, 16 Sep 2002, E. Larry Lidz wrote:

> Jordan K Wiens writes:
> >From our experience here, that appears to be an actual hacker compromise
> >rather than the sll worm.  The ssl worm makes no mention of httpd, and
> >unless it was used for extra command execution after compromise, it doesn't
> >come with any priveledge escalation code--we ~have~ seen this exploited by
> >a hacker with code in /tmp/ for httpd as you describe.  It appears that
> >they've been actively exploiting this for about a week now, slightly before
> >the worm.
> Yeah, it's odd. We did verify that the httpd program did attach the
> machine to the DDoS network on port 2002. It started at about 22:19
> CDT on the 11th, a good 13 hours after the machine was originally
> compromised and the httpd program was installed. It was only talking to
> one machine until 2002-09-12 17:00 CDT.
> I suppose it is possible that we had some sort of prototype.
> *sigh*,
> -Larry
> ---
> E. Larry Lidz                                        Phone: +1 773 702-2208
> Sr. Network Security Officer                         Fax:   +1 773 834-8444
> Network Security Center, The University of Chicago
> PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml

More information about the unisog mailing list