[unisog] Re: OpenSSL worm in the wild

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Sep 18 20:37:47 GMT 2002

On Wed, 18 Sep 2002 12:41:25 PDT, Lois Lehman <LOIS.LEHMAN at asu.edu>  said:

> Sorry to jump into this discussion at this late date, but I just visited my
> first box compromised with this worm.  Is it possible to clean up this
> compromise without clean the hard drive and reinstalling?

Well.. the answer is a very unqualified "it depends", and a large part of
it is how prepared you were beforehand for the possibility.

Cleaning up the actual worm should be relatively trivial, given that we
have already captured the source and have a good understanding of how it works.

What is *NOT* trivial is deciding whether anything *else* was done to
the system - did anything malicious get send in via port 2002 after it
was whacked by the worm?  If you have known good Tripwire baselines,
tools to check for LKM rootkits, and an IDS that would have told you if
anything arrived at port 2002, and they all come up clean, you're probably
OK (unless you've been whacked by a Uberhacker that managed to cover his
tracks from all 3).  If you don't have those in place, you better start
looking for the backup tapes, just in case....

Factor in that there *have* been scattered reports of sites being hacked
by a non-worm exploit - there is a *good* probability that there are any
number of black-hats out there watching *their* logs for probes from the
apache.slapper worm, and then going and hacking into the source machine
and leaving a backdoor before the SSL gets patched.  Actually, you could
probably automate this - seeing a probe from the worm causes a robo-rooter
to get launched, to install a backdoor for later use once the fuss dies down.

This is the exact same problem as cleaning up after CodeRed or one of its
brethren - cleaning up the worm was easy, figuring out what ELSE got done
to you while your machine was actively advertising a backdoor was the challenge..

(And yes, I *know* that people *SHOULD* re-install if there's been any
compromise at all.  But let's be realistic here - if a VP in your organization
is telling you the server has to be back online *right now* so that payroll
can run and people get paychecks, some corners will probably get cut....)
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20020918/53493775/attachment-0007.bin

More information about the unisog mailing list