OpenSSL worm in the wild
Russell Fulton
r.fulton at auckland.ac.nz
Sat Sep 14 04:22:27 EDT 2002
On Sat, 2002-09-14 at 08:22, Peter Van Epp wrote:
> Just found our first machine that was hit at 4 this morning. Looks
> like a fast spreading worm because it has found lots of other people to chat
> with on UDP port 2002 in between doing port scans of port 80 (as usual,
> argus to the rescue :-) ...) I expect a perl script to check for this is
> in order as well (although, again as usual the mark one eyeball does a fine
> job too):
Hmmm... interesting, so far I have seen no increase in 443 scanning
(nothing at all so far this weekend). What algorithim does it use to
select addressess to scan? Not random I take it.
AusCERT have issued an advisory:
http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.06.txt
--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
More information about the argus
mailing list