[unisog] Re: OpenSSL worm in the wild
Jordan K Wiens
jwiens at nersp.nerdc.ufl.edu
Mon Sep 16 21:41:37 GMT 2002
Quite possibly; makes me wish I had asked our admin here to take a system
image of the system so I could look at it. Oh well, hindsight's 20/20.
UF Network Incident Response Team
On Mon, 16 Sep 2002, E. Larry Lidz wrote:
> Jordan K Wiens writes:
> >From our experience here, that appears to be an actual hacker compromise
> >rather than the ssl worm. The ssl worm makes no mention of httpd, and
> >unless it was used for extra command execution after compromise, it doesn't
> >come with any privilege escalation code--we ~have~ seen this exploited by
> >a hacker with code in /tmp/ for httpd as you describe. It appears that
> >they've been actively exploiting this for about a week now, slightly before
> >the worm.
> Yeah, it's odd. We did verify that the httpd program did attach the
> machine to the DDoS network on port 2002. It started at about 22:19
> CDT on the 11th, a good 13 hours after the machine was originally
> compromised and the httpd program was installed. It was only talking to
> one machine until 2002-09-12 17:00 CDT.
> I suppose it is possible that we had some sort of prototype.
> E. Larry Lidz Phone: +1 773 702-2208
> Sr. Network Security Officer Fax: +1 773 834-8444
> Network Security Center, The University of Chicago
> PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
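The timeline reasoning in the quoted message (first contact with the port-2002 DDoS network, the lag after the initial compromise, and how many peers the host talked to before a given time) is the kind of check an incident responder reconstructs from connection logs. The following is an added example, not code from either poster: it runs that analysis over a constructed connection log. The log format, the host and peer addresses, and the 09:19 compromise time (inferred from the "13 hours" remark) are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample log (not from the thread): one outbound TCP connection
# per line as "YYYY-MM-DD HH:MM:SS src dst:port", timestamps in local time.
SAMPLE_LOG = """\
2002-09-11 22:19:03 10.0.5.17 192.0.2.10:2002
2002-09-11 23:40:11 10.0.5.17 192.0.2.10:2002
2002-09-12 08:12:45 10.0.5.17 192.0.2.10:2002
2002-09-12 16:59:30 10.0.5.17 192.0.2.10:2002
2002-09-12 17:02:14 10.0.5.17 198.51.100.7:2002
2002-09-12 17:05:40 10.0.5.17 203.0.113.22:2002
2002-09-12 17:07:01 10.0.5.17 192.0.2.10:80
2002-09-12 17:10:22 10.0.5.17 192.0.2.10:2002
this line is malformed and must be skipped
"""

C2_PORT = 2002
# Assumed initial compromise time: the thread says the first port-2002
# contact came "a good 13 hours" after the machine was compromised.
COMPROMISE_TIME = datetime(2002, 9, 11, 9, 19)
# Point at which the thread says the host stopped talking to a single peer.
CUTOFF = datetime(2002, 9, 12, 17, 0)


def parse_connections(text, port=C2_PORT):
    """Return a time-sorted list of (timestamp, dst_ip) for connections to
    `port`, ignoring other ports and any line that does not parse."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            dst_ip, dst_port = parts[3].rsplit(":", 1)
            if int(dst_port) != port:
                continue
        except ValueError:
            continue
        conns.append((ts, dst_ip))
    return sorted(conns)


def first_contact(conns):
    """Earliest connection to the watched port, or None if there were none."""
    return conns[0][0] if conns else None


def hours_since(event, reference):
    """Elapsed hours from `reference` to `event` (negative if event is earlier)."""
    return (event - reference).total_seconds() / 3600


def peers_in_window(conns, start=None, end=None):
    """Distinct destination IPs contacted with start <= ts < end."""
    return {ip for ts, ip in conns
            if (start is None or ts >= start) and (end is None or ts < end)}


def summarize(text=SAMPLE_LOG):
    """Reconstruct the timeline facts discussed in the thread from a log."""
    conns = parse_connections(text)
    first = first_contact(conns)
    if first is None:
        return {"first_contact": None, "lag_hours": None,
                "peers_before_cutoff": set(), "peers_from_cutoff": set()}
    return {
        "first_contact": first,
        "lag_hours": round(hours_since(first, COMPROMISE_TIME), 1),
        "peers_before_cutoff": peers_in_window(conns, end=CUTOFF),
        "peers_from_cutoff": peers_in_window(conns, start=CUTOFF),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the constructed log this reports the first port-2002 contact at 22:19:03, a 13.0-hour lag from the assumed compromise time, a single peer before the 17:00 cutoff and three peers from then on, which mirrors the sequence the poster describes; on a real host the same functions would be pointed at exported flow or firewall records.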