OpenSSL worm in the wild

Russell Fulton r.fulton at
Sat Sep 14 04:22:27 EDT 2002

On Sat, 2002-09-14 at 08:22, Peter Van Epp wrote:
> 	Just found our first machine that was hit at 4 this morning. Looks 
> like a fast spreading worm because it has found lots of other people to chat
> with on  UDP port 2002 in between doing port scans of port 80 (as usual,
> argus to the rescue :-) ...) I expect a perl script to check for this is 
> in order as well (although, again as usual the mark one eyeball does a fine
> job too):

Hmmm... interesting, so far I have seen no increase in 443 scanning
(nothing at all so far this weekend).  What algorithim does it use to
select addressess to scan?   Not random I take it.

AusCERT have issued an advisory:


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin

More information about the argus mailing list