OpenSSL worm in the wild
Peter Van Epp
vanepp at sfu.ca
Fri Sep 13 16:22:13 EDT 2002
Just found our first machine that was hit at 4 this morning. Looks
like a fast-spreading worm because it has found lots of other people to chat
with on UDP port 2002 in between doing port scans of port 80 (as usual,
argus to the rescue :-) ...). I expect a Perl script to check for this is
in order as well (although, again as usual, the mark one eyeball does a fine
job too):
13 Sep 02 04:03:58 tcp 217.153.81.210.49378 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:03:58 tcp 217.153.81.210.49381 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:03:58 tcp 217.153.81.210.49383 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:03:59 tcp 217.153.81.210.49384 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:03:59 tcp 217.153.81.210.49385 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:03:59 tcp 217.153.81.210.49386 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:00 tcp 217.153.81.210.49387 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:00 tcp 217.153.81.210.49390 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:03 tcp 217.153.81.210.49392 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:04 tcp 217.153.81.210.49393 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:04 tcp 217.153.81.210.49394 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:05:05 udp 192.217.228.39.2002 <-> aaa.bb.ccc.dd.2002 1 1 102 60 ACC
13 Sep 02 04:04:04 tcp 217.153.81.210.49531 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:05:05 udp 192.217.228.39.2002 <-> aaa.bb.ccc.dd.2002 1 1 60 70 ACC
13 Sep 02 04:05:05 udp aaa.bb.ccc.dd.2002 <-> 141.211.107.134.2002 1 1 102 60 ACC
13 Sep 02 04:04:05 tcp 217.153.81.210.49550 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:05 tcp 217.153.81.210.49553 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:05:06 udp aaa.bb.ccc.dd.2002 <-> 65.126.190.2.2002 1 1 102 60 ACC
13 Sep 02 04:05:06 udp aaa.bb.ccc.dd.2002 <-> 208.254.142.45.2002 1 1 102 60 ACC
13 Sep 02 04:05:07 udp aaa.bb.ccc.dd.2002 -> 209.41.200.120.2002 1 0 83 0 INT
13 Sep 02 04:04:05 tcp 217.153.81.210.49554 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:05:06 udp aaa.bb.ccc.dd.2002 <-> 66.134.87.107.2002 1 1 83 60 ACC
13 Sep 02 04:05:06 udp aaa.bb.ccc.dd.2002 <-> 211.239.150.170.2002 1 1 83 60 ACC
13 Sep 02 04:05:06 udp aaa.bb.ccc.dd.2002 -> 24.91.41.104.2002 1 0 83 0 INT
13 Sep 02 04:04:06 tcp 217.153.81.210.49555 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:06 tcp 217.153.81.210.49556 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:06 tcp 217.153.81.210.49557 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:07 tcp 217.153.81.210.49558 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:07 tcp 217.153.81.210.49559 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:08 tcp 217.153.81.210.49565 -> aaa.bb.ccc.dd.443 7 7 760 1726 EST
13 Sep 02 04:05:09 udp aaa.bb.ccc.dd.2002 <-> 160.36.28.79.2002 1 1 102 60 ACC
13 Sep 02 04:05:09 udp aaa.bb.ccc.dd.2002 -> 140.116.246.90.2002 1 0 83 0 INT
13 Sep 02 04:05:09 udp aaa.bb.ccc.dd.2002 -> 62.99.176.58.2002 1 0 83 0 INT
13 Sep 02 04:05:09 udp aaa.bb.ccc.dd.2002 <-> 211.239.151.38.2002 1 1 83 60 ACC
13 Sep 02 04:04:08 tcp 217.153.81.210.49566 -> aaa.bb.ccc.dd.443 254 609 114583 145850 EST
13 Sep 02 04:05:07 udp aaa.bb.ccc.dd.2002 -> 202.9.144.251.2002 1 0 83 0 INT
13 Sep 02 04:05:09 udp aaa.bb.ccc.dd.2002 <-> 193.79.99.16.2002 1 1 83 60 ACC
... (lots and lots more until urp something ate the network connection ...)
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
From this morning on Bugtraq:
> From: Dave Ahmad <da at securityfocus.com>
>
> Ok,
>
> The incident analysis team over here is examining this thing. At first
> glance it looks reasonably sophisticated. Looks to me like it exploits
> the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
> It seems to pick targets based on the "Server:" HTTP response field.
> Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
> setting it to ProductOnly to turn away at least this version of the exploit
> until fixes can be applied. Another thing to note is that it communicates
> with its friends over UDP / port 2002.
>
> I'd like to request IP addresses of hosts that have been compromised or
> that are currently attacking systems from anyone who is comfortable
> sharing this information. We wish to run it through TMS (formerly
> known as ARIS) to see how quickly it is propagating.
>
> David Ahmad
> Symantec
> http://www.symantec.com/
>
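A check of the kind mentioned above, run over the argus records as printed here, as an added example that is not part of the original post, of argus, or of the Bugtraq analysis. It is Python rather than the Perl the post suggests, and it assumes the ra column layout shown in the records above (date, time, proto, src, direction, dst, src pkts, dst pkts, src bytes, dst bytes, state); other argus versions print different columns. The two signals it looks for are the ones visible in the post: a host exchanging UDP 2002<->2002 traffic with several distinct peers, and a source opening a burst of TCP/443 connections to one target before that chatter starts. The peer and connection thresholds are arbitrary assumptions, and the sample records are copied from the post, plus one constructed negative line.

```python
"""Flag the UDP/2002 peer chatter and TCP/443 connection bursts seen in argus
'ra' output. Column layout and thresholds are assumptions, see the lead-in."""
from collections import defaultdict

# Sample input: a subset of the ra records quoted in the post (local host
# masked as aaa.bb.ccc.dd, as in the post). The final 10.0.0.x line is
# constructed as a negative control: only one side is on port 2002.
SAMPLE_RA = """\
13 Sep 02 04:03:58 tcp 217.153.81.210.49378 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:03:58 tcp 217.153.81.210.49381 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:03:59 tcp 217.153.81.210.49384 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:00 tcp 217.153.81.210.49387 -> aaa.bb.ccc.dd.443 2 1 140 74 EST
13 Sep 02 04:04:08 tcp 217.153.81.210.49565 -> aaa.bb.ccc.dd.443 7 7 760 1726 EST
13 Sep 02 04:04:08 tcp 217.153.81.210.49566 -> aaa.bb.ccc.dd.443 254 609 114583 145850 EST
13 Sep 02 04:05:05 udp 192.217.228.39.2002 <-> aaa.bb.ccc.dd.2002 1 1 102 60 ACC
13 Sep 02 04:05:05 udp aaa.bb.ccc.dd.2002 <-> 141.211.107.134.2002 1 1 102 60 ACC
13 Sep 02 04:05:06 udp aaa.bb.ccc.dd.2002 <-> 65.126.190.2.2002 1 1 102 60 ACC
13 Sep 02 04:05:06 udp aaa.bb.ccc.dd.2002 <-> 208.254.142.45.2002 1 1 102 60 ACC
13 Sep 02 04:05:07 udp aaa.bb.ccc.dd.2002 -> 209.41.200.120.2002 1 0 83 0 INT
13 Sep 02 04:05:09 udp aaa.bb.ccc.dd.2002 <-> 160.36.28.79.2002 1 1 102 60 ACC
13 Sep 02 04:05:10 udp 10.0.0.5.53 <-> 10.0.0.9.2002 1 1 80 60 ACC
"""

WORM_UDP_PORT = 2002   # peer-to-peer port reported in the post
HTTPS_PORT = 443       # the inbound exploit connections seen in the post


def split_addr(token):
    """'host.port' -> (host, port). The host may be a masked name such as
    aaa.bb.ccc.dd, so only the last dot separates the port."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def parse_ra(line):
    """Parse one ra record in the layout shown in the post; None if it is not one."""
    f = line.split()
    if len(f) < 13:
        return None
    src, sport = split_addr(f[5])
    dst, dport = split_addr(f[7])
    return {"time": " ".join(f[0:4]), "proto": f[4],
            "src": src, "sport": sport, "dir": f[6], "dst": dst, "dport": dport,
            "spkts": int(f[8]), "dpkts": int(f[9]),
            "sbytes": int(f[10]), "dbytes": int(f[11]), "state": f[12]}


def udp_2002_peers(records):
    """Map each host to the set of hosts it exchanged UDP 2002<->2002 with.
    Both endpoints are credited, so no knowledge of the local prefix is needed;
    the peer-count threshold separates the infected host from its peers."""
    peers = defaultdict(set)
    for r in records:
        if r["proto"] == "udp" and r["sport"] == WORM_UDP_PORT and r["dport"] == WORM_UDP_PORT:
            peers[r["src"]].add(r["dst"])
            peers[r["dst"]].add(r["src"])
    return peers


def find_infected(records, min_peers=3):
    """Hosts talking UDP/2002 to at least min_peers distinct hosts (threshold assumed)."""
    return {h: sorted(p) for h, p in udp_2002_peers(records).items() if len(p) >= min_peers}


def find_https_attackers(records, min_conns=5):
    """(src, dst) pairs with at least min_conns TCP connections to port 443,
    with the total bytes the source sent: {(src, dst): (connections, bytes)}."""
    stats = defaultdict(lambda: [0, 0])
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == HTTPS_PORT:
            s = stats[(r["src"], r["dst"])]
            s[0] += 1
            s[1] += r["sbytes"]
    return {k: (v[0], v[1]) for k, v in stats.items() if v[0] >= min_conns}


def analyze(text, min_peers=3, min_conns=5):
    """Run both checks over raw ra output; returns (infected, attackers)."""
    records = [r for r in (parse_ra(l) for l in text.splitlines()) if r]
    return find_infected(records, min_peers), find_https_attackers(records, min_conns)


if __name__ == "__main__":
    infected, attackers = analyze(SAMPLE_RA)
    for host, peers in infected.items():
        print(f"{host}: UDP/{WORM_UDP_PORT} chatter with {len(peers)} peers: {', '.join(peers)}")
    for (src, dst), (n, nbytes) in attackers.items():
        print(f"{src} -> {dst}:{HTTPS_PORT}  {n} connections, {nbytes} bytes from source")
```

Feed it live data with something like `ra -r argus.out - udp and port 2002 or tcp and dst port 443`, piped into `analyze()`; the UDP peer count is the stronger signal, since the 443 burst alone also matches a scanner that never got in. Note that the large session (49566 above, 114 KB from the source) is the one to pull the payload from.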