[unisog] Re: OpenSSL worm in the wild

Peter Van Epp vanepp at sfu.ca
Mon Sep 16 23:24:31 GMT 2002


> 
> Our first apache.slapper compromise and communication over port 2002 was 
> on 2002-09-10 at 21:03 EDT.  I sent the list of the other 28 computers 
> that were talking to it over 2002 to the CERT, Symantec, incidents.org, 
> f-secure, NIPC, etc.
> 
<snip>
	As a measure of how well it's spread, as of a few minutes ago (assuming
I didn't do something stupid in a quick perl script) 20,042 hosts have 
attempted to contact our compromised machine on UDP port 2002 since its 
compromise on Friday morning. I'll note there appear to be many of those 
connection attempts started long after the machine was removed from the net 
Friday afternoon. Below is a small excerpt (sorted by IP address). If (as 
appears evident) previous machine addresses to probe are being propagated 
still, I'd guess we are in for exciting times ...
	I ran a check back a few days in the argus logs, but as expected 
discovered the first and so far only one to be the one on Friday morning.


Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
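
The per-source tally described in the message above, as an added example that is not part of the original post and is not the author's perl script: it reduces flow records to first and last contact per source on UDP port 2002 and lists the sources first seen only after the host was taken offline. The record format, the victim address and the removal time are assumptions made for the example, and the sample records are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed sample flow records (NOT real argus output). Assumed format:
# "start-time proto src-ip dst-ip dst-port"; addresses are documentation ranges.
SAMPLE_FLOWS = """\
2002-09-13T08:55:09 udp 198.51.100.7 192.0.2.10 2002
2002-09-13T09:10:00 tcp 198.51.100.7 192.0.2.10 443
2002-09-14T19:59:34 udp 198.51.100.7 192.0.2.10 2002
2002-09-14T00:14:25 udp 203.0.113.136 192.0.2.10 2002
2002-09-15T08:38:45 udp 198.51.100.20 192.0.2.10 2002
2002-09-15T12:45:30 udp 198.51.100.20 192.0.2.10 2002
2002-09-13T10:00:00 udp 203.0.113.5 192.0.2.99 2002
malformed line
"""
VICTIM = "192.0.2.10"                      # assumed address of the compromised host
OFFLINE_AT = datetime(2002, 9, 13, 15, 0)  # assumed; the post says only "Friday afternoon"

def _ip_key(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr))  # numeric order, not string order

def summarize_contacts(text, victim, port=2002, proto="udp"):
    """Map each source IP to (first_seen, last_seen) for flows to victim:port."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1] != proto or fields[3:] != [victim, str(port)]:
            continue  # wrong shape, protocol, destination or port
        try:
            when, src = datetime.fromisoformat(fields[0]), str(ipaddress.ip_address(fields[2]))
        except ValueError:
            continue  # skip records with an unparsable time or address
        first, last = seen.get(src, (when, when))
        seen[src] = (min(first, when), max(last, when))
    return seen

def first_seen_after(seen, cutoff):
    """Sources whose first contact came after cutoff, in numeric IP order."""
    return sorted((ip for ip, (first, _) in seen.items() if first > cutoff), key=_ip_key)

def report(seen):
    fmt = "{:<15} Start: {:%a %m/%d %H:%M:%S} End: {:%a %m/%d %H:%M:%S}"
    return [fmt.format(ip, *seen[ip]) for ip in sorted(seen, key=_ip_key)]

if __name__ == "__main__":
    contacts = summarize_contacts(SAMPLE_FLOWS, VICTIM)
    print(len(contacts), "distinct sources")
    print("\n".join(report(contacts)))
    print("first seen after removal:", first_seen_after(contacts, OFFLINE_AT))
```

Sources that first appear after the removal time cannot have learned the address by probing the live host, which is the propagation of previously collected addresses that the message points to.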


