[unisog] Slapper.B remnants?
Peter Van Epp
vanepp at sfu.ca
Wed Sep 25 14:55:20 GMT 2002
We took a slapd-b hit yesterday morning (ironically the machine had
been patched when Martin put out the ssl patch on the local linux security
list, but httpd wasn't restarted). They with Martin's help did clean (and
reboot) the machine and they look clean this morning. If I suppress inbound
web accesses there is only a tasteful icmp URP at a braindead windows box
on port 139 and a couple of whois queries (probably looking for the attacker)
from the box all night. It looks like they have managed to clean up OK.
The original hit looked like this:
Tue 09/24 01:22:28 d tcp 22.214.171.124.56263 <-> 142.58.xxx.yyy.443 271 336 27048 30772 EST
Tue 09/24 01:22:28 d tcp 126.96.36.199.56262 <-> 142.58.xxx.yyy.443 6 8 290 3436 EST
Tue 09/24 01:22:41 tcp 142.58.xxx.yyy.39418 |> 188.8.131.52.25 13 11 172 262 RST
Then settled in to this (presumably polling the mother ship who
has been advised):
Tue 09/24 03:09:04 udp 142.58.xxx.yyy.4156 -> 184.108.40.206.4156 76 0 2736 0 INT
Tue 09/24 03:24:12 udp 142.58.xxx.yyy.4156 -> 220.127.116.11.4156 76
No scanning or other ugly activity other than the UDP attempts.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
> We got hit with what appeared to be Slapper.B a couple of days ago.
> Thought we'd gotten it under control, but machines that were infected and
> have _supposedly_ been cleaned (files removed from /tmp, rogue httpds
> killed) are still pinging suspiciously.
> Has anyone else seen this? I only have traffic logs to go on, so I'm
> working blind. The "phone home" IPs include 18.104.22.168, 22.214.171.124,
> 126.96.36.199, 188.8.131.52, 184.108.40.206, and 220.127.116.11.
> Pat Wilson
> Network Security Manager
> UCSD ACS/Network Operations
> paw at ucsd.edu
> 6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
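The flow records in the post show the pattern a defender can key on: an inbound TCP session to port 443 on a local host, followed a while later by outbound UDP from that host with source and destination port 4156 to several peers. Below is an added example (not part of either message above, and not any tool's own code) that parses summary lines in the same layout as the post and flags local hosts showing that sequence. The field meanings (optional one-letter flag column, protocol, source endpoint, direction token, destination endpoint, packet and byte counts, state) are my reading of the lines above; the local prefix, the six-hour window and the sample records (RFC 5737 documentation addresses) are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample flow records, same layout as the lines in the post.
# Addresses are RFC 5737 documentation ranges, not the ones in the thread.
SAMPLE_FLOWS = """\
Tue 09/24 01:22:28 d tcp 198.51.100.7.56263 <-> 203.0.113.10.443 271 336 27048 30772 EST
Tue 09/24 01:22:28 d tcp 198.51.100.8.56262 <-> 203.0.113.10.443 6 8 290 3436 EST
Tue 09/24 01:22:41 tcp 203.0.113.10.39418 |> 198.51.100.9.25 13 11 172 262 RST
Tue 09/24 03:09:04 udp 203.0.113.10.4156 -> 198.51.100.20.4156 76 0 2736 0 INT
Tue 09/24 03:24:12 udp 203.0.113.10.4156 -> 198.51.100.21.4156 76 0 2736 0 INT
Tue 09/24 03:30:00 d tcp 198.51.100.30.40001 <-> 203.0.113.11.443 40 38 5000 12000 FIN
Tue 09/24 03:31:00 udp 203.0.113.12.53 -> 198.51.100.53.53 1 1 60 120 CON
Tue 09/24 03:40:00 udp 203.0.113.10.4156 -> 198.51.100.22.4156 76
"""

LOCAL_PREFIX = "203.0.113."   # assumption: our own address space
SSL_PORT = 443                # the port the initial hit arrived on
P2P_PORT = 4156               # the UDP port the post's beacons used


@dataclass
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: int
    direction: str
    dst: str
    dport: int
    src_pkts: int
    dst_pkts: int
    state: str


def split_endpoint(ep: str):
    """'a.b.c.d.port' -> ('a.b.c.d', port); the port is the last dotted field."""
    host, _, port = ep.rpartition(".")
    return host, int(port)


def parse_flow(line: str, year: int = 2002) -> Optional[Flow]:
    """Parse one summary line; return None for truncated or wrapped lines."""
    toks = line.split()
    i = 3
    # Optional single-letter flag column (the 'd' in the post) before the protocol.
    if len(toks) > i and len(toks[i]) == 1 and toks[i].isalpha():
        i += 1
    if len(toks) < i + 9:
        return None
    ts = datetime.strptime(f"{year} {toks[1]} {toks[2]}", "%Y %m/%d %H:%M:%S")
    proto, src_ep, direction, dst_ep = toks[i:i + 4]
    src, sport = split_endpoint(src_ep)
    dst, dport = split_endpoint(dst_ep)
    src_pkts, dst_pkts = int(toks[i + 4]), int(toks[i + 5])
    return Flow(ts, proto, src, sport, direction, dst, dport,
                src_pkts, dst_pkts, toks[i + 8])


def find_beaconing_hosts(lines: List[str], window_hours: float = 6,
                         min_peers: int = 2) -> Dict[str, List[str]]:
    """Local hosts with an inbound tcp/443 session followed within the window
    by outbound udp/4156 -> udp/4156 beacons to at least min_peers peers."""
    flows = [f for f in map(parse_flow, lines) if f]
    inbound_ssl: Dict[str, List[datetime]] = {}
    beacons: Dict[str, List[Flow]] = {}
    for f in flows:
        local_dst = f.dst.startswith(LOCAL_PREFIX)
        local_src = f.src.startswith(LOCAL_PREFIX)
        if f.proto == "tcp" and f.dport == SSL_PORT and local_dst and not local_src:
            inbound_ssl.setdefault(f.dst, []).append(f.ts)
        elif (f.proto == "udp" and f.sport == P2P_PORT and f.dport == P2P_PORT
              and local_src and not local_dst):
            beacons.setdefault(f.src, []).append(f)
    hits: Dict[str, List[str]] = {}
    for host, bflows in beacons.items():
        peers = sorted({b.dst for b in bflows})
        first_beacon = min(b.ts for b in bflows)
        prior_hits = [t for t in inbound_ssl.get(host, [])
                      if 0 <= (first_beacon - t).total_seconds() <= window_hours * 3600]
        if len(peers) >= min_peers and prior_hits:
            hits[host] = peers
    return hits


if __name__ == "__main__":
    for host, peers in find_beaconing_hosts(SAMPLE_FLOWS.splitlines()).items():
        print(f"{host}: inbound 443 then udp/{P2P_PORT} beacons to {', '.join(peers)}")
```

The wrapped record at the end of the sample (like the last line in the post) is dropped by the parser rather than guessed at, and a host that only took an inbound 443 session, or that only sends unrelated UDP, does not trip the check; the point is the combination, which is what separates a real infection from ordinary SSL traffic.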