[unisog] Slapper.B remnants?

Peter Van Epp vanepp at sfu.ca
Wed Sep 25 14:55:20 GMT 2002

	We took a Slapper.B hit yesterday morning (ironically the machine had
been patched when Martin put out the ssl patch on the local linux security 
list, but httpd wasn't restarted). They, with Martin's help, did clean (and
reboot) the machine and they look clean this morning. If I suppress inbound
web accesses, there is only a tasteful icmp URP at a braindead windows box
on port 139 and a couple of whois queries (probably looking for the attacker)
from the box all night. It looks like they have managed to clean up OK.
	The original hit looked like this:

Tue 09/24 01:22:28 d    tcp <->  142.58.xxx.yyy.443   271    336     27048     30772    EST
Tue 09/24 01:22:28 d    tcp <->  142.58.xxx.yyy.443   6      8       290       3436     EST
Tue 09/24 01:22:41      tcp  142.58.xxx.yyy.39418  |>    13     11      172       262      RST

	Then settled into this (presumably polling the mother ship, who
has been advised):

Tue 09/24 03:09:04      udp  142.58.xxx.yyy.4156   ->  76     0       2736      0        INT
Tue 09/24 03:24:12      udp  142.58.xxx.yyy.4156   ->  76  

	No scanning or other ugly activity other than the UDP attempts.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> We got hit with what appeared to be Slapper.B a couple of days ago.
> Thought we'd gotten it under control, but machines that were infected and
> have _supposedly_ been cleaned (files removed from /tmp, rogue httpds
> killed) are still pinging suspiciously.
> Has anyone else seen this?  I only have traffic logs to go on, so I'm
> working blind.  The "phone home" IPs include,, 
>,,, and
> Thanks.
> Pat Wilson
> Network Security Manager
> UCSD ACS/Network Operations
> paw at ucsd.edu
> 6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
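Both posts describe the same tell-tale: a supposedly cleaned host that keeps emitting one-way UDP flows from a fixed source port at a steady interval (03:09:04, then 03:24:12 in the records above, about 15 minutes apart, state INT, no reply packets). The script below is an added example, not part of either post; it parses flow records laid out like the ra-style lines quoted above (timestamp, optional flags, proto, src.port, direction, dst.port, src/dst packets, src/dst bytes, state) and flags (source, sport, dest, dport) tuples that show three or more unanswered UDP flows with near-constant spacing. The sample records, addresses and ports are constructed for the example (RFC 5737 documentation addresses); the flag-detection tolerance is a parameter, not anything from the post.

```python
"""Flag periodic one-way UDP "phone home" flows in Argus/ra-style flow records.

Added example, not code from the unisog posts. Record layout is modelled on
the records quoted in the thread:
    Day MM/DD HH:MM:SS [flags] proto src.port dir dst.port spkts dpkts sbytes dbytes state
The sample below is constructed; addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

PROTOS = {"tcp", "udp", "icmp"}

# Constructed sample: one host (192.0.2.10) sends an unanswered UDP datagram from
# a fixed source port roughly every 15 minutes, mixed with ordinary traffic.
SAMPLE_FLOWS = """\
Tue 09/24 01:22:28 d    tcp  198.51.100.7.51322  <->  192.0.2.10.443     271  336  27048  30772  EST
Tue 09/24 01:22:41      tcp  192.0.2.10.39418     |>  198.51.100.7.80    13   11   172    262    RST
Tue 09/24 03:09:04      udp  192.0.2.10.4156      ->  203.0.113.5.6000   76   0    2736   0      INT
Tue 09/24 03:24:12      udp  192.0.2.10.4156      ->  203.0.113.5.6000   76   0    2736   0      INT
Tue 09/24 03:30:00      udp  192.0.2.10.32881    <->  192.0.2.53.53      1    1    64     128    CON
Tue 09/24 03:39:20      udp  192.0.2.10.4156      ->  203.0.113.5.6000   76   0    2736   0      INT
Tue 09/24 03:41:07      udp  192.0.2.10.40001     ->  192.0.2.99.514     1    0    90     0      INT
Tue 09/24 03:54:29      udp  192.0.2.10.4156      ->  203.0.113.5.6000   76   0    2736   0      INT
"""


def split_addr(token):
    """'192.0.2.10.4156' -> ('192.0.2.10', 4156); a bare host -> (host, None)."""
    host, _, port = token.rpartition(".")
    if port.isdigit() and host.count(".") == 3:
        return host, int(port)
    return token, None


def parse_flow(line):
    """Parse one ra-style record into a dict; return None for blank/odd lines."""
    tok = line.split()
    # The flags column ('d', 's', ...) is optional, so anchor on the proto token.
    p = next((i for i, t in enumerate(tok) if t in PROTOS), None)
    if p is None or len(tok) < p + 9:
        return None
    ts = datetime.strptime(f"{tok[1]} {tok[2]}", "%m/%d %H:%M:%S")  # no year in record
    src, sport = split_addr(tok[p + 1])
    dst, dport = split_addr(tok[p + 3])
    return {
        "ts": ts, "proto": tok[p], "src": src, "sport": sport, "dir": tok[p + 2],
        "dst": dst, "dport": dport, "spkts": int(tok[p + 4]), "dpkts": int(tok[p + 5]),
        "sbytes": int(tok[p + 6]), "dbytes": int(tok[p + 7]), "state": tok[p + 8],
    }


def find_beacons(text, min_flows=3, max_jitter=0.2):
    """Return one finding per (src, sport, dst, dport) with at least min_flows
    unanswered UDP flows whose gaps all lie within max_jitter of the median gap."""
    groups = defaultdict(list)
    for line in text.splitlines():
        f = parse_flow(line)
        if f and f["proto"] == "udp" and f["dpkts"] == 0:   # one-way: nothing came back
            groups[(f["src"], f["sport"], f["dst"], f["dport"])].append(f["ts"])

    findings = []
    for (src, sport, dst, dport), times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            findings.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                             "count": len(times), "period_s": med})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"{hit['src']}:{hit['sport']} -> {hit['dst']}:{hit['dport']}  "
              f"{hit['count']} one-way UDP flows every ~{hit['period_s']:.0f}s")
```

Requiring a fixed source port and a near-constant period keeps single stray datagrams (the syslog-style probe in the sample) and answered DNS out of the result, which is what you want when, as Pat says, traffic logs are all you have to go on.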

